Hacking the World: How NSO's Pegasus Software Targeted Journos, Activists & Political Leaders

July 19, 2021 – A recent leak has uncovered the global abuse of a cyber surveillance weapon called Pegasus, created by Israeli Intelligence’s NSO Group. We have previously reported on allegations of human and civil rights abuses tied to this software that were revealed during a lawsuit between WhatsApp and NSO Group. Our first report in October 2019, “WhatsApp Sues Israeli NSO Group for Allegedly Helping Spies Hack Phones World Wide,” covered the initial filing of the lawsuit. Our second, more detailed report of July 17, 2020, “Judge: Lawsuit Against Israeli Spyware Firm NSO Group Can Proceed,” went into the details and allegations from the lawsuit. That article concluded:

The latest allegations are that Spain was a customer of NSO Group. If the case does indeed go to trial, discovery could provide a massive trove of information about the use of technology by governments around the world to target dissidents and political opposition.

These allegations are particularly alarming. Regardless of whether NSO was aware that clients were misusing and abusing these tools to target innocent civilians and journalists, as the creator of the tools they should retain ultimate liability. The lawsuit launched by Facebook aims to look closer into NSO’s connections to the U.S.

With the Motion to Dismiss denied, the case will be allowed to go forward with Discovery and Production as well. This has been a major week for NSO, with the dismissal of the Amnesty International in Israel case requesting the NSO export license revocation, a major scandal in Spain that Catalan politicians were targeted with Pegasus, and then Spain confirmed as an NSO customer.

Earlier this month the Election Frontier Foundation (EFF) run by Edward Snowden launched a database called ‘ATLAS of Surveillance,’ a compilation of police agencies and the ‘tech tools they use to spy on communities’ which includes NSO. – Patriots’ Soapbox

The allegations regarding NSO Group and Pegasus are clearly well known, and the lawsuit, which would include discovery, would eventually come out without any leaks. I highly recommend looking at both of those prior articles if you are not well versed in the saga and allegations.

It is important to note that during the initial WhatsApp lawsuit there were claims that NSO Group had ties to the U.S. It should also be noted that the software is considered a weapon that is under strict export control by the Israeli government.

This is particularly concerning, and if it is indeed true, the next question must be, who in the U.S. Intelligence Community had access to this software and has it been used to target Americans?

This investigation is probably particularly disturbing for the Washington Post, considering that one of their own journalists, Jamal Khashoggi, was targeted using the Pegasus software and then gruesomely assassinated.

It is good to see Edward Snowden speaking out against private intelligence programs instead of simply illegal spying conducted by government agencies.

One could even argue that was the true purpose of the technology. It can be said to have a “dual use.” One is commercial and used to track criminals and terrorists, and the other is intelligence use, with the ability to track and target dissidents, journalists and politicians.

The allegations about NSO now have been forensically proven to be true.

This is appalling, but it’s just a subset. Who truly knows how many other countries were involved or how many total individuals were targeted worldwide?

I am sure Hungary isn’t the only country that is doing this. In fact, Joe Biden just publicly announced he wanted to use “private companies” to surveil anyone he deems a so-called “domestic terrorist.”

John Scott-Railton is absolutely correct here, and this is just one surveillance weapon that we are examining. We have to wonder how many other tools just like this one are being used to silence and crush dissent.

NSO made those claims during the lawsuit as we previously reported in 2019 and 2020. While claiming that they cannot control what their clients do with the program, they clearly had a good idea of what they would do and how they could weaponize it.

John Scott-Railton is a journalist you should be following. He is an objective, fact-based reporter who doesn’t insert his own opinion into his work. He is a top-notch cyber security journalist and I highly recommend bookmarking his Twitter page.

Edward Snowden created a program called ATLAS to track private security companies selling hi-tech spying tools to police in the United States, and NSO is on that list.

Interestingly, the reason for this isn’t that Big Tech cares about human rights. They are merely protecting their business model and they don’t want other companies moving in on their turf.

Think about what this means and how this sort of abuse has been allowed to proliferate.

From the Guardian report on the NSO Group leaks:

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak.

The investigation by the Guardian and 16 other media organizations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.

The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.

Forbidden Stories, a Paris-based nonprofit media organization, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.

Forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.

The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.

The list also contains the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.

The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.

The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected.

NSO said that even if Pineda’s phone had been targeted, it did not mean data collected from his phone contributed in any way to his death, stressing governments could have discovered his location by other means. He was among at least 25 Mexican journalists apparently selected as candidates for surveillance over a two-year period.

Without forensic examination of mobile devices, it is impossible to say whether phones were subjected to an attempted or successful hack using Pegasus.

NSO has always maintained it ‘does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets’.

In statements issued through its lawyers, NSO denied ‘false claims’ made about the activities of its clients, but said it would ‘continue to investigate all credible claims of misuse and take appropriate action’. It said the list could not be a list of numbers ‘targeted by governments using Pegasus’, and described the 50,000 figure as ‘exaggerated’.

The company sells only to military, law enforcement and intelligence agencies in 40 unnamed countries, and says it rigorously vets its customers’ human rights records before allowing them to use its spy tools.

The Israeli minister of defence closely regulates NSO, granting individual export licences before its surveillance technology can be sold to a new country.

Last month, NSO released a transparency report in which it claimed to have an industry-leading approach to human rights and published excerpts from contracts with customers stipulating they must only use its products for criminal and national security investigations. – The Guardian

Credit where credit is due: The Guardian and Washington Post have done good work reporting on the leaks and their implications.

From Amnesty International, which has published a section on its website called the Pegasus Project, “Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally”:

NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale, according to a major investigation into the leak of 50,000 phone numbers of potential surveillance targets. These include heads of state, activists and journalists, including Jamal Khashoggi’s family.

The Pegasus Project is a ground-breaking collaboration by more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, who conducted cutting-edge forensic tests on mobile phones to identify traces of the spyware.

‘The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,’ said Agnès Callamard, Secretary General of Amnesty International.

‘These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.’

‘Clearly, their actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists. Until this company and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology.’

In a written response to Forbidden Stories and its media partners, NSO Group said it ‘firmly denies… false claims’ in the report. It wrote that the consortium’s reporting was based on ‘wrong assumptions’ and ‘uncorroborated theories’ and reiterated that the company was on a ‘life-saving mission’. A fuller summary of NSO Group’s response is available here.

At the centre of this investigation is NSO Group’s Pegasus spyware which, when surreptitiously installed on victims’ phones, allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.

Over the next week, media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will run a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware.

From the leaked data and their investigations, Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place.

During the investigation, evidence has also emerged that family members of Saudi journalist Jamal Khashoggi were targeted with Pegasus software before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group.

Amnesty International’s Security Lab established that Pegasus spyware was successfully installed on the phone of Khashoggi’s fiancée Hatice Cengiz just four days after his murder.

His wife, Hanan Elatr was also repeatedly targeted with the spyware between September 2017 and April 2018 as well as his son, Abdullah, who was also selected as a target along with other family members in Saudi Arabia and the UAE.

In a statement, the NSO Group responded to the Pegasus Project allegations saying that its ‘technology was not associated in any way with the heinous murder of Jamal Khashoggi’. The company said that it ‘previously investigated this claim, immediately after the heinous murder, which again, is being made without validation’.

Journalists under attack

The investigation has so far identified at least 180 journalists in 20 countries who were selected for potential targeting with NSO spyware between 2016 to June 2021, including in Azerbaijan, Hungary, India and Morocco, countries where crackdowns against independent media have intensified.

The revelations show the real-world harm caused by unlawful surveillance:

  • In Mexico, journalist Cecilio Pineda’s phone was selected for targeting just weeks before his killing in 2017. The Pegasus Project identified at least 25 Mexican journalists were selected for targeting over a two-year period. NSO has denied that even if Pineda’s phone had been targeted, data collected from his phone contributed to his death.
  • Pegasus has been used in Azerbaijan, a country where only a few independent media outlets remain. More than 40 Azerbaijani journalists were selected as potential targets according to the investigation. Amnesty International’s Security Lab found the phone of Sevinc Vaqifqizi, a freelance journalist for independent media outlet Meydan TV, was infected over a two-year period until May 2021.
  • In India, at least 40 journalists from nearly every major media outlet in the country were selected as potential targets between 2017-2021. Forensic tests revealed the phones of Siddharth Varadarajan and MK Venu, co-founders of independent online outlet The Wire, were infected with Pegasus spyware as recently as June 2021.
  • The investigation also identified journalists working for major international media including the Associated Press, CNN, The New York Times and Reuters as potential targets. One of the highest profile journalists was Roula Khalaf, the editor of the Financial Times.

Exposing Pegasus infrastructure

Amnesty International is today releasing the full technical details of its Security Lab’s in-depth forensic investigations as part of the Pegasus Project.

The Lab’s methodology report documents the evolution of Pegasus spyware attacks since 2018, with details on the spyware’s infrastructure, including more than 700 Pegasus-related domains.

‘NSO claims its spyware is undetectable and only used for legitimate criminal investigations. We have now provided irrefutable evidence of this ludicrous falsehood,’ said Etienne Maynier, a technologist at Amnesty International’s Security Lab.

There is nothing to suggest that NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the Forbidden Stories consortium also found numbers in the data belonging to suspected criminals.

‘The widespread violations Pegasus facilitates must stop. Our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control,’ said Etienne Maynier.

In response to a request for comment by media organizations involved in the Pegasus Project, NSO Group said it ‘firmly denies’ the claims and stated that ‘many of them are uncorroborated theories which raise serious doubts about the reliability of your sources, as well as the basis of your story.’ NSO Group did not confirm or deny which governments are NSO Group’s customers, although it said that the Pegasus Project had made ‘incorrect assumptions’ in this regard.  Notwithstanding its general denial of the claims, NSO Group said it ‘will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations’. – Amnesty International 

NSO Group is denying the allegations and claiming that they are unfounded and that the sources are not credible.

Forbidden Stories has dedicated a section of their website for researchers and investigators to access some resources.

Amnesty International has created a section detailing the forensic methodology undertaken to validate and verify the information that came from the leaks, “Forensic Methodology Report: How to catch NSO Group’s Pegasus”:


NSO Group claims that its Pegasus spyware is only used to ‘investigate terrorism and crime’  and ‘leaves no traces whatsoever’. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.[1]

Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.

As laid out in the UN Guiding Principles on Business and Human Rights, NSO Group should urgently take pro-active steps to ensure that it does not cause or contribute to human rights abuses within its global operations, and to respond to any human rights abuses when they do occur. In order to meet that responsibility, NSO Group must carry out adequate human rights due diligence and take steps to ensure that HRDs and journalists do not continue to become targets of unlawful surveillance.

In this Forensic Methodology Report, Amnesty International is sharing its methodology and publishing an open-source mobile forensics tool and detailed technical indicators, in order to assist information security researchers and civil society with detecting and responding to these serious threats.

This report documents the forensic traces left on iOS and Android devices following targeting with the Pegasus spyware. This includes forensic records linking recent Pegasus infections back to the 2016 Pegasus payload used to target the HRD Ahmed Mansoor.

The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.

Sections 1 to 8 of this report outline the forensic traces left on mobile devices following a Pegasus infection. This evidence has been collected from the phones of HRDs and journalists in multiple countries.

Finally, in section 9 the report documents the evolution of the Pegasus network infrastructure since 2016. NSO Group has redesigned their attack infrastructure by employing multiple layers of domains and servers. Repeated operational security mistakes have allowed the Amnesty International Security Lab to maintain continued visibility into this infrastructure. We are publishing a set of 700 Pegasus-related domains.

Names of several of the civil society targets in the report have been anonymized for safety and security reasons. Individuals who have been anonymized have been assigned an alphanumeric code name in this report. – Amnesty International 

If you want to learn about how researchers and journalists went about verifying the information and allegations from the leak, Amnesty International’s report goes into great detail explaining the forensic methodology. This is really important for transparency and learning about how researchers can apply forensic and law enforcement methods to bolster their reporting and to help validate claims.

One of the most important and grave implications is that due to the strict Israeli export controls on the software, there is no way that NSO could have put its tech at the disposal of at least 12 foreign governments to track 180 journalists without getting approval from the highest levels of the Netanyahu government. That’s the real scandal here and we know that Netanyahu is already under investigation for corruption.

These are military-grade cyber weapons and they now permeate our society and the internet at large, rendering the use of the internet and technology like smartphones more and more dangerous. The law has not caught up to the advances in technology, so as case law and legal precedent slowly try to catch up, the tech advances faster and operates in a legal grey zone.

We are left with some other questions: How many politicians were targeted using Pegasus on behalf of the Israeli government? Were any of them blackmailed into doing the bidding of the Israeli government? This is especially concerning when we take the Jeffrey Epstein scandal into consideration, the PROMIS software and other scandals tied to Israeli Intelligence. There are also programs like Talpiot run by Israeli Unit 8200 to infiltrate the hi-tech sector of the United States and other countries.

We hope the revelations of this story compel discovery of many more answers.

This story is still developing; please check back for updates.
