Pegasus software manufactured by Israeli surveillance company NSO Group has been used in intercepting mobile phones, including secured apps such as WhatsApp, Signal and Telegram of hundreds of individuals, including prime ministers, ministers, politicians, human rights activists, journalists and lawyers around the world. An investigation by British newspaper the Guardian and 16 other media organizations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company sells only for use against criminals and terrorists.
The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.
NSO Group insists that its mobile phone surveillance software, called Pegasus, is meant to help its clients combat crime and terrorism. But it has also been used to spy on prime ministers, ministers, journalists, activists, opposition politicians, and dissidents.
After years of criticism, the Israeli company has recently become more communicative, publicizing its commitment to human rights and even publishing a “Transparency and Responsibility Report” in June 2021.
But the spyware intrusions haven’t stopped. That’s why more than 80 journalists, representing 17 media organizations around the world, have come together to produce this investigation.
It began when journalism nonprofit Forbidden Stories and human rights group Amnesty International gained access to a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s phone hacking software. As the coordinator of the project, Forbidden Stories then invited OCCRP, the Washington Post, the Guardian, and 13 other partners to help investigate.
In the course of the project, the investigators have identified hundreds of individuals who owned these phones. Sixty-seven of them were subject to forensic analysis to determine whether they had been infected, and 37 showed signs of Pegasus activity. This reporting, supplemented by additional databases, internal documents, interviews, court documents, and other sources, formed the basis of the Pegasus Project, an unprecedented effort to understand who has been targeted by the users of NSO Group’s software — and what happens to them next.
A key part of the Pegasus Project is a list of over 50,000 phone numbers in nearly 50 countries, which is believed to be a list of numbers that have been “selected for targeting” by NSO clients.
However, reporting by The Pegasus Project builds a case that the list indeed contains cell phone numbers selected by NSO Group clients for targeting with Pegasus. There is no evidence or suggestion that the company itself compiled or had any knowledge of these numbers.
The list does not include identifying information, but reporters were able to independently identify the owners of over 1,000 numbers. OCCRP focused on identifying numbers from Azerbaijan, Kazakhstan, and Rwanda.
In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition. Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.
Pegasus Project partners spoke with off-the-record industry insiders who corroborated key issues, found that court documents from WhatsApp’s suit against NSO Group contained some of the same numbers as on the leaked list, and confirmed other details that further corroborated the Pegasus Project’s understanding of the data.
The strongest indication that the list really does represent Pegasus targets came through forensic analysis.
Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list. Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.
Fifteen of the phones in the data were Android devices. Unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list. In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection. In 15 cases, the trace appeared within one minute of selection. This strongly suggests the list represents the selection of numbers for targeting by state actors.
There is still much the investigators can’t prove about the list: how it was compiled, who compiled it, or how it was used. Just because a number was included does not necessarily mean it was compromised. The list may include phone numbers where an attempted infection was unsuccessful, or where no attempt was made.
Who bought the Pegasus spyware?
Based on the geographical clustering of the numbers on the leaked list, reporters identified potential NSO Group clients from more than 10 countries, mostly (but not always) one per country.
These countries include:
United Arab Emirates
NSO Group insists that it sells its software only to governments, suggesting that the clients in these countries represent intelligence services, law enforcement agencies, or other official bodies.
Who were targeted by the Pegasus spyware?
NSO Group contends that its Pegasus software is meant only to help legitimate law enforcement bodies go after criminals and terrorists, and that any other use would violate its policies and user agreements.
The Pegasus Project did find numbers belonging to suspected criminal figures on the leaked list. However, of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.
For the most part, NSO Group’s clients selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists.
What is the meaning of being infected by Pegasus spyware?
Many people targeted by Pegasus have reported receiving text messages attempting to trick them into clicking on an accompanying link. The experience can be frightening and extremely invasive, even before any infection occurs.
Carmen Aristegui, a Mexican investigative journalist, received dozens of messages impersonating the US Embassy in Mexico, her colleagues, and even her bank and phone company.
“Carmen my daughter has been missing for 5 days, we are desperate, I would be grateful if you help me by sharing her photo,” read one message, accompanied by a malicious link.
Aristegui’s son, then a minor, also received such texts, including a “warning” that his social media account had been compromised. “Friend, there is a pseudo account on fb and twitter identical to yours check it out so you can report it,” it read.
Such “phishing attempts,” as they are widely known, have become so commonplace that many people have learned to be on their guard.
But the Pegasus software has gradually become more sophisticated, with the most recent versions able to gain entry to a target’s mobile phone without requiring them to click on a link, or take any action at all.
Once installed, Pegasus can extract data, conversations, contacts, and call logs from the victim’s phone. It can even switch on microphones and cameras to silently record live audio and video.
How the investigators knew it was Pegasus?
The process of identifying Pegasus infections begins with one fortunate fact: Years ago, NSO Group was not as careful at hiding its traces as it is today.
In setting up a Pegasus attack against Ahmed Mansoor, a dissident from the United Arab Emirates who was hacked in 2016, NSO Group left several references to the name “Pegasus” in the malware that infected his phone. The network infrastructure used to conduct the attacks also left a trail that led researchers back to NSO Group servers.
Researchers say that NSO Group’s software has become more clever at hiding its traces in recent years, including intentionally altering system files to hide evidence of infection.
However, when Amnesty International carried out forensic audits of dozens of phones belonging to people whose numbers appeared on the newly leaked lists, they identified uniquely configured web servers that matched the ones identified in 2016.
Also connected to the same Pegasus network infrastructure are iOS “processes” — small programs not necessarily visible to the user — that appeared on infected phones and did not match any legitimate code released by Apple.
“There’s a sequence that shows a website was being visited, an application crashed, some files were modified, and all of these processes executed in a matter of seconds or even milliseconds,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. These processes, he said, were the same ones found in previously known Pegasus infections.
One process called “BH” or “BridgeHead,” identified after an analysis of Mansoor’s phone in 2016, kept appearing throughout the more recently analyzed phones as well. It appears to be a key component of the Pegasus toolkit.
“There’s no doubt in my mind that what we’re looking at is Pegasus,” Guarnieri said. “The characteristics are very distinct and all of the traces that we see confirm each other, essentially. There are no contradictory forensic traces that we have seen.”
Along with this project, Amnesty International is publishing the full technical analysis that allowed their researchers to reach these conclusions. It was independently reviewed by Citizen Lab, a research center at the University of Toronto that has years of experience investigating NSO Group. The Citizen Lab researchers concurred with Amnesty International’s analysis.
The victims of Pegasus spyware
Years of reporting by investigative journalists and digital rights advocates has led to the identification of many victims of NSO Group’s software on an ad hoc basis. But those cases depended on the targets coming forward themselves after receiving a suspicious message or otherwise having reason to think their phones were breached.
The Pegasus Project approached the topic from the other direction, identifying potential victims from a leaked list of numbers believed to be selected as targets by NSO Group’s clients.
This allowed reporters not only to identify many new victims, but also to leverage the list as a basis for examining the accuracy of long-held contentions that Pegasus is systematically used to target journalists, activists, and other non-criminal figures. The reporting found widespread additional evidence that this is the case, painting the most complete picture to date of what Pegasus does around the world.
Is surveillance of phones legal?
This is a difficult question because of the number and nature of the jurisdictions involved. Generally, countries have the right to investigate criminal activity and monitor people they consider dangerous or criminal. In many cases, they can do this only after receiving a warrant or approval from a judge. But many of the countries that use NSO Group’s software score poorly on measures of rule of law and respect for human rights, making abuses possible even when the formalities are observed. The large number of politicians, journalists, activists, and academics on the leaked lists suggest that some countries were surveilling people for political or other illegitimate purposes.
There is also the issue of NSO Group’s exploitation of weaknesses in commercial software. Apple, Google, WhatsApp, and other tech firms whose software was compromised may have legitimate damage claims against NSO Group, and in fact WhatsApp has launched a high-profile lawsuit against the company.
Has Pegasus been used to target terrorists and criminals?
Yes. Numbers belonging to known criminals appeared on the leaked list for some countries. However, these are naturally harder to identify than the numbers of journalists and politicians. Tens of thousands of the leaked numbers remain unidentified, and the true proportion of criminals in the data may never be fully known.
What NSO says about Pegasus scandal?
NSO Group has denied that the list of 50,000 phone numbers could be a list of targeted persons.
A law firm retained by the company wrote that it looked more like a public list of “HLR” or “Home Location Register” data. HLR data is essentially a database kept by mobile phone companies that allow a real time query of a subscriber’s information. It includes information such as whether a phone is in a network, whether it is active, whether it is roaming, and other basic information.
Karsten Nohl, the chief scientist for Security Research Labs in Berlin, said that HLR lookups have long been used in surveillance of mobile phones because they indicate whether the phone is on, and thus available for hacking.
Moreover, a source with knowledge of NSO Group’s software said that HRL lookups are integrated into the Pegasus system.
Amnesty International’s forensic analysis, explained in question 2 above, also shows that in many cases the targeting was swiftly followed by an infection, often within minutes. This is consistent with a system that had an integrated HLR lookup. Cases when infection did not follow could correspond to HLR lookups that showed the phone was not available at the time.
In sum, NSO Group could be correct that the 50,000 numbers represent HLR data — and this would not contradict journalists’ findings that the same data could represent the selection of targets for infection with Pegasus.
In their response NSO Group said:
In response to requests for comment by Forbidden Stories, OCCRP, and the other participants in The Pegasus Project, NSO Group and a law firm retained by the company sent several replies.
In general, NSO Group strongly denies the journalistic consortium’s findings, which it describes as “uncorroborated theories” that rely on information that has “no factual basis” presented by an “unreliable” source.
NSO Group’s more specific responses are cited below:
The Source Data
The reporting for The Pegasus Project is based on 50,000 phone numbers believed to represent NSO Group’s customers selecting people for targeting with the Pegasus system. (For more information about the evidentiary basis for this finding, read OCCRP’s “About the Project” explainer).
In its initial response, a law firm retained by NSO Group wrote:
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes.”
The company then provided more detail:
“NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide.
“The sheer volume of numbers on this purported list … confirms that it cannot be a list of numbers targeted by governments using Pegasus. There simply are not that many numbers targeted by governments using Pegasus. Thus, Forbidden Stories’s assertion that it reviewed records of thousands of ‘targets’ of NSO Group clients is false.”
“As to your request to confirm the ‘existence of such data’, obviously we cannot do so, since even if they were customers’ data, we have no visibility nor access to them.”
In another follow-up, NSO added:
“You have put forward a flawed and speculative thesis the data list may have been used by third parties prior to a surveillance attempt, but that assertion (even if true) does not establish that the “use” was in fact attempted to be used as part of the surveillance attempt, that the attempted use was successful, or that the attempted or completed attempts produced the consequences theorized in your questions. It is beyond dispute that an attempt at surveillance is NOT the only utility of the data. It is also beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO, so there can be no factual basis to suggest (as your questions imply) that a use of the data somehow equates to surveillance.”
“NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”
In response to a technical report produced by Amnesty International, which is published along with this project and presents forensic evidence of Pegasus infections on dozens of analyzed phone numbers, NSO Group wrote:
“If you are relying on the ‘technical report’ for that purpose, that report is a compilation of speculative and baseless assumptions regarding the purported connection between what is described in the report and NSO Group’s technology. Specifically, your report depends on assumptions linking previous reports to NSO Group, which are in turn based on similar assumptions regarding even earlier reports, with no demonstrated linkage between the various layers of reports sufficient for a responsible journalist to publish these conclusions.”
NSO Group’s Clients
Sticking with a long-held policy, NSO Group declined to confirm or deny any of the client relationships suggested by the leaked data and other reporting:
“As we stated in the past, due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers.”
The company also said that it does not run the Pegasus software after it’s sold:
“NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.”
Cecilio Pineda’s murder
In response to a question about the use of NSO Group spyware against Cecilio Pineda, a Mexican journalist who was subsequently murdered, the law firm retained by the company wrote:
“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month. Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”
In response to questions about the use of NSO Group spyware against friends and family members of murdered Saudi dissident Jamal Khashoggi, the company wrote:
“Our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is being made without validation. … Forbidden Stories claimed that, in 2019, Saudi Arabia targeted a British human rights lawyer who represented “the fiancée of Jamal Khashoggi’’ and a “Saudi Arabian human rights activist.” This allegation simply cannot be true because NSO Group can prove that such use of Pegasus is technically impossible.”
“We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in your inquiry.”
NSO Group’s Mission
The law firm retained by NSO Group wrote that the company’s products are a source for good and that the company takes allegations of abuse seriously:
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes shutting down of a customers’ system, something NSO has proven its ability and willingness to do, due to confirmed misuse, done it multiple times in the past, and will not hesitate to do again if a situation warrants. This process is documented in NSO Group’s ‘Transparency and Responsibility Report,’ which was released last month.”
“The fact is, NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings. The technologies are also being used every day to break up pedophilia-, sex-, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
Update, July 19, 2021:
After the publication of the initial set of stories in this investigation, NSO Group’s CEO, Shalev Hulio, reached out to The Washington Post to offer several additional comments.
He continued to dispute that the list of over 50,000 numbers used as a basis for this investigation represented targeting by NSO Group’s Pegasus software. He also said that most of the allegations made in the stories were untrue.
However, Hulio noted that NSO Group had terminated contracts with two clients within the last year because of concerns about human rights abuses. He described some of the revelations in the stories as “disturbing” and said he was “very concerned” about what he had read.
“We are investigating everything,” he said. “I believe that we need to check. If we check, we will find that some of this will be true.”