An Israeli firm, accused of supplying spyware to governments, was linked to hacking attempts on tens of thousands of smartphone numbers, including activists, journalists, business executives and politicians around the world, media reports said on Monday.
At least one number once used by Prime Minister Imran Khan was also targeted by the NSO Group and its Pegasus malware, which is capable of switching a phone’s camera or microphone on and harvesting its data.
Sunday’s revelations are part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets. The NSO Group has been in the headlines since 2016, when researchers accused it of helping spy on a dissident in a Middle Eastern country.
The leak consists of more than 50,000 smartphone numbers believed to have been identified as connected to people of interest by NSO clients since 2016, the news outlets reported, although it was unclear how many devices were actually targeted or surveilled.
On the list were 15,000 numbers in Mexico — among them reportedly a number linked to a murdered reporter — and 300 in India, including politicians and prominent journalists. The Washington Post stated that India was one of the 10 countries listed as a client of the Pegasus malware.
Israel’s Haaretz reported on Monday that India targeted a phone which was earlier in Prime Minister Imran Khan’s use, through the malware. Several Pakistani officials, Kashmiri freedom fighters, Indian Congress leader Rahul Gandhi, an Indian supreme court judge were also targeted, it added.
According to a Pakistani private TV channel, India even tried to tap the federal cabinet members’ calls and messages through the spyware, prompting the Pakistani government to develop new software for the federal ministers.
However, no newspaper report would confirm that the attempt on Prime Minister Imran’s number was successful. Information Minister Fawad Chaudhry expressed concern on the report and said the unethical policies of the Modi government have “dangerously polarised India and the region”.
An Indian investigative news website, The Wire, reported that 300 mobile phone numbers used in India — including those of government ministers, opposition politicians, journalists, scientists and rights activists — were on the list.
The Guardian said the investigation suggested “widespread and continuing abuse” of NSO’s hacking software, described as malware that infects smartphones to enable the extraction of messages, photos and emails; record calls; and secretly activates microphones.
The report ignited fears of widespread privacy and rights abuses. The Amnesty International decried “the wholesale lack of regulation” of surveillance software. Indian Congress leader Rahul Gandhi tweeted: “Targeted surveillance [...] is illegal and deplorable.”
India’s Ministry of Electronics and Information Technology, responding to questions from The Washington Post, said that “any interception, monitoring, or decryption of any information through any computer resource is done as per the due process of law”.
The revelations are made by the Amnesty International and Forbidden Stories, a Paris-based non-profit media organisation, which initially had the access to the leak. Later, they shared the data with other media organisations.
The Washington Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi.
The list of targeted numbers included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials—including heads of state, prime ministers and cabinet ministers.
Also on the list are journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.
Many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates (UAE), according to the newspapers.
The NSO has denied any wrongdoing, labelling the allegations “false”. It issued a denial on Sunday, calling the Forbidden Stories report “full of wrong assumptions and uncorroborated theories,” and threatening a defamation lawsuit.
“We firmly deny the false allegations made in their report,” the NSO said. It added it was “not associated in any way” with the Khashoggi murder, adding that it sells “solely to law-enforcement and intelligence agencies of vetted governments”.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, the NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv. The group, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
Pegasus is a highly invasive tool that can switch on a target’s phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.
The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ