Investigators found evidence of powerful spyware that’s designed to be used to track criminals on the phones of journalists, human rights activists and politicians, a bombshell report said.
Some 23 phones showed signs that they were hacked and another 14 showed signs of attempted hacks using Pegasus software licensed by Israeli-based NSO Group, a private technology firm, according to an investigation by The Washington Post and several media partners.
The spyware can be sent in a message, but may not even need to be clicked on to hack a phone – leading one cyberattack expert to call it “eloquently nasty.”
Using the spyware, hackers can have access to anything on a phone and may even be able to activate cameras and microphones.
“There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes,” Timothy Summers, IT director at Arizona State University, told the Washington Post.
But Summers, a former cybersecurity engineer in US intelligence, said there’s the possibility of using it to spy on nearly the entire population of the world.
“But humanity is not in a place where we can have that much power just accessible to anybody.”
The number of alleged hacks and attempted hacks may only be a fraction of a total. Of 67 phones voluntarily offered for review, 37 showed signs of hacks or attempted hacks but that doesn’t mean the other 30 weren’t under surveillance, the report said.
Reporters identified the numbers and requested voluntary access to the phones after the news organizations obtained a list dating back to 2016 of more than 50,000 phone numbers as part of their probe into Pegasus, according to the report.
More than 1,000 people on the list were identified in over 50 countries, including 189 journalists for organizations like CNN, The New York Times, The Wall Street Journal and Bloomberg, the Washington Post said. Over 600 of those identified are politicians or government workers, including heads of state the report stated.
Two people apparently targeted were directly connected to Jamal Khashoggi, a Saudi journalist murdered in October 2019, the report stated. His wife was allegedly targeted ahead of his death and his girlfriend was allegedly targeted days after the killing, the report claimed.
Mexican journalist Cecilio Pineda, who appeared on the list twice, was shot dead at a car wash, the report stated. NSO denied any connection to the company and the deaths of Khashoggi and Pineda.
The probe was based on misinterpretations and mischaracterizations, an attorney for NSO told the publication.
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” said the libel attorney.
The overall list, which doesn’t identify people associated with the number or why they’re on the list, was obtained by Forbidden Stories and Amnesty International. It isn’t clear where the list originated or who may have used it, but the company says its customers include agencies in 40 different countries, the Post stated.
A large share of numbers on the list were are in places like the United Arab Emirates, Saudi Arabia and Bahrain, which are or have reportedly been NSO clients, according to the investigation.
NSO has claimed it polices clients for human rights violations and recently ended two contracts over abuses, the report said.
The analysis of phones found no evidence that spyware had affected any phones in the US, although a dozen Americans oversees were listed. NSO said none of their products can be used for surveillance of US phones.