Military-grade spyware developed and licensed by the private Israeli firm NSO Group was found on the smartphones of 23 journalists, business executives, human rights activists, and at least one woman close to murdered Washington Post columnist Jamal Khashoggi, the Post and 16 other media organizations around the world reported Sunday. Someone had also attempted to put the spyware, Pegasus, on 14 of the phones forensically analyzed by Amnesty International's Security Lab, and the digital autopsy on the remaining 30 phones studied was inconclusive.
Once Pegasus infects a phone, it lets the intruder read anything; steal photos, location records, passwords, contacts, recordings, and other communications; and hijack the camera and microphone. The spyware is completely undetectable to the phone's owner, and in some cases it can infect a phone through a text message the owner never sees. NSO says it licenses its spyware to about 60 foreign governments to track down terrorists, drug traffickers, sex traffickers, and other criminals.
"This is nasty software — like eloquently nasty," creating the ability to "spy on almost the entire world population," Timothy Summers, a former U.S. intelligence cybersecurity engineer, tells the Post. "There's not anything wrong with building technologies that allows you to collect data; it's necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody."
NSO Group, CEO Shalev Hulio, and a libel lawyer the company hired all strenuously denied much of the reporting by the Post and its consortium partners, insisting its software played zero role in Khashoggi's murder by Saudi agents and "no customer has ever been granted technology that would enable them to access phones with U.S. numbers."
Hulio said the leaked list of 50,000 phone numbers Amnesty and the French nonprofit Forbidden Stories used to track down possible Pegasus targets had no connection to NSO, though he also told the Post "we understand that in some circumstances our customers might misuse the system," and "we have shut down systems for customers who have misused the system." An NSO source told the Post that in the past year, the company canceled contracts with Saudi Arabia and Dubai over human rights concerns.
The phone numbers on the list were concentrated in 10 countries with spotty human rights records, all reported NSO client states: Mexico, Hungary, India, Saudi Arabia, the United Arab Emirates, Bahrain, Kazakhstan, Azerbaijan, Morocco, and Rwanda. Read more at The Washington Post.