The Post reported Sunday that the phones were “on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens” and are known to be clients of the company, NSO Group, whose Pegasus spyware is ostensibly licensed to track terrorists and major criminals.
The newspaper reported that through the investigation, which was also conducted with the help of Amnesty International and Forbidden Stories, a Paris-based journalism nonprofit, the outlets “were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.”
The phone numbers of reporters working overseas for CNN, The Associated Press, Voice of America, The New York Times, The Wall Street Journal, Bloomberg News, France’s Le Monde, the UK’s Financial Times and Qatar’s Al Jazeera are among the numbers that appear on the list, which dates to 2016, according to the Post. The newspaper did not name the reporters in its story. The Post reported that “the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.”
CNN has not independently verified the findings of the Pegasus Project investigation, which was organized by Forbidden Stories.
In a lengthy statement to CNN on Sunday, NSO Group strongly denied the investigation’s findings, saying in part that it sells its “technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts.”
“NSO does not operate the system and has no visibility to the data,” the company said, saying it will continue to investigate “all credible claims of misuse and take appropriate action based on the results” of such investigations.
NSO also said its systems “are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”
The Post reported that while many of the numbers on the list were in the Middle East, including Qatar and the UAE, “the greatest number was in Mexico, where more than 15,000 numbers, including those belonging to politicians, union representatives, journalists and other government critics, were on the list.”
Other countries, including India, Pakistan, Azerbaijan, Kazakhstan, France and Hungary, are also represented on the list, according to the newspaper.
The investigation found that the “numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks,” the Post said. “The consortium could not perform forensic analysis on most of these phones.”
The newspaper noted that NSO “has said for years that its product cannot be used to surveil American phones” and added that the probe “did not find evidence of successful spyware penetration on phones with the US country code.”
The spyware, which was developed a decade ago with the help of Israeli ex-cyberspies, is designed to easily circumvent typical smartphone privacy measures, “like strong passwords and encryption,” according to the Post, which said it can “attack phones without any warning to users” and “read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts.” The Post also noted that “spyware also can activate cameras and microphones for real-time surveillance.”
The Pegasus spyware can initiate the attack in a number of different ways, the newspaper said, including through “a malicious link in an SMS text message or an iMessage.” Some spyware companies use “zero-click” attacks, according to the Post, which deliver spyware simply by sending a message to a user’s phone that produces no notification.” “Users,” the Post reported of such attacks, “do not even need to touch their phones for infections to begin.”
“The phone of his fiancée, Hatice Cengiz, was successfully infected during the days after his murder … and (his) wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful,” the Post said.
NSO denied in its statement that its technology was used in connection with Khashoggi’s murder, saying “our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry.”