Takeaways from the Pegasus Project

(The Washington Post)

Military-grade spyware leased by the Israeli firm NSO Group to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners led by the Paris-based journalism nonprofit Forbidden Stories.

Forbidden Stories and Amnesty International, a human rights group, had access to a list of more than 50,000 numbers and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did forensic examination of the phones. Thirty-seven targeted smartphones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.

Here are key takeaways from the investigation:

  1. Apple iPhone shown to be vulnerable: The discovery on a list of phone numbers of 37 smartphones that had been either penetrated or attacked with Pegasus spyware fuels the debate over whether Apple has done enough to ensure the security of its devices, popular the world over for their reputation for resisting hacking attempts. Thirty-four of the 37 were iPhones. In September, Apple released a software update to fix the iMessage security flaw exploited by NSO Group’s Pegasus surveillance tool. In the months since, Apple has sued NSO Group in federal court, asking that NSO be prohibited from abusing Apple’s software.
  2. NSO Group at the center of a global debate: The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses. NSO chief executive Shalev Hulio said in a lengthy late-night interview that he would “shut Pegasus down” if there were a better way to help governments deliver security. But he acknowledged that NSO’s ability to investigate abuse is crippled by its policy of having no visibility into clients’ activities. The United States sanctioned the company in November after determining that its phone-hacking tools had been used by foreign governments to “maliciously target” government officials, activists, journalists, academics and embassy workers around the world. A month later it was revealed that 11 U.S. diplomats’ phones had been hacked by Pegasus spyware.
  3. Politicians, journalists, activists found on list: The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as 10 prime ministers, three presidents and one king. The purpose of the list could not be conclusively determined. Further analysis concluded Pegasus spyware was found on the phone of Jamal Khashoggi’s wife months before his murder, challenging NSO’s claims that the slain journalist’s wife “was not a target.”
  4. New details of hacking carry worldwide implications: Among the 37 phones confirmed to have been targeted, 10 were in India and another five in Hungary, most linked to journalists, activists or businesspeople. The finding will add to concerns about extralegal government surveillance conducted with private spyware in both countries. Hundreds more numbers from India and Hungary appear on the broader global list. A third country, Mexico, was home to nearly one-third of the numbers on the list, adding to questions about its past use of Pegasus software. Each country says it acts legally in carrying out any surveillance activity.
  5. A princess raced to escape: In the years since commandos dragged Princess Latifa, a daughter of Dubai’s ruler, from her getaway yacht in the Indian Ocean in 2018, her friends and associates have wondered: How had her careful escape plan been foiled? A new investigation shows that in the days after she went missing, her phone number and those of friends were added to a list that also includes numbers of phones targeted by the powerful Pegasus spyware. Numbers for the ruler’s estranged wife, Princess Haya, and members of her legal and security team were also entered into the list when she fled later to London. The surveillance of the princesses was among the reasons the spyware’s owner, NSO Group, terminated Dubai’s contract, a person familiar with the company’s operations told The Post.

Reporting from The Washington Post

Private Israeli spyware used to hack cellphones of journalists, activists worldwide

NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click. Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Read the full story.

Jamal Khashoggi’s wife targeted with spyware before his death

NSO Group’s Pegasus spyware was used to secretly target the smartphones of the two women closest to murdered Saudi columnist Jamal Khashoggi, according to digital forensic analysis. Read the full story.

Letter from the editor

Why The Washington Post joined news organizations across the globe to bring you this investigation. Read the letter.

FAQ: A guide to ‘spyware’

How Pegasus works, who is most vulnerable and why it’s hard to protect yourself from hacks. Read the full story.

Despite the hype, iPhone security no match for NSO spyware

An international investigation found 23 Apple devices that were successfully hacked. “Zero-click” attacks can work on even the newest generations of iPhones, even after years of effort in which Apple attempted to close the door against unauthorized surveillance. Read the full story.

‘Somebody has to do the dirty work’: NSO founders defend the spyware they built

CEO Shalev Hulio said he would ‘shut Pegasus down’ if there were a better alternative. In lengthy interviews, Hulio and co-founder Omri Lavie traced a journey launched from an Israeli kibbutz and said the company’s technology had saved lives. Read the full story.

The spyware secretly hacking smartphones

Podcast: The military-grade spyware that’s being used to spy on journalists, human rights activists and business executives. Listen to Post Reports.

Key question for Americans overseas: Can their phones be hacked?

NSO says phones with U.S. +1 numbers can’t be hacked anywhere in the world. But Americans using foreign-based numbers outside the U.S. are vulnerable. Read the full story.

On the list: Ten prime ministers, three presidents and a king

Among 50,000 phone numbers, the Pegasus Project found those of hundreds of public officials. But what of heads of state and governments, arguably the most coveted of targets? Read the full story.

Invisible surveillance

Video: How spyware is secretly hacking smartphones. Watch the video.

U.S. and E.U. security officials wary of NSO links to Israeli intelligence

Officials and analysts say the Israeli surveillance tech firm makes a world-class product, but some countries’ security services suspect a relationship with Israel’s government. Read the full story.

How Washington power brokers gained from NSO’s spyware ambitions

The surveillance giant has failed to build a big business in the U.S. But an influential network of consultants, lawyers and lobbyists still made money representing the company. Read the full story.

WhatsApp CEO says Pegasus Project stories show need for greater smartphone security

Messaging app leader, which sued NSO over alleged hacking of its product, disputes firm’s denials on scope of, involvement in spyware operations. Read the full story.

A princess raced to escape Dubai’s powerful ruler. Then her phone appeared on the list.

In the days before commandos dragged Princess Latifa from her getaway yacht in the Indian Ocean, her number was added to a list that included targets of a powerful spyware, a new investigation shows. Read the full story.

Human rights activist and close ally of detained Dubai princess had phone hacked by NSO spyware

A new forensic examination adds to the confirmed targets of the surveillance firm’s government clients around the world. The activist David Haigh said he was ‘horrified’ by this ‘attack on human rights by a despotic regime.’ Read the full story.

How Mexico’s traditional political espionage went high-tech

Victims say the use of Pegasus spyware through 2017 had a chilling effect on journalists and human rights workers. The government says it halted the practice, but questions remain. Read the full story.

The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others.

The confirmed infections of seven phones represent a tiny fraction of what may be a vast surveillance net in Modi’s India. Read the full story.

Indian activists jailed on terrorism charges were on list with surveillance targets

The Bhima Koregaon activists were also victims of an unidentified hacker who planted evidence on their computers, recent reports found. Read the full story.

In Orban’s Hungary, spyware was used to monitor journalists and others who might challenge the government

The deployment of the tool, confirmed with forensics, shows a willingness to use tactics previously deemed out-of-bounds. Read the full story.

About this project

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to a list of phone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group. The two nonprofits shared the information with The Washington Post and 15 other news organizations worldwide that have worked collaboratively to conduct further analysis and reporting over several months. Forbidden Stories oversaw the Pegasus Project, and Amnesty International provided forensic analysis but had no editorial input.

More than 80 journalists from Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline joined the effort.

Reporting by Reed Albergotti, Michael Birnbaum, Elizabeth Dwoskin, Shane Harris, Drew Harwell, Niha Masih, Souad Mekhennet, Dana Priest, Shira Rubin, Mary Beth Sheridan, Joanna Slater, Julie Tate and Craig Timberg.

Design and development by Junne Alcantara, Betty Chavarria, Garland Potts and Irfan Uraizee. Video by Jon Gerberg. Video graphics by Brian Monroe. Photo research and editing by Chloe Coleman and Olivier Laurent. Graphics by Hannah Dormido, Courtney Kan, Tim Meko and Danielle Rindler. “Post Reports” production by Reena Flores, Maggie Penman, Martine Powers and Emma Talkoff.

Editing by Jennifer Amur, Marisa Bellack, Matthew Brown, Andrew deGrandpre, David Bruns, Peter Finn, Courtney Kan, Jeff Leen, Mark Seibel, Greg Manifold, Liz McGehee, Jesse Mesner-Hage, Jorge Ribas and Stu Werner.

Additional editing and production by Courtney Beesch, Steven Bohner, Matthew Callahan, Amy Cavenaile, Jake Crump, Sarah Dunton, Thomas Johnson, Travis Lyles, Kenisha Malcolm, Angel Mendoza, Robert Miller, Tessa Muggeridge, Lucy Naland, Coleen O’Lear, T.J. Ortenzi, Vince Rinehart, Casey Silvestri, Mark W. Smith, Anjelica Tan, John Taylor, Emily Tsao and Julie Vitkovskaya.