“This reporting matches what we saw in the attack we defeated two years ago,” including the types of targets “who had no business being spied on in any shape or form,” Cathcart, the head of WhatsApp, said in an interview this week with Stephanie Kirchgaessner, a reporter for the Guardian newspaper in London and a member of the Pegasus Project reporting team. The team of 16 media outlets, including The Washington Post, was organized by Paris-based Forbidden Stories, a nonprofit journalism group.
The project analyzed a list of more than 50,000 phone numbers dating back to 2016 and concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO, a leader in the growing and largely unregulated private spyware industry.
The media consortium identified the owners of more than 1,000 numbers and discovered they included several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers.
The numbers of several heads of state and government also appeared on the list, including France’s President Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa. Three current prime ministers, Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani, also were on the list.
Once Pegasus compromises a smartphone, it can exfiltrate the phone's contents (texts, photos, videos, emails) and switch on its camera and microphone for real-time monitoring, all without the user noticing anything wrong. Finding an infection after the fact generally requires the kind of forensic examination of the device that the project carried out on dozens of iPhones.
WhatsApp said it discovered that Pegasus was being used to hack its app to gain access to users’ smartphones. The company said it was able to collect the identities of 1,400 smartphone users whose devices had been hacked in a two-week period. “What we saw was 1,400 victims in that brief period,” Cathcart said. “What that tells us is that in a longer period of time, over a multiyear period of time, the numbers of people being attacked is very high.”
WhatsApp sued NSO in 2019, accusing the company of targeting its users’ mobile devices with malware.
In court documents, NSO has argued that it should be granted “sovereign immunity” because its clients are vetted government customers, and legal doctrine holds that governments cannot be sued for performing their legitimate functions. NSO has also argued that its customers do the targeting, not the company.
In one court exhibit of internal NSO documents, the company wrote, “The company will provide the End user with assistance in operating, managing and configuring the System as well as resolving any Software technical issues.”
The assertion, WhatsApp argued, appears to contradict NSO’s argument that it plays no role in the targeting.
Another exhibit said, “In order to initiate a new installation, the operator of the Pegasus system should only insert the target phone number. The rest is done automatically by the system, resulting in most cases with an agent [malware] installed on the target device.”
That led a judge in the Northern District of California to rule that the suit could proceed because it appeared NSO retained some control. NSO insists that it has such control only with permission from the client.
In April, the U.S. Court of Appeals for the 9th Circuit heard NSO’s appeal of the judge’s ruling. A decision is pending.
NSO has also pointed out in court that at one point, Facebook, which owns WhatsApp, solicited NSO’s business. In 2017, Facebook executives reached out to NSO to ask for help in tracking the habits of iPhone users, including which apps they used and how much time they spent on them, according to records obtained by The Post. NSO says it denied the request because it only does business with governments.
In response to the Pegasus Project, NSO said the list of more than 50,000 phone numbers was not related to NSO or Pegasus and that the figure was “exaggerated” relative to the scale of its client base. A source familiar with company operations said an NSO client typically targets 112 phones a year. NSO has said it has 60 clients in 40 countries.
In the interview, Cathcart raised the same issue about NSO that his company had in its lawsuit, seizing on whether NSO operates the software it licenses to clients or knows whom the client is targeting.
“Well, software can be changed very easily,” Cathcart told the Guardian. “So how are they sure it is not being changed? Or are they actually operating it themselves?”
NSO responded in a statement to The Post on Saturday: “Mr. Cathcart is deliberately mistaken and misleading. NSO is not privy to the data of its customers, has no access to their systems, and despite what he claims, the information we provided is accurate, and we would be happy to prove it to him.”
Cathcart also asked how NSO could be certain that Pegasus cannot target +1 numbers, those with the country code for the United States.
“Is the reason why they are so confident U.S. numbers are not being targeted, is they are operating it themselves and they have the list [of targets]?” Cathcart said. “And if that’s the case, why aren’t they accountable for cases of abuse that are happening?”
Americans “travel overseas, they have overseas numbers, ambassadors, people all around the world. Is really the only protection the country code on your phone number? That’s a little nuts,” he said. “It’s like saying you’re going to make a missile that you’re sure is going to blow up in only certain parts of the world. It’s not how missiles work.”
In a response to Cathcart’s comments, an NSO spokesman said in a statement to the Guardian:
“Millions of people around the world are sleeping well at night, and safely walking in the streets, thanks to Pegasus and similar technologies which help intelligence agencies and law enforcement agencies around the world to prevent and investigate crime, terrorism, and pedophilia rings that are hiding under the umbrella of End-to-End encryption apps.
“We reiterate: NSO does not operate the technology, nor do we have visibility to the data collected. Our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with U.S. numbers. It is simply technologically impossible.
“Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using End to End encryption platforms? … If so, we would be happy to hear.”
Many of the largest Internet firms have joined the WhatsApp suit in an amicus brief on behalf of the company. The one exception is Apple, whose iPhones proved vulnerable to Pegasus according to the project's digital forensic analysis of 52 iPhones: 34 of them were compromised or showed signs of attempted penetration.
Apple has responded by saying the vast majority of users’ phones are safe.
Cathcart urged Apple to take a stronger public stand and join the lawsuit as other Internet giants have. “It’s not enough to say most users don’t have to worry about this. … It’s only tens of thousands of victims,” he said. “If anyone’s phone is not secure, it means everyone’s phone is not secure.”
Cathcart also urged governments to do more to regulate or impede spyware companies like NSO.
“I’m hoping we don’t forget this moment,” he said. “The reporting showed just a preview of how bad things will be for people’s privacy and security if we head down a path of insecure mobile phones and insecure software. I’m hoping the conversation will change. I think it depends on governments recognizing the national security threat and the threat to freedom that this reporting exposed.”
A previous version of this story included an imprecise number of iPhones examined as part of the Pegasus Project. A total of 52 iPhones were forensically examined, not 37. Investigation revealed that 34 of the iPhones were compromised or showed signs of attempted penetration.