Key question for Americans overseas: Can their phones be hacked?

NSO says phones with U.S. +1 numbers can’t be hacked anywhere in the world. But Americans using foreign-based numbers outside the U.S. are vulnerable.

U.S. resident Jean Paul Turayishimye, a critic of the government in his native Rwanda, was among expatriates of his homeland whose phone numbers were selected for potential spyware surveillance by a client of NSO Group. (Adam Glanzman for The Washington Post)
Placeholder while article actions load

Israeli spyware company NSO Group has said repeatedly that its surveillance tools do not work against smartphones based in the United States, but Americans traveling overseas and using foreign cellphones may not enjoy that protection.

A list of more than 50,000 phone numbers that included some for documented surveillance targets also included the overseas phone numbers for about a dozen Americans, including journalists, aid workers, diplomats and others, according to an investigation by The Washington Post and 16 other news organizations.

The investigation was unable to determine whether clients of NSO had delivered or attempted to deliver its Pegasus spyware to any of these numbers. But the presence of numbers used by American officials on the list highlighted questions about the national security threat posed by commercially available spyware.

In addition to the overseas phone numbers, the Washington-area cellphone number for the Biden administration’s lead Iran negotiator, Robert Malley, appeared on the list, as did those of several United Nations diplomats based in the United States and Rwandan expatriates who oppose the government of President Paul Kagame and are living in exile here.

Forensic examination was not possible in most of these cases, and the NSO Group said in response to questions from The Post and other news organizations that the targeting of phones with the +1 country code of the United States was “technologically impossible.” The company said that technological block also applies to foreign-registered devices when they are within the boundaries of the United States, even if they are registered to foreign telephone systems.

But the picture for Americans outside the United States using phones registered to foreign cellular networks is less clear. While available databases of cellular numbers show some identifying information — such as the home cellular network for a customer and the current location of a cellphone — there is no centralized database that tracks the nationalities of cellular customers.

Asked if Americans using foreign phones could be hacked by Pegasus, NSO spokeswoman Ariella Ben Abraham repeated the company’s assertion that U.S. +1 numbers anywhere and foreign phones inside the United States cannot be targeted. “It is technologically impossible,” she wrote. But her answer didn’t address the issue of Americans outside the United States with foreign-registered numbers.

NSO, which describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, says it restricts licensing of its products to countries that respect human rights and that deals are concluded only after rigorous investigations. It also says its Pegasus spyware, considered among the world’s most intrusive commercially available surveillance tools, is for use against terrorists and criminals, such as drug lords and pedophiles, and is not intended for surveilling law-abiding citizens.

The Paris-based journalism nonprofit Forbidden Stories and Amnesty International, the human rights group, had access to the list of phone numbers and shared them with The Post and its partner news organizations. Journalists sought to determine who the numbers belonged to, making more than 1,000 positive identifications, and also to conduct forensic examinations on individual devices.

These examinations, conducted by Amnesty’s Security Lab, found 37 of 67 smartphones examined had evidence of Pegasus infection or attempted infection. Many that didn’t had been replaced in recent years, meaning relevant logs probably were lost. Among the victims were journalists, human rights workers, business executives and diplomats — all categories represented heavily by people the investigation was able to link to phone numbers on the list.

How Pegasus works

Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.

Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.

Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.

Read more about why it’s hard to protect yourself from hacks.

NSO has disputed the investigation’s findings, saying that 50,000 phone numbers could not be affiliated with its surveillance systems.

“NSO Group firmly denies false claims made in your report which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story. Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims,” the company said in a detailed statement.

In the email, Tom Clare, a Virginia attorney representing NSO, wrote that “an attempt at surveillance is NOT the only use for the data,” adding that it is “beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance.”

“Again, to be clear, NSO does not have insight into the specific intelligence activities of its customers,” Clare added, “but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”

Nevertheless, on Sunday, NSO’s chief executive and co-founder, Shalev Hulio, said he was disturbed by some of the investigation’s findings and pledged “strong action” if it was determined that a client had abused the system. He noted that NSO had suspended the contracts of two clients because of human rights concerns in the past 12 months.

Still, the investigation underscored the vulnerability of smartphones to spyware capable of taking control of the devices, unlocking the troves of information they carry and activating cameras and microphones without the user knowing.

An investigation by a consortium of media organizations found Israeli firm NSO Group's Pegasus spyware was used to hack smartphones of journalists and others. (Video: Jon Gerberg/The Washington Post)

Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee who has pushed for protections for U.S. officials working overseas, said more must be done to rein in spyware companies.

“If surveillance companies like NSO are working with our adversaries to spy on American government employees working overseas, they need to be held accountable,” Wyden said in a statement. “These spy-for-hire firms are a threat to U.S. national security, and the administration should consider all options to ensure that federal employees are not targeted.”

Malley still uses the phone number on the list, six months after joining the Biden administration as its lead Iran negotiator. Without obtaining access to Malley’s phone, The Post could not determine whether any attempt had been made to infect it.

At the time Malley’s number was added to the list in March 2019, he was out of government, leading the Brussels-based International Crisis Group organization. But his past could have been of interest: Malley served as a senior White House adviser to Barack Obama on the Middle East, North Africa and the Persian Gulf, and participated in talks with Iran that led to the nuclear agreement signed in 2015. Donald Trump withdrew from the deal three years later.

Malley declined to comment.

“We do not discuss security protocols, procedures or capabilities,” said a State Department official, speaking on the condition of anonymity. “We cannot comment on the specific details of any threats to our personnel or the steps we take to address them.”

Ben Rhodes, a former top national security adviser to President Barack Obama, said that U.S. officials often are targets of surveillance by foreign governments.

“It is no surprise that someone like Rob Malley would be targeted by some form of surveillance," Rhodes said. "As someone who has been targeted for my own involvement in the Iran nuclear negotiations ... it is not surprising to see another official show up on a list of people who came in for this kind of interest.”

In addition to Malley, foreign-registered phone numbers for U.S. diplomats in Bahrain, Azerbaijan and India were on the list, as were numbers for two employees of the U.S. Centers for Disease Control and Prevention in India — one of whom is a U.S. citizen.

Other Americans whose foreign-registered numbers were on the list include two American aid workers in Africa, two university employees in the Middle East, a Christian religious leader in the Middle East and numerous journalists for major news organizations. Among those organizations are the Associated Press, the New York Times, CNN, Bloomberg News, the Wall Street Journal and Voice of America; not all of the journalists themselves are U.S. citizens.

In none of these cases were the phones available for forensic examination to determine whether infection with the Pegasus software had been attempted by an NSO client.

It is unclear why American numbers that NSO says would not be hackable with its system were on the list.

They include phones belonging to several Rwandans affiliated with Paul Rusesabagina, the hero of the film “Hotel Rwanda,” which portrayed his efforts as a Kigali hotel manager to protect more than 1,200 people during the 1994 genocide. Rusesabagina, who lived largely in Texas over the past decade, was tricked last year into returning to his home country, where he now faces terrorism and other criminal charges after years of fierce public opposition to the Rwandan government of President Paul Kagame.

Carine Kanimba, 28, Rusesabagina’s adopted daughter, has lived in both the United States and Belgium and has phones registered to cellular networks in each country. Neither number was on the phone list, but Amnesty’s Security Lab undertook a forensic examination of both her phones at her request. It found her Belgian phone had been infected by Pegasus. Her American phone had not been.

Significantly, the attacks on her Belgian phone appeared to pause while she was in the United States recently for several weeks. An attempt to infect her Belgian phone with Pegasus on May 17 was unsuccessful, the forensic examination showed. She was in Boston at the time as part of her campaign to have her father freed.

Kanimba, who holds U.S. and Belgian citizenship, said she sometimes spoke to American officials while lobbying for action to free her father from custody in Rwanda on her Belgian-registered iPhone X. Amnesty’s Security Lab found evidence of repeated infection on that phone throughout this year, beginning in January, five months after her father was arrested in Rwanda. The attacks continued until the Amnesty forensics team told her to shut down the phone earlier this month.

“The way that I see this attack on us, on our family, on me personally, is that this is an attempt to intimidate me, to slow me down and say, ‘We are watching you, we know you’re here and we know what you are doing,’” Kanimba said in an interview at her home in Kraainem, Belgium. “But this will not work on me. It never worked on my father. And he taught us well. So it will not work on me.”

The numbers for at least three other Rwandan expatriates living in the United States who have criticized their home country’s government also appeared on the list.

One of those, Jean Paul Turayishimye, 49, a former Rwandan military and intelligence official who fled his home country in 2004, said news that his Massachusetts-based Verizon iPhone was on the list reminded him of the pervasive spying he saw in his home country — and that he hoped he had escaped by living in the United States.

Turayishimye, who has been granted U.S. political asylum, said he used to speak with Rusesabagina by phone several times a year. He has since lost the iPhone that was on the list, making forensic examination impossible.

Turayishimye, who has co-founded two opposition political groups and often criticizes the Kagame government on a YouTube show, said American law enforcement officials had warned him that he faces possible threat from the Rwandan government. He keeps the local police on speed dial and avoids sharing his travel plans. He says he grows suspicious when he sees a Black person he does not know in his central Massachusetts home of Leominster.

“It’s bad,” said Turayishimye, who works as a court translator and recently earned a law degree. “No one wants to be fearful doing what we do.”

In a statement, Rwanda’s minister of foreign affairs, Vincent Biruta, said his country doesn’t use Pegasus and “does not possess this technical capability in any form.” He said suggestions it does “are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally.”

Possible concerns

A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters said Sunday that +1 phones are safe from Pegasus no matter where they are in the world. The system is programmed to block efforts to hack them, the person said.

The person also said Pegasus can determine where a phone is geographically and block any efforts to hack a foreign-registered phone while it is inside the United States.

But there is no way to determine the nationality of the user of a phone registered to a foreign system.

That could be a concern for several people whose foreign-based phones were found on the list, including an AP reporter based in the Persian Gulf who uses a phone registered to a cellular network there and a New York Times reporter who uses a phone number registered to a network in the Middle East.

The foreign-based phone numbers of two American aid workers operating in Africa also were on the list, as was that of an American Christian leader based in the Persian Gulf. All three declined to comment and requested that they not be named out of fear of antagonizing governments in countries they work in or visit. Because they are private citizens not accused of any wrongdoing, The Post agreed to withhold their names and other details from this report.

The Post also agreed to withhold the names of two Americans working for a university program in the Middle East whose foreign-issued numbers appeared on the list as well as the identity and specific location of a Human Rights Watch researcher in Africa whose number was on the list and whose organization requested that the information be withheld, citing security concerns.

A spokeswoman for the group, Mei Fong, said, “There is no evidence Human Rights Watch’s devices have been compromised.”

The U.N., however, said it is working with U.S. officials to determine how to deal with the presence on the list of phones belonging to several foreign-born diplomats working at the United Nations in New York.

“We are dealing with the reports in coordination with the host government,” meaning the United States, said Farhan Haq, deputy spokesman for the U.N. “The Secretariat will take any actions that may be required to ensure the security of our communication systems.”

Karen DeYoung, Shane Harris and Drew Harwell from The Post and Michael Safi and Stephanie Kirchgaessner from the Guardian contributed to this report. Kristof Clerix, a reporter for Belgian news organization Knack, reported from Kraainem, Belgium.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.