The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: The Pegasus Project raised the curtain on a vast spyware network. Here are four takeaways.

Placeholder while article actions load

with Aaron Schaffer

For at least half a decade, the smartphone hacking tools created by a controversial Israeli firm have allowed governments to silence critics and journalists, threaten opponents and extend oppression and intimidation outside their borders. 

That’s the clear conclusion from an extensive investigation by The Washington Post and 16 media partners into NSO Group, a leader in the growing industry of private companies selling military-grade hacking tools to government law enforcement and intelligence agencies, often with little insight into how they’re ultimately used. 

The investigation revealed 37 instances in which NSO’s Pegasus spyware was used in successful or attempted hacks of phones – including those belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi. That would seem to fly directly in the face of NSO’s claims that its tools are used only to track terrorists and other serious criminals. 

The goal in many cases probably was to silence dissent.

“Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources,” my colleagues write. “Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.”

The report is already raising outcries and calls for investigations across the globe. It’s also prompting warnings from technologists that such powerful hacking tools must be far better regulated. 

“This is nasty software — like eloquently nasty,” Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University, told my colleagues. 

He added: “Humanity is not in a place where we can have that much power just accessible to anybody.”

Here are four big takeaways from the Pegasus Project:

1. The stakes are extremely high.

The series is chock full of examples of high-profile people who were verified or potential targets of Pegasus spyware. 

The list of phone numbers that formed the basis of the stories included 14 current and former heads of state – including three sitting presidents, three current prime ministers and Morocco’s King Mohammed VI. Among the sitting presidents was France’s Emmanuel Macron. 

It also included the names of hundreds of other government officials and politicians

Because the leaders declined to share their phones with researchers, it’s impossible to tell whether they were compromised with the spyware. 

Researchers also found that Pegasus spyware penetrated the phone of Hatice Cengiz, fiancée of murdered Saudi columnist Khashoggi days after he was killed. There was an attempt to install the spyware on the Android phone of Khashoggi’s wife Hanan Elatr six months before his killing. It’s impossible to determine whether the phone was actually penetrated because Android phones don’t always retain that data. 

The list included numbers for Dubai princess Latifa bint Mohammed al-Maktoum and her associates – added in the days and hours before she was seized by security services trying to flee her father and seek political asylum in the United States. 

The fine print: Those phone numbers appeared on a list of 50,000 numbers obtained by the French journalism nonprofit Forbidden Stories and Amnesty International. The purpose of the list is not known, but the numbers on it are concentrated in countries known to engage in surveillance of their citizens and that are also known to have been NSO clients. 

A forensic analysis of 37 smartphones whose numbers appear on the list shows that many were penetrated with Pegasus or that the spyware attempted to penetrate them. There’s a tight correlation between time stamps associated with the numbers on the list and the initiation of surveillance.

NSO has repeatedly disputed all the allegations in the report and said the list does not reflect surveillance targets of its government clients. The company has also said it is not always aware of its clients’ surveillance activities and has canceled or refused contracts when it thinks there are human rights concerns. The purpose of Pegasus, the company's founders say, is to help governments save lives by catching criminals and terrorists. 

2. These are incredibly powerful hacking tools.

Many cybersecurity stories center around victims who were hacked in part because of their own negligence in not setting up proper protections. This isn’t one of them. 

Pegasus is capable of bypassing all the standard cybersecurity protections, sometimes without the victim even clicking a suspect link. It works on both Apple and Android devices. Once a phone is infected, the spyware’s operators can vacuum up reams of data, intercept emails and texts and turn the microphone and camera into surveillance tools. 

Claudio Guarnieri, the Amnesty International Security Lab researcher who analyzed the 37 phones that showed evidence of Pegasus likened his work to a 14th-century doctor confronting the Black Plague without useful medicine. “Primarily I’m here just to keep the death count,” he told my colleagues.

3. The story is already having an impact. 

Hungarian opposition lawmakers are calling for a parliamentary inquiry into the use of Pegasus there to track journalists and government critics. 

The Paris public prosecutor’s office launched a probe into roughly 1,000 French numbers on the list, including Macron’s. 

Opposition leaders in India are also pushing for an investigation. 

An Israeli parliamentary review panel may recommend changes to the country’s defense export policy for spyware. 

U.N. High Commissioner for Human Rights Michelle Bachelet called the revelations “extremely alarming." She said they “seem to confirm some of the worst fears about the potential misuse of surveillance technology to illegally undermine people’s human rights.”

NSO co-founder Shalev Hulio told my colleagues the company intends to investigate the allegations – while also maintaining that the underlying list of phone numbers had no link to the company. 

“Every allegation about misuse of the system is concerning,” he told The Post. “It violates the trust that we give customers. We are investigating every allegation … and if we find that it is true, we will take strong action.”

4. NSO’s links with Israel’s government are unclear.

Officials at NSO and Israel’s Ministry of Defense both denied that the company shares any information about its clients or that is gleaned from surveillance. But U.S. and European security officials aren’t so sure

The company was founded by former members of Israel’s top electronic surveillance agency, which is analogous to the U.S. National Security Agency. The defense ministry must approve the license of NSO’s products to foreign governments.

It’s crazy to think that NSO wouldn’t share sensitive national security information with the government of Israel,” one former senior U.S. national security official who has worked closely with the Israeli security services told my colleagues. “That doesn’t mean they’re a front for the Israeli security agencies, but governments around the world assume that NSO is working with Israel.”

The keys

Police in Spain arrested a fourth suspect in connection with a July 2020 Twitter hack.

Joseph O’Connor, a 22-year-old Briton, has been charged with hacking, extortion and cyberstalking, the Justice Department said. The arrest comes just over a year after hackers breached high-profile Twitter accounts including those belonging to former president Barack Obama and Joe Biden when he was a candidate. 

The hack's underwhelming goal was to share a bitcoin scam.

Prosecutors also charged O’Connor with taking over TikTok and Snapchat accounts, the Justice Department said. Last year, he denied taking part in the hacks, telling the New York Times that he was getting a massage when the accounts were breached. “They can come arrest me,” he said. “I would laugh at them. I haven’t done anything.”

President Biden plans to meet with business executives next month to discuss cybersecurity.

The Aug. 25 meeting will focus on “how we can work together to collectively improve the nation’s cybersecurity,” a National Security Council spokesperson said. It comes as the Biden administration works to limit the impact of ransomware and other hacks aimed at U.S. businesses.

The spokesperson did not say which business leaders would attend.

Pennsylvania’s top election official decertified voting machines in one county after it agreed to participate in a questionable, partisan audit. 

The sparsely populated Fulton County will probably have to buy or lease new voting machines, report Marc Levy and Mark Scolforo of the Associated Press. Acting secretary of state Veronica Degraffenreid told the county that the review “was not transparent or bipartisan” and the company had “no knowledge or expertise in election technology.”

Republicans in Pennsylvania announced the audit as GOP leaders around the country continue to push states to recount election results and examine voting machines in an effort to support baseless claims of election fraud in 2020. Cybersecurity experts warn that machines could be compromised if private firms take them into custody and don't verify they're properly secured against tampering.

Maricopa County, the largest county in Arizona, approved $3 million to replace voting machines inspected as part of a partisan review of election results ordered by the GOP-led state legislature.

Privacy patch

Top U.S. Catholic Church official resigns after cellphone data is used to track him on Grindr and to gay bars (Michelle Boorstein, Marisa Iati and Annys Shin)

Hill happenings

America’s water systems are vulnerable to a Pearl Harbor-level cyberattack, Angus King warns (Lewiston Sun Journal)

House committee approves slate of bills to improve telecom security (The Hill)

Global cyberspace

Saudi Aramco facing $50M cyber extortion over leaked data (Associated Press)

Chinese hackers stole Mekong River data from Cambodian ministry - sources (Reuters)

Cyber insecurity

Massachusetts couple sues eBay over 'unrelenting' harassment campaign (Reuters)

Chat logs show how Egregor, an $80 million ransomware gang, handled negotiations with little mercy (CyberScoop)

Chinese hacking group APT31 uses mesh of home routers to disguise attacks (The Record)

A hospital employee stole the identities of dying patients to get covid-related benefits, feds say (Forbes)

Government scan

CISA considering open-source registrar platform for .gov domain (NextGov)


  • The Atlantic Council hosts an event on Russia and cybercrime today at 1 p.m.
  • Mitre hosts an event on ransomware hacks on critical infrastructure today at 4 p.m.
  • Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Homeland Security and Governmental Affairs Committee on July 27 at 10 a.m.
  • Transportation Security Administration chief David Pekoske and deputy secretary of transportation Polly Trottenberg testify at a Senate Commerce Committee hearing on pipeline cybersecurity on July 27 at 10 a.m.
  • The Senate Judiciary Committee holds a hearing on ransomware on July 27 at 10 a.m.
  • A House Oversight and Reform Committee panel holds a hearing on electrical grid cybersecurity on July 27 at 2 p.m.

Secure log off