The Washington Post

Pegasus hack reported on iPhones of Human Rights Watch official

Victim is latest among dozens of journalists, politicians, human rights workers, diplomats and other targets discovered in recent months, as scrutiny of Pegasus-maker NSO Group intensifies.

FILE — A logo adorns a wall on a branch of the Israeli NSO Group company, near the southern Israeli town of Sapir. (Sebastian Scheiner/AP)
An earlier version misstated the number of times Pegasus spyware targeted Lama Fakih's iPhones. It was five. This version has been corrected.

Human Rights Watch official Lama Fakih was at a meeting in Beirut, where she lives and works, when a strange message appeared on her iPhone on Nov. 24: “ALERT,” it said. “State-sponsored attackers may be targeting your iPhone.”

When Fakih, a dual U.S.-Lebanese citizen, considered what “state-sponsored attackers” might be interested in hacking her phone, the list was so long it was hard to know who was responsible.

But the means soon became clear: Somebody had used Pegasus, the powerful Israeli-built spyware, to peer into two of Fakih’s iPhones and into her life, Human Rights Watch announced Wednesday following forensic investigations.

“I’ve sort of been caught up in this cycle of worry: Which government and why, and what did they access?” Fakih, the crisis and conflict director for Human Rights Watch and head of the group’s Beirut office, said in an interview. “This I thought again and again: What are they going to do with my data? And also I thought: I’ve been turned into this tool to undermine the rights of people.”

Fakih is one among dozens of human rights workers, journalists, diplomats, politicians and others who have learned that they have been victims of Pegasus infections since The Washington Post, as part of a global investigative consortium, reported on widespread abuse of the technology in July.

A list published recently by Israel’s Haaretz, a partner in the Pegasus Project, tallied more than 450 known victims overall — including those named in the project and others whose cases were previously reported. And the discoveries keep coming. Research group Citizen Lab reported Tuesday that, in Poland, an opposition political leader and a co-author of a book about the head of the country’s secret services had their phones hacked with Pegasus.

Fakih said she was unsure why she was targeted, but she had spent many months last year studying the mysterious 2020 explosion in Beirut that killed more than 200 people and caused billions of dollars in damage. That work and other efforts she oversaw for Human Rights Watch meant she routinely communicated with sensitive sources, including people who have been victimized.

She said she has contacted some close associates to warn them that her phone was infected with Pegasus — which is capable of collecting files, phone contacts, photos, audio recordings and messages on encrypted chat apps while also activating phones and cameras for real-time eavesdropping — but she could not easily reach everyone whose privacy might have been invaded.

“It’s heart-rending,” Fakih said. “My job is to talk to and about vulnerable people all day. … There was no way I could protect against this.”

She and other Human Rights Watch officials said her case underscores the rampant abuse from the largely unregulated spyware market, which includes dozens of companies worldwide. On Wednesday, Human Rights Watch called for an immediate moratorium on the sale and export of such technology until governments impose “enforceable legal frameworks requiring human rights due diligence” to prevent such abuses.

Wednesday’s report comes as the NSO Group, which makes Pegasus and licenses its use to dozens of government clients worldwide, confronts a growing number of financial, corporate and legal struggles.

The U.S. government has barred American companies from trading with it, and both Apple and Facebook’s parent company, Meta, have sued it. Israel’s attorney general last week said he was investigating news reports of Pegasus abuses by that nation’s police force. On Tuesday, the departure of the company’s chairman, Asher Levy, became public. That follows the chief executive’s November announcement, after just two weeks on the job, that he would resign.

NSO Group said in a statement Tuesday that Levy’s departure was previously planned and that reports of financial and other troubles were unfounded. “Any attempts to present this move as a present-day resignation as a result of any publication related to NSO are completely false,” Levy said in a statement released by the company.

The Human Rights Watch report quotes the NSO Group saying it was “not aware of any active customer using [its] technology against a Human Rights Watch staff member” and would investigate the findings. The forensic investigation has been reviewed by Amnesty International’s Security Lab, an expert in tracking Pegasus.

In response to questions from reporters Tuesday, the NSO Group issued a statement that did not challenge the Human Rights Watch report. Company spokesman Oded Hershkovitz said: “NSO believes there should be an international regulatory structure put in place to ensure the responsible use of cyber intelligence tools. However, any call to suspend these lifesaving technologies until such a structure exists is naive and would only benefit the terrorists, pedophiles and hardened criminals who will evade surveillance and apprehension.”

Fakih’s two infected iPhones were on a Lebanese network and appear to have been targeted with “zero-click” attacks, meaning she didn’t need to click on a malicious link or do anything else for the hack to begin, according to the Human Rights Watch report. The report said evidence was found of five separate hacks by Pegasus on her iPhones between April and August. Some apparently used an exploit for targeting iPhones known as FORCEDENTRY. The discovery of FORCEDENTRY helped prompt Apple to sue the NSO Group in November and issue alerts to customers worldwide who may have been targeted.

A third phone used by Fakih with a U.S.-based +1 phone number did not show evidence of infection, she said, and the infected phones were not used to connect with the organization’s computer systems, minimizing the impact of the intrusion.

The list of places where Fakih oversaw investigations includes Syria, Myanmar, Israel, the Palestinian territories, Greece, Kazakhstan, Ethiopia, Lebanon, Afghanistan and the United States, Human Rights Watch said.
