GENEVA — The reported uses of military-grade malware from Israel-based NSO Group to spy on rights activists, dissidents and journalists “seem to confirm some of the worst fears” about governments abusing their surveillance powers, the head of the U.N. human rights office warned on Monday.
An international alliance of journalists reported that governments attempted or successfully installed the cyber-surveillance company’s Pegasus spyware for tracking terrorists and criminals on at least 37 smartphones, including the one owned by Washington Post columnist Jamal Khashoggi’s fiancee, Hatice Cengiz, four days after he was murdered in the Saudi Consulate in Istanbul in 2018.
At least 180 journalists in 20 nations — including Azerbaijan, Hungary, India and Morocco, where crackdowns on independent media have intensified — were selected by NSO clients as targets for potential surveillance between 2016 and June 2021, according to the Pegasus Project, an investigation by more than 80 journalists from 17 media outlets among 10 countries. The investigation, based on leaked data from unspecified sources, was coordinated by Paris-based Forbidden Stories with the technical support of London-based Amnesty International’s Security Lab, which forensically examined 67 smartphones.
Michelle Bachelet, the United Nations’ top human rights official, said the allegations, even if partly true, show government authorities crossed a red line “again and again with total impunity” by misusing public safety tools to intrude on the work of legitimate journalists, rights activists and political dissidents. The use of such powerful spyware, she said, can only be justified when governments are investigating serious crimes and grave security threats.
“Revelations regarding the apparent widespread use of the Pegasus software to spy on journalists, human rights defenders, politicians and others in a variety of countries are extremely alarming, and seem to confirm some of the worst fears about the potential misuse of surveillance technology to illegally undermine people’s human rights,” said Bachelet, head of the Geneva-based Office of the U.N. High Commissioner for Human Rights.
“Use of surveillance software has been linked to arrest, intimidation and even killings of journalists and human rights defenders,” she said. “Reports of surveillance also have the invidious effect of making people censor themselves through fear. Journalists and human rights defenders play an indispensable role in our societies, and when they are silenced, we all suffer.”
#Pegasus: Revelations about the widespread use of software to spy on journalists, human rights defenders & others are extremely alarming. See statement by @UNHumanRights Chief @mbachelet: https://t.co/v6moMj4v6W pic.twitter.com/vyRxLX4jyq
— UN Human Rights (@UNHumanRights) July 19, 2021
BREAKING: Thousands of iPhones have potentially been compromised. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models.#PegasusProjecthttps://t.co/QN5XY90dKY
— Amnesty International (@amnesty) July 19, 2021
Amnesty, which has been documenting over the past five years the alleged use of NSO’s spyware to target citizens, said the latest malware can hack even Apple iPhone’s latest models without detection.
It said Forbidden Stories and their media partners, including including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post, identified potential NSO clients in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo and the United Arab Emirates.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,” said Agnès Callamard, Secretary General of Amnesty International. “As a first step, NSO Group must immediately shut down clients’ systems where there is credible evidence of misuse.”
At least 40 journalists in India were selected as potential targets between 2017 and 2021, it said, and one of the highest profile journalists was Financial Times Editor Roula Khalaf. “Press freedoms are vital,” she said, “and any unlawful state interference or surveillance of journalists is unacceptable.”
NSO described the investigation as “full of wrong assumptions and uncorroborated theories” based on unidentified sources and that only law enforcement and intelligence agencies of “vetted governments” have access to the spyware for catching terrorists and criminals. “After checking their claims, we firmly deny the false allegations made in their report,” it said. “Our technology was not associated in any way with the heinous murder of Jamal Khashoggi.”
Ivan Krstić, head of Apple’s security engineering and architecture, said such “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals.” He said the company works “tirelessly to defend all our customers” by improving protections for their devices and data.