Data leak and forensics suggest NSO’s surveillance tool used against journalists at some of world’s top media companies
The editor of the Financial Times is one of more than 180 editors, investigative reporters and other journalists around the world who were selected as possible candidates for surveillance by government clients of the surveillance firm NSO Group, the Guardian can reveal.
Roula Khalaf, who became the first female editor in the newspaper’s history last year, was selected as a potential target throughout 2018.
Her number is included in a leaked list of mobile phone numbers selected for possible surveillance by clients of NSO, an Israeli firm that manufactures spyware and sells it to governments. Its principal product, Pegasus, is capable of compromising a phone, extracting all of the data stored on the device and activating its microphone to eavesdrop on conversations.
Following publication NSO’s lawyer said there was no attempted or successful Pegasus infections of Khalaf’s phone.
Other journalists who were selected as possible candidates for surveillance by NSO’s clients work for some of the world’s most prestigious media organisations. They include the Wall Street Journal, CNN, the New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, Associated Press, Le Monde, Bloomberg, Agence France-Presse, the Economist, Reuters and Voice of America.
NSO has long insisted that the governments to whom it licenses Pegasus are contractually bound to only use the powerful spying tool to fight “serious crime and terrorism”.
Analysis of the leaked data suggests that Khalaf’s phone was selected as a possible target by the United Arab Emirates (UAE). At the time, Khalaf was a deputy editor at the FT. A spokesperson for the Financial Times said: “Press freedoms are vital, and any unlawful state interference or surveillance of journalists is unacceptable.”
The leaked records were initially accessed via Forbidden Stories, a nonprofit journalism organisation, and Amnesty International. They shared access with the Guardian and select other media outlets as part of the Pegasus project, an international investigative collaboration.
A successful Pegasus infection gives NSO customers access to all data stored on the device. An attack on a journalist could expose a reporter’s confidential sources as well as allowing NSO’s government client to read their chat messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the device’s microphone.
Reporters whose numbers appear in the data range from local freelancers, such as the Mexican journalist Cecilio Pineda Birto, who was murdered by attackers armed with guns one month after his phone was selected, through to prize-winning investigative reporters, editors and executives at leading media organisations.
In addition to the UAE, detailed analysis of the data indicates that the governments of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda and Saudi Arabia all selected journalists as possible surveillance targets.
It is not possible to know conclusively whether phones were successfully infected with Pegasus without analysis of devices by forensic experts. Amnesty International’s Security Lab, which can detect successful Pegasus infections, found traces of the spyware on the mobile phones of 15 journalists who had agreed to have their phones examined after discovering their number was in the leaked data.
Among the journalists confirmed by analysis to have been hacked by Pegasus were Siddharth Varadarajan and Paranjoy Guha Thakurta, a co-founder and a reporter at the Indian news website the Wire. Thakurta was hacked in 2018 while he was working on an investigation into how the Hindu nationalist government of Narendra Modi was using Facebook to systematically spread disinformation among Indian people online.
“You feel violated,” Varadarajan said of the hacking of his device and the selection of his colleagues for targeting. “This is an incredible intrusion and journalists should not have to deal with this. Nobody should have to deal with this, but in particular journalists and those who are in some way working for the public interest.”
Omar Radi, a Moroccan freelance journalist and human rights activist who has published repeated exposés of government corruption, was hacked by an NSO client believed to be the government of Morocco throughout 2018 and 2019.
The Moroccan government has since accused him of being a British spy, in allegations described by Human Rights Watch as “abusing the justice system to silence one of the few remaining critical voices in Moroccan media”.
Saad Bendourou, a deputy head of mission at the Moroccan embassy in France, dismissed the consortium’s findings.
“We remind you that the unfounded allegations already published by Amnesty International and relayed by Forbidden Stories have already been the subject of an official response by the Moroccan authorities, who categorically denied such allegations,” he said.
Khadija Ismayilova: ‘It’s Despicable, It’s Heinous’
Khadija Ismayilova, an award-winning Azerbaijani investigative journalist, was also confirmed by technical analysis to have been hacked with Pegasus in 2019. She has spent years reporting on the network of corruption and self-enrichment that surrounds the autocratic president, Ilham Aliyev, who has ruled his country since seizing power in 2003.
She has faced a sustained campaign of harassment and intimidation in retaliation for her work. In 2012 intimate videos of her, filmed using a camera installed in her apartment without her knowledge, were published online shortly after she received a letter warning her to “behave or be defamed”.
In 2014 she was arrested on charges of alleged tax evasion, “illegal business” offences, and the “incitement to suicide” of a still-living colleague. She was released from a jail sentence of seven and a half years following an appeal, though remained subject to a travel ban as well as an asset freeze preventing her from accessing her own bank account until recently.
Her phone was almost certainly hacked by agents of the Aliyev regime, according to analysis of the leaked data. The same NSO customer also selected as surveillance candidates more than 1,000 other Azerbaijani phones, many belonging to Azerbaijani dissidents, as well two of Ismayilova’s lawyers.
“I feel guilty for the sources who sent me [information], thinking that some encrypted messaging ways are secure. They did it and they didn’t know my phone was infected,” Ismayilova said.
“My family members are also victimised, people I’ve been working with. People who told me their private secrets are victimised. It’s not just me.”
She said she was angry with those who “produce all of these tools and sell them to the bad guys like the Aliyev regime. It’s despicable, it’s heinous … When the video was exposed, it was just me. Now I don’t know who else has been exposed because of me, who else is in danger because of me.”
Bradley Hope: ‘Your Phone Is A Potential Surveillance Device’
Also listed in the leaked records is a UK phone number belonging to the American investigative journalist Bradley Hope, who lives in London. At the time of his selection he was an employee at the Wall Street Journal.
In spring 2018 Hope and his colleague Tom Wright were fact-checking a draft of a book on 1MDB, a corruption scandal involving the theft of $4.5bn from the state of Malaysia. Central to the allegations were Najib Razak, the country’s prime minister, and a businessman named Jho Low.
Part of their investigation also concerned the possibility that some of the money had been spent on a luxury yacht, called the Topaz, for Sheikh Mansour, the deputy prime minister of the UAE and a senior member of the Abu Dhabi royal family.
As part of standard journalistic practice, Hope and Wright contacted parties who would be named in their book and offered them an opportunity to comment.
The records reveal that around the same time, one of NSO’s government clients – believed to be the UAE – began selecting Hope’s mobile phone as a possible surveillance candidate.
His number was included on the list until at least the spring of 2019, during which time Hope and Wright continued to report on new disclosures in the 1MDB corruption investigation. Wright’s phone number does not appear in the list.
Hope no longer has access to his phone so the Guardian was unable to carry out an analysis, although checks on his current device found no suggestion he was currently being monitored.
“I think probably the number one thing that anyone targeting my phone would want to know is: who are my sources?” Hope said. “They would want to know who it is that is providing this insight.”
He suggested that one possibility was that the country might have been interested in him because it was trying to calculate where, if anywhere, he stood in relation to the vast and sprawling regional rivalry between the UAE and its neighbour Qatar.
Hope said he had already adopted various digital security countermeasures, including regularly replacing his phone handset, updating operating systems and not bringing electronic devices into high-risk jurisdictions such as the UAE.
“Knowing that a country can so easily penetrate your phone, it inevitably means that you have to always be thinking about your phone as a potential surveillance device,” he said. “It will just remind me that at any time I could be carrying around a vulnerability with me.”
Other prominent journalists whose phones were selected by NSO’s clients include Gregg Carlstrom, a Middle East reporter at the Economist, whose Egyptian and Qatari phone numbers were selected as possible targets by an NSO client, believed to the UAE.
Prominent media executives, including Edwy Plenel, the founder of the French online investigative outlet Mediapart, were also selected.
‘There Are Not Enough Safeguards’
Carlos Martínez de la Serna, a programme director at the nonprofit Committee to Protect Journalists, said the use of spyware to attack journalists and their sources was becoming an increasingly serious issue for his organisation.
“Putting surveillance on a journalist has a very strong, chilling effect. Our devices are key in the reporting activity, and it exposes the journalist’s contacts, it exposes the journalist’s sources, exposes the journalist’s materials,” he said. “It targets the journalistic activity in a way that almost fully impedes it in situations where journalists are being threatened.”
Martínez said there was an urgent need for countries to begin regulating companies exporting surveillance capabilities, particularly where reporters were likely to be at risk. “There are not enough safeguards about the export of the software,” he said. “Spyware has been sold directly to governments with terrible press freedom records, which is hard to understand.”
NSO Group’s lawyers said the company “does not have access to the data of its customers’ targets”. However, they disputed that the numbers in the leak revealed the identities of NSO client’s surveillance targets, suggesting they may instead be part of a larger list of numbers used by their customers “for other purposes” that are legitimate and have nothing to do with surveillance or with NSO.
NSO denied “false claims” made about the activities of its clients, but said that it would “continue to investigate all credible claims of misuse and take appropriate action”. It said that in the past it had shut off client access to Pegasus where abuse had been confirmed.
The company added: “NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”
Leave a Reply