Governments around the world used military-grade spyware developed by an Israeli firm for tracking terrorists to hack journalists, activists, business executives, and even two women close to murdered Saudi journalist Jamal Khashoggi, The Washington Post reports.
Forbidden Stories, a French-based journalism nonprofit, and the human rights group Amnesty International obtained access to a list of 50,000 phone numbers concentrated in countries who are clients of the Israeli firm NSO Group and shared it with more than a dozen media outlets who investigated the list.
Reporters were able to identify more than 1,000 people based in 50 different countries as being among those who may have been hacked using the spyware. The list included multiple heads of state and members of the Saudi royal family, 189 journalists, 600 politicians and government officials, 85 human rights activists, and 65 business executives.
The journalists on the list included those working overseas for outlets like CNN, Associated Press, The New York Times, and Bloomberg as well as international reporters from Al Jazeera, the Financial Times, and Le Monde.
A forensic analysis of 37 smartphones found that they showed signs of hacking that correlated with the list.
Terrorist tracking app?:
The investigation appears to undermine claims by NSO, which has billed the software as a tool to track terrorists and criminals.
The company said prior to the report that the investigation’s findings were exaggerated and baseless but said it has “no insight” into how its clients use the software.
“The company cares about journalists and activists and civil society in general,” NSO CEO Shalev Hulio told the Post. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that two contracts in the past year were terminated due to suspected human rights abuses.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO says its clients are 60 intelligence, military, and law enforcement agencies in 40 countries. The company keeps its client list secret but the investigation found phone numbers clusters in 10 countries believed to be NSO clients: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Mexico leads in spying:
The largest number of phone numbers from the list were in Mexico. At least 15,000 Mexican numbers were on the list, including those belonging to lawmakers, union officials, journalists, and government critics.
Many were also in the Middle East, including Qatar, the UAE, Bahrain, and Yemen.
European governments appear to also be spying. The list included more than 1,000 French numbers and hundreds based in Hungary, including journalists and media moguls.
“This is nasty software — like eloquently nasty,” Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency, told the Post. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”