Israeli Disinformation Expert Linked to Faked Bank Accounts in Serbian Smear Campaign
A leaked report sheds light on the source of a mysterious media attack on the Serbian president’s political rival.
The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.
NSO Group insists that its mobile phone surveillance software, called Pegasus, is meant to help its clients combat crime and terrorism. But it has also been used to spy on journalists, activists, opposition politicians, and dissidents.
After years of criticism, the secretive company has recently become more communicative, publicizing its commitment to human rights and even publishing a “Transparency and Responsibility Report” in June 2021.
But the spyware intrusions haven’t stopped. That’s why more than 80 journalists, representing 17 media organizations around the world, have come together to produce this investigation.
It began when journalism nonprofit Forbidden Stories and human rights group Amnesty International gained access to a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s phone hacking software. As the coordinator of the project, Forbidden Stories then invited OCCRP, the Washington Post, the Guardian, and 13 other partners to help investigate.
In the course of the project, we identified hundreds of individuals who owned these phones. Sixty-seven of them were subject to forensic analysis to determine whether they had been infected, and 37 showed signs of Pegasus activity. This reporting, supplemented by additional databases, internal documents, interviews, court documents, and other sources, formed the basis of the Pegasus Project, an unprecedented effort to understand who has been targeted by the users of NSO Group’s software — and what happens to them next.
A key part of the Pegasus Project is a list of over 50,000 phone numbers in nearly 50 countries, which is believed to be a list of numbers that have been “selected for targeting” by NSO clients.
This is a characterization that NSO Group has rejected. (See question 10 below for more on NSO Group’s response to the data, which can be read here in more detail.)
However, reporting by The Pegasus Project builds a case that the list indeed contains cell phone numbers selected by NSO Group clients for targeting with Pegasus. There is no evidence or suggestion that the company itself compiled or had any knowledge of these numbers.
The list does not include identifying information, but reporters were able to independently identify the owners of over 1,000 numbers. OCCRP focused on identifying numbers from Azerbaijan, Kazakhstan, and Rwanda.
In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition. Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.
Pegasus Project partners spoke with off-the-record industry insiders who corroborated key issues, found that court documents from WhatsApp’s suit against NSO Group contained some of the same numbers as on the leaked list, and confirmed other details that further corroborated the Pegasus Project’s understanding of the data.
The strongest indication that the list really does represent Pegasus targets came through forensic analysis.
Amnesty International’s Security Lab examined data from 67 phones whose numbers were in the list. Thirty-seven phones showed traces of Pegasus activity: 23 phones were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been replaced.
Fifteen of the phones in the data were Android devices. Unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. However, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
In a subset of 27 analyzed phones, Amnesty International researchers found 84 separate traces of Pegasus activity that closely corresponded to the numbers’ appearance on the leaked list. In 59 of these cases, the Pegasus traces appeared within 20 minutes of selection. In 15 cases, the trace appeared within one minute of selection. This strongly suggests the list represents the selection of numbers for targeting by state actors.
There is still much we can’t prove about the list: how it was compiled, who compiled it, or how it was used. Just because a number was included does not necessarily mean it was compromised. The list may include phone numbers where an attempted infection was unsuccessful, or where no attempt was made.
Based on the geographical clustering of the numbers on the leaked list, reporters identified potential NSO Group clients from more than 10 countries, mostly (but not always) one per country.
These countries include:
NSO Group insists that it sells its software only to governments, suggesting that the clients in these countries represent intelligence services, law enforcement agencies, or other official bodies.
NSO Group contends that its Pegasus software is meant only to help legitimate law enforcement bodies go after criminals and terrorists, and that any other use would violate its policies and user agreements.
The Pegasus Project did find numbers belonging to suspected criminal figures on the leaked list. However, of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.
For the most part, NSO Group’s clients selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists.
Many people targeted by Pegasus have reported receiving text messages attempting to trick them into clicking on an accompanying link. The experience can be frightening and extremely invasive, even before any infection occurs.
Carmen Aristegui, a Mexican investigative journalist, received dozens of messages impersonating the U.S. Embassy in Mexico, her colleagues, and even her bank and phone company.
“Carmen my daughter has been missing for 5 days, we are desperate, I would be grateful if you help me by sharing her photo,” read one message, accompanied by a malicious link.
Aristegui’s son, then a minor, also received such texts, including a “warning” that his social media account had been compromised. “Friend, there is a pseudo account on fb and twitter identical to yours check it out so you can report it,” it read.
Such “phishing attempts,” as they are widely known, have become so commonplace that many people have learned to be on their guard.
But the Pegasus software has gradually become more sophisticated, with the most recent versions able to gain entry to a target’s mobile phone without requiring them to click on a link, or take any action at all.
Once installed, Pegasus can extract data, conversations, contacts, and call logs from the victim’s phone. It can even switch on microphones and cameras to silently record live audio and video.
For a fuller explanation of what Pegasus can do, read OCCRP’s explainer.
The process of identifying Pegasus infections begins with one fortunate fact: Years ago, NSO Group was not as careful at hiding its traces as it is today.
In setting up a Pegasus attack against Ahmed Mansoor, a dissident from the United Arab Emirates who was hacked in 2016, NSO Group left several references to the name “Pegasus” in the malware that infected his phone. The network infrastructure used to conduct the attacks also left a trail that led researchers back to NSO Group servers.
Researchers say that NSO Group’s software has become more clever at hiding its traces in recent years, including intentionally altering system files to hide evidence of infection.
However, when Amnesty International carried out forensic audits of dozens of phones belonging to people whose numbers appeared on the newly leaked lists, they identified uniquely configured web servers that matched the ones identified in 2016.
Also connected to the same Pegasus network infrastructure are iOS “processes” — small programs not necessarily visible to the user — that appeared on infected phones and did not match any legitimate code released by Apple.
“There’s a sequence that shows a website was being visited, an application crashed, some files were modified, and all of these processes executed in a matter of seconds or even milliseconds,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. These processes, he said, were the same ones found in previously known Pegasus infections.
One process called “BH” or “BridgeHead,” identified after an analysis of Mansoor’s phone in 2016, kept appearing throughout the more recently analyzed phones as well. It appears to be a key component of the Pegasus toolkit.
“There’s no doubt in my mind that what we’re looking at is Pegasus,” Guarnieri said. “The characteristics are very distinct and all of the traces that we see confirm each other, essentially. There are no contradictory forensic traces that we have seen.”
Along with this project, Amnesty International is publishing the full technical analysis that allowed their researchers to reach these conclusions. It was independently reviewed by Citizen Lab, a research center at the University of Toronto that has years of experience investigating NSO Group. The Citizen Lab researchers concurred with Amnesty International’s analysis.
Years of reporting by investigative journalists and digital rights advocates has led to the identification of many victims of NSO Group’s software on an ad hoc basis. But those cases depended on the targets coming forward themselves after receiving a suspicious message or otherwise having reason to think their phones were breached.
The Pegasus Project approached the topic from the other direction, identifying potential victims from a leaked list of numbers believed to be selected as targets by NSO Group’s clients.
This allowed reporters not only to identify many new victims, but also to leverage the list as a basis for examining the accuracy of long-held contentions that Pegasus is systematically used to target journalists, activists, and other non-criminal figures. The reporting found widespread additional evidence that this is the case, painting the most complete picture to date of what Pegasus does around the world.
This is a difficult question because of the number and nature of the jurisdictions involved. Generally, countries have the right to investigate criminal activity and monitor people they consider dangerous or criminal. In many cases, they can do this only after receiving a warrant or approval from a judge. But many of the countries that use NSO Group’s software score poorly on measures of rule of law and respect for human rights, making abuses possible even when the formalities are observed. The large number of politicians, journalists, activists, and academics on the leaked lists suggest that some countries were surveilling people for political or other illegitimate purposes.
There is also the issue of NSO Group’s exploitation of weaknesses in commercial software. Apple, Google, WhatsApp, and other tech firms whose software was compromised may have legitimate damage claims against NSO Group, and in fact WhatsApp has launched a high-profile lawsuit against the company.
Yes. Numbers belonging to known criminals appeared on the leaked list for some countries. However, these are naturally harder to identify than the numbers of journalists and politicians. Tens of thousands of the leaked numbers remain unidentified, and the true proportion of criminals in the data may never be fully known.
NSO Group has denied that the list of 50,000 phone numbers could be a list of targeted persons.
A law firm retained by the company wrote that it looked more like a public list of “HLR” or “Home Location Register” data. HLR data is essentially a database kept by mobile phone companies that allow a real time query of a subscriber’s information. It includes information such as whether a phone is in a network, whether it is active, whether it is roaming, and other basic information.
Karsten Nohl, the chief scientist for Security Research Labs in Berlin, said that HLR lookups have long been used in surveillance of mobile phones because they indicate whether the phone is on, and thus available for hacking.
Moreover, a source with knowledge of NSO Group’s software said that HRL lookups are integrated into the Pegasus system.
Amnesty International’s forensic analysis, explained in question 2 above, also shows that in many cases the targeting was swiftly followed by an infection, often within minutes. This is consistent with a system that had an integrated HLR lookup. Cases when infection did not follow could correspond to HLR lookups that showed the phone was not available at the time.
In sum, NSO Group could be correct that the 50,000 numbers represent HLR data — and this would not contradict journalists’ findings that the same data could represent the selection of targets for infection with Pegasus.