Pegasus spyware found on journalists’ phones, French intelligence confirms
Announcement is first time an independent and official authority has corroborated Pegasus project findings
French intelligence investigators have confirmed that Pegasus spyware has been found on the phones of three journalists, including a senior member of staff at the country’s international television station France 24.
It is the first time an independent and official authority has corroborated the findings of an international investigation by the Pegasus project – a consortium of 17 media outlets, including the Guardian. Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to a leaked list of 50,000 numbers that, it is believed, have been identified as those of people of interest by clients of Israeli firm NSO Group since 2016, and shared access with their media partners.
France’s national agency for information systems security (Anssi) identified digital traces of NSO Group’s hacking spyware on the television journalist’s phone and relayed its findings to the Paris public prosecutor’s office, which is overseeing the investigation into possible hacking.
Anssi also found Pegasus on telephones belonging to Lenaig Bredoux, an investigative journalist at the French investigative website Mediapart, and the site’s director, Edwy Plenel.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a “target” to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent “targets” of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Forbidden Stories believes at least 180 journalists worldwide may have been selected as people of interest in advance of possible surveillance by government clients of NSO.
A source at France 24 said the broadcaster had been “extremely shocked” to discover one of its staff had potentially been monitored.
“We are stupefied and angry that journalists could be the object of spying. We will not be taking this lying down. There will be legal action,” the source said.
Le Monde reported that the France 24 journalist, based in Paris, had been selected for “eventually putting under surveillance”. Police experts discovered the spyware had been used to target the journalist’s phone three times: in May 2019, September 2020 and January 2021, the paper said.
Bredoux told the Guardian that investigators had found traces of Pegasus spyware on both her and Plenel’s mobile phones. She said the confirmation of long-held suspicions that they had been targeted contradicted the repeated denials of those who were believed to be behind the attempt to spy on them.
“It puts an end to the idea that this is all lies and fake news. It’s the proof we need,” Bredoux said.
French politicians expressed shock after the mobile numbers of the president, Emmanuel Macron, former prime minister Edouard Philippe and 14 serving ministers, including those for justice and foreign affairs, appeared in the leaked data. Research by the Pegasus project suggests that Morocco was the country that may have been interested in Macron and his senior team, raising fears that their phones were selected by one of France’s close diplomatic allies.
NSO said Macron was not and never had been a “target” of any of its customers, meaning the company denies he was selected for surveillance or was surveilled using Pegasus. The company added that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
Morocco has “categorically” rejected and condemned what it called “unfounded and false allegations” that it had used Pegasus to spy on high-profile international figures. Lawyers for the government said last week that it had filed defamation claims in Paris against Amnesty International and Forbidden Stories.
Bredoux added: “It takes a bit of time to realise it, but it’s extremely unpleasant to think that one is being spied on, that photos of your husband and children, your friends – who are all collateral victims – are being looked at; that there is no space in which you can escape. It’s very disturbing.”
But Bredoux, who in 2015 wrote a series of articles on Abdellatif Hammouchi, the director general of Moroccan internal intelligence, said her main concern was for the journalists’ contacts.
“As journalists, what is even more worrying is that sources and contacts may have been compromised, that these are violations not just of your privacy and private life, but of the freedom of the press.
“We are not in the same situation as the journalists in Morocco but are being used like Trojan horses to get at them, so my thoughts are with our colleagues in Morocco.
“That my telephone could be used to help attack these journalists who fight every day makes me very angry.”
Last month when news of the Pegasus project broke, Macron ordered multiple investigations. The French prime minister, Jean Castex, said the Elysee had “ordered a series of investigations”, after vowing to “shed all light on the revelations”.
In Israel last week, authorities inspected NSO’s offices. And on Sunday, the Israeli newspaper Haaretz reported an “emergency” conference had been called for cyber-firms to assess the impact of the revelations on the domestic sector. It is not clear which companies will attend the meeting.
Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by NSO Group. The malware has the capability to infect billions of phones running either iOS or Android operating systems. It enables operators of the spyware to extract messages, photos and emails, record calls and secretly activate microphones.
The appearance of a number on the leaked list does not mean it was subject to an attempted or successful hack.
Human rights activists, journalists and lawyers around the world have been selected as possible candidates for potential invasive surveillance by authoritarian governments using the hacking software, according to the investigation into the massive data leak.
The investigation suggests widespread and continuing abuse of Pegasus, which NSO insists is only intended for use against criminals and terrorists.