Munich, Germany (Special to Informed Comment; Feature) –– Pegasus, the main cyber-surveillance weapon developed by the Israeli company NSO Group, had been at the center of formidable reporting before July 2021. Still, the revelations presented by the Pegasus Project partners in a cascade of articles that began on July 18, 2021, represented a watershed moment.
The Pegasus Project was a working group of international investigative journalists that incorporated 17 media organizations. The project included publications such as the Belgian Le Soir, the Indian The Wire, and the Mexican Proceso alongside bigger media organizations such as The Guardian, Die Zeit, or The Washington Post. Starting on publication day, the 17 media partners released in a synchronized way their reporting on the use of Pegasus to hack into the mobile phones of human rights defenders, journalists, lawyers, and politicians across the globe.
The Pegasus Project ended up involving around 800 journalists. However, it would never have been possible without an initial, individual decision. The one taken by a source whose identity, to this day, is only known by a very few. The source leaked a list of 50,000 phone numbers that had been targeted for hacking through Pegasus.
Before the Pegasus Project became a reality, there was a core group of only four people. The team consisted of two Amnesty International cybersecurity experts, Claudio Guarneri and Donncha Ó Cearbhaill, and two journalists, Laurent Richard and Sandrine Rigaud, the founder and editor, respectively, of the non-profit media organization Forbidden Stories, based in Paris. It was Forbidden Stories that received the list with 50,000 phone numbers targeted by Pegasus. Richard and Rigaud explain the story of the Pegasus Project in their book “Pegasus: The Secret Technology That Threatens the End of Privacy and Democracy.”
In the beginning, the reporters’ main task was to corroborate, thanks to the technical expertise of Guarneri and Ó Cearbhaill, that the list they had received truly included targeted people. They initially did so by matching some phone numbers in the leaked list with journalists who had collaborated with Forbidden Stories in the past and were on the reporters’ phone contact lists.
Richard and Rigaud reached out to the journalists suspected of having been attacked, asking whether they would agree to have their mobile phones remotely scanned by the Amnesty International cybersecurity experts. Some of them also sent their mobile phones for forensic analysis.
Guarneri and Ó Cearbhaill started to discover signs of attempted or successful infection in the devices. Those who turned out their mobile phones at this early stage, brave people such as the Azerbaijani journalist Khadija Ismayilova, spied on by her own government, were fundamental for the success of the investigation.
The investigative effort had to be carried out in the utmost secrecy. This required obvious measures such as keeping mobile phones away from work-related conversations or continuous scans to guarantee that the mobile phones of those involved in the investigation had not been compromised. But it also implied very complicated equilibria, such as approaching suspected targets and convincing them to hand over their mobile phones while sharing little information about the ongoing journalistic investigation.
Previous personal acquaintances helped create the relationships of trust needed for the targeted people to feel confident enough to depart from their mobile phones and the personal information contained there. Here, the success of Forbidden Stories and the partners it later incorporated was all the more impressive against the background of the ongoing COVID-19 pandemic, which limited international travel and face-to-face interactions.
After consulting with the German journalist Bastian Obermayer, who, together with Frederik Obermaier, had been responsible for the Panama Papers investigation, Richard and Rigaud carefully expanded the circle of people involved in the Pegasus reporting. Forbidden Stories embarked four partner media organizations on the project – Le Monde, Die Zeit, Süddeutsche Zeitung, and The Washington Post.
With this decision, the risk of NSO getting wind of the investigation and introducing changes in its Pegasus attacks – something that would have greatly complicated the work of the Amnesty International forensic team – expanded exponentially. But so did the capacity to establish the names behind the 50,000 phone numbers on the list and gain access to new targeted mobile phones for further analysis. After a period of successful cooperation with these four media organizations, and as the intended publication day approached, the Pegasus Project grew to the final 17 partners.
With the help of these partner media organizations, the Amnesty International cybersecurity experts received a constant flow of mobile phones that helped them better understand how Pegasus operated. Guarneri and Ó Cearbhaill progressively developed their own forensic tools to detect Pegasus infections with growing accuracy and detail. In the book, Richard and Rigaud succeed in making understandable the highly complex procedures involved in hacking a mobile phone as well as in detecting these infections.
What the Amnesty International forensic investigation showed was that WhatsApp and SMS messages were two of the easiest and most common avenues to get access to the targeted mobile phones, but not the only ones. The NSO had developed so-called “zero-click” attacks that did not need the targeted person to click on a fake message for the hacking to be successful. Once inside the mobile phone, the attackers using Pegasus had access to any information contained in the device. The mobile phone’s microphone and camera could also be activated to capture everything within their range.
As the investigation would reveal, Pegasus was at the hands of governmental agencies in dictatorships such as the United Arab Emirates, Saudi Arabia, Morocco, or Azerbaijan, as well as illiberal democracies such as Hungary and India. The most proliferous user was Mexico, where Pegasus was deployed against drug traffickers and critical journalists alike. Among the victims of Pegasus were the closest entourage of the Saudi journalist Jamal Khashoggi, murdered in the Saudi consulate in Istanbul in October 2018, or the French President Emmanuel Macron, a target of Morocco.
But these famous names were only the tip of the iceberg, with at least hundreds of human rights advocates, journalists, and lawyers being targeted. The Pegasus Project investigation directly contradicted NSO’s long-standing claim that their cyber surveillance star product, Pegasus, was being deployed by trusted governmental agencies only to prosecute criminals and terrorists and guarantee global security. Before the Pegasus Project revelations, NSO had defended that misuse of Pegasus immediately led to the violator agency losing access to it. The magnitude of the Pegasus Project revelations put this lie to rest.
In their book, Richard and Rigaud provide an interesting portrait of Shalev Hulio and Omri Lavie, who, together with Niv Karmi – the “N” in NSO Group – founded the self-styled cybersecurity company in 2010. Niv Karmi would leave NSO only one month after its foundation. In “Pegasus”, Hulio and Lavie emerge as perfect examples of the dangers inherent in letting profit maximization trump any ethical concern.
What the book leaves relatively unexplored are the strong ties between the Israeli government and NSO. As an Israeli company, NSO’s technology exports have to be approved by the Israeli government. This is something common to many other countries with a powerful weapons industry, which similarly have little compunction about selling their technology to serial human rights violators.
But the connections between the Israeli government and NSO go further than this. As Ronen Bergman and Mark Mazzetti from The New York Times documented, “sales of Pegasus played an unseen but critical role in securing the support of Arab nations in Israel’s campaign against Iran and even in negotiating the Abraham Accords.”[1] After the agreement in September 2020, Israel established diplomatic relations with the UAE and Bahrain.
In his acclaimed 2023 book “The Palestine Laboratory: How Israel Exports the Technology of Occupation around the World”, journalist Antony Loewenstein explains how both the Gaza Strip and the West Bank have served as a display room for the effects of Israeli weapons. These weapons are then exported worldwide securing significant revenue and influence for Israel.
Despite the efforts to keep up the appearance of a clear-cut division between the public and the private realms, Israeli cyber-arms firms, as well as traditional weapons companies, “act as an extension of Israel’s foreign policy agenda, supporting its goals and pro-occupation ideology.”[2]
In his book, Lowenstein explains that in 2020 Saudi Crown Prince Mohammed Bin Salman called the Israeli Prime Minister Benjamin Netanyahu after his defence ministry had decided to suspend the licensing of Pegasus to the Saudi kingdom. Around that time, reports had emerged connecting Pegasus with the killing of Jamal Khashoggi, which shed a bad light on NSO and the Israeli government. Netanyahu, for whom the new Saudi-Israeli geopolitical alignment against Iran weighed more heavily than PR concerns, made sure Saudi Arabia regained access to Pegasus.
Back to Richard and Rigaud, it is no overstatement to say that their book is an incomparable opportunity to understand what serious journalism is about. If this is the case, it is not so much because of the findings the book reveals. These, after all, are accessible through the reporting of the 17 partners in the Pegasus Project and the follow-up stories by hundreds of other media organizations. The genius in “Pegasus” is to be found in the impressive description of an even more impressive process. That is, how a single leak developed into a major-scale international investigation up to the highest journalistic standards, all the while staying below the NSO’s powerful radar.
Right before publication, when the company was approached for comment about the impending revelations, NSO’s PR armor collapsed under the weight and scope of the Pegasus Project findings. Failing to engage with the content of the allegations, NSO threatened defamation lawsuits and attempted a divide-and-rule approach toward the different Pegasus Project partners. This last-ditch effort failed to prevent the 17 media organizations from pressing the publish button when the day arrived.
The revelations by the Pegasus Project had significant consequences, such as the Biden administration’s blacklisting of NSO in November 2021. NSO has kept fighting, though. After the Hamas attack against Israel on October 7, 2023, NSO attempted to have its blacklist status in the US reversed citing the threat of Hamas and the role the Israeli company could play against it. The lobbying efforts did not succeed.
In February 2024, NSO suffered a significant defeat when it was forced to hand its code to WhatsApp as a result of a lawsuit dating back to 2019 over NSO’s hacking using WhatsApp messages. These successes notwithstanding, the lack of a global regulatory framework on the use of cyber-surveillance methods is a strong reason to remain concerned. As Richard and Rigaud themselves note in the epilogue to their book, “NSO might be crippled, but the technology it engineered is not.”[3]
[1] Ronen Bergman and Mark Mazzetti, “The Battle for the World’s Most Powerful Cyberweapon,” The New York Times, January 28, 2022, https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html.
[2] Antony Loewenstein, The Palestine Laboratory: How Israel Exports the Technology of Occupation around the World (London and New York: Verso, 2023), p. 59.
[3] Laurent Richard and Sandrine Rigaud, Pegasus: The Secret Technology That Threatens the End of Privacy and Democracy (London: Pan Macmillan, 2023), p. 301.
© 2024 All Rights Reserved