A major Israeli cyber-surveillance company, NSO Group, came under heightened scrutiny Sunday after an international alliance of news outlets reported that governments used its software to target journalists, dissidents and opposition politicians.
The Israeli government also faced renewed international pressure for allowing the company to do business with authoritarian regimes that use the spyware for purposes that go far afield of the company’s stated aim: targeting terrorists and criminals.
NSO strongly denied the claims.
NSO has attracted scrutiny since 2016, when the company’s software was said to be used against a rights activist in the United Arab Emirates and a journalist in Mexico. Since then, The New York Times has reported that the software was deployed against journalists, rights campaigners and policymakers in Mexico and Saudi Arabia. The new reports that appeared Sunday suggest that the firm’s software has been used against more people in more countries than had previously been reported.
Among other actions, the company is said to have sold a sophisticated surveillance application known as Pegasus that the journalism consortium said appears to have been used to attempt to hack at least 37 smartphones owned by journalists from countries that include Azerbaijan, France, Hungary, India and Morocco. Separately, a person familiar with NSO contracts told The Times that NSO systems were sold to the governments of Azerbaijan, Bahrain, India, Mexico, Morocco, Saudi Arabia and the U.A.E.
The allegations may escalate concerns that the Israeli government has abetted government abuses by granting NSO an export license to sell software to countries that use it to suppress dissent.
The accounts, published by The Washington Post and an alliance of 16 other international news outlets, follow recent reporting by The Times that Israel permitted NSO to do business with Saudi Arabia, and encouraged it to keep doing so even after the Saudi government was implicated in the 2018 assassination of a Saudi journalist and dissident, Jamal Khashoggi.
In a statement, NSO said: “We firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”
The Israeli prime minister’s office declined to comment, and the Israeli Defense Ministry said it had not been given enough to time to respond to a request for comment. The ministry has previously said it would revoke export licenses granted to any Israeli company that sold software that contravened the terms of the license, “especially after any violation of human rights.”
The new accusations heightened concerns among privacy activists that no smartphone user — even those using software like WhatsApp or Signal — is safe from governments and anyone else with the right cyber-surveillance tech.
Activists say that without access to surveillance-free communications, journalists will no longer be able to contact sources without fear of exposing them to government retaliation. And rights campaigners will be unable to freely communicate with victims of state-led abuses.
“Stop what you’re doing and read this,” tweeted Edward Snowden, the whistle-blower who leaked large numbers of classified information from the National Security Agency in 2013. “This leak is going to be the story of the year.”
The journalist consortium linked NSO to a leaked list of more than 50,000 mobile numbers from more than 50 countries that it said appeared to be proposed surveillance targets for the company’s clients. The alliance said the list contained the numbers of hundreds of journalists, media proprietors, government leaders, opposition politicians, political dissidents, academics and rights campaigners.
The list was first obtained by Amnesty International, the human rights watchdog, and Forbidden Stories, a group that focuses on free speech. They then shared the list with the journalists.
The consortium said the numbers on the list include those of the editor of The Financial Times, Roula Khalaf; people close to Mr. Khashoggi; a Mexican reporter who was gunned down on the street, Cecilio Pineda Birto; and journalists from CNN, The Associated Press, The Wall Street Journal, Bloomberg News and The New York Times.
In a statement posted on its website, NSO said the list of numbers had not come from its database. “Such data never existed on any of our servers,” the statement said.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the statement continued. “We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry.”
In an interview, the firm’s chief executive and founder, Shalev Hulio, said he had first been made aware of the list in June, when four separate people told him that hackers were attempting to sell a list supposedly stolen from the company’s servers.
Mr. Hulio said that NSO did not have any active servers from which such data could be stolen, and that from the moment he saw the list, he realized that it was “not a list of targets attacked by Pegasus, or something born out of Pegasus’ system or any other NSO product.” He said the list appeared to have been produced by users of a separate app called HLR LookUp.
Calling the consortium story “flimsy from the start,” Mr. Hulio took issues with the claims made about the list of phone numbers.
“This is like opening up the white pages, choosing 50,000 numbers and drawing some conclusion from it,” he said.
The Times journalists whose numbers are said to be on the leaked list include Azam Ahmed, a former Mexico City bureau chief who has reported widely on corruption, violence and surveillance in Latin America, including on NSO itself; and Ben Hubbard, The Times’s bureau chief in Beirut, who has investigated rights abuses and corruption in Saudi Arabia and wrote a recent biography of the Saudi crown prince, Mohammed bin Salman.
In January 2020, Mr. Hubbard published an account of a hacking attempt against his own phone. Mr. Hulio denied Mr. Hubbard’s phone was attacked by Pegasus, and suggested he was the target of a product made by a rival Israeli tech firm.
Michael Slackman, The Times’s assistant managing editor for international news, said: “Azam Ahmed and Ben Hubbard are talented journalists who have done important work uncovering information that governments did not want their citizens to know. Surveilling reporters is designed to intimidate not only those journalists but their sources, which should be of concern to everyone.”
With Nicole Perlroth, Mr. Ahmed helped lead Times reporting about how the Mexican government used the Pegasus application against some of the country’s most prominent journalists, democracy advocates, corruption fighters and lawyers — and later against international investigators brought into the country to investigate the tragic disappearance of dozens of students, as well as relatives of the Mexican government’s own inner circle after they began challenging government corruption. Tomás Zerón, who ran the Mexican F.B.I. and was involved in purchasing the spy systems for the country, is now wanted in Mexico for offenses related to the investigation and has found refuge in Israel.
The Times has also reported that Pegasus was deployed in Mexico in 2017 against policymakers and nutrition activists pushing for a soda tax in a country with serious health problems related to soda consumption, as well as the political adversaries of top Emirati officials.
Analysts from Amnesty International looked at 67 smartphones associated with numbers on its leaked list and concluded that 24 had been infected by Pegasus, and that 13 more had been targeted. Tests on the remaining 30 proved inconclusive, the consortium said.
Two of the targeted phones were owned by Szabolcs Panyi and Andras Szabo, investigative reporters in Hungary who regularly cover government corruption. Another belonged to Hatice Cengiz, the fiancée of Mr. Khashoggi, whose phone was penetrated in the days after his murder.
Pegasus can allow spies to gain access to an infected phone’s hard drive and view photos, videos, emails and texts, even on applications that offer encrypted communication. The software can also let spies record conversations made on or near a phone, use its cameras and locate the whereabouts of its users.