A spyware tool licensed by the Israeli company NSO Group was used to target smartphones belonging to 37 journalists, human rights activists and other prominent figures, according to an investigation released on Sunday.
The report drew a prompt response from NSO, which claimed it was “full of wrong assumptions and uncorroborated theories”.
Conducted by the journalism non-profit Forbidden Stories and 17 media partners, the investigation was based on a list of more than 50,000 phone numbers linked to people who had allegedly been selected for possible surveillance by NSO’s clients since 2016, the group said.
Forbidden Stories said Pegasus, a software product NSO sells to government agencies, had been “widely misused” by clients to target lawyers, academics and other professionals in countries including India, Mexico and France.
A forensic analysis conducted by Amnesty International found the 37 phones had been infected or faced attempted infections by NSO spyware, according to the human rights group, which released a separate report on its methodology.
The FT was unable to independently verify the claims reported by the media consortium.
Victims of the attacks are said to include Siddharth Varadarajan, founder of the Indian news site The Wire, and Szabolcs Panyi, an investigative reporter in Hungary for the journalism non-profit Direkt36, according to Forbidden Stories.
Bill Marczak, a senior research fellow at Canadian watchdog group Citizen Lab, said it had reviewed four of the phones and confirmed with “high confidence” they had been targeted with Pegasus software. Marczak said Citizen Lab peer-reviewed Amnesty’s methodology and had found it “sound”.
The consortium partners have promised to reveal the names of others on the wider alleged surveillance list over the coming days. That list included business executives, cabinet ministers, presidents and prime ministers, according to The Guardian newspaper, one of the consortium.
An NSO spokesperson said the company would “continue to investigate all credible claims of misuse”, while denying what it claimed were “false allegations” in the Forbidden Stories report.
“NSO Group has a good reason to believe the claims that are made by the unnamed sources to Forbidden Stories are based on misleading interpretation of data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products,” the spokesperson said.
NSO has said the Pegasus software is meant to only collect mobile data on people suspected of involvement in crime and terrorism. It said its customer agreement required that products not be used to violate human rights, and it had shut down customers’ systems “multiple times in the past” due to misuse.
The investigation adds to the scrutiny of NSO, which was valued at more than $1bn in a buyout by its management team and the private equity firm Novalpina in 2019.
In December, Citizen Lab said dozens of iPhones used by reporters at Al Jazeera had been hacked using NSO spyware. NSO said the claims were based on “speculations, inaccurate assumptions and without a full command of the facts”.
Previously, the Financial Times reported that attackers had used a vulnerability in the messaging app WhatsApp to plant NSO spyware programmes on targeted phones. NSO said then that it was not involved in operating or targeting its technology, which was solely operated by intelligence and law enforcement agencies.
Roula Khalaf, the editor of the FT, was among more than 180 journalists listed as potential targets by NSO’s clients in the investigation, The Guardian reported. The NSO spokesperson said it had confirmed Khalaf “was not a Pegasus target by any of NSO’s customers”.
“Press freedoms are vital, and any unlawful State interference or surveillance of journalists is unacceptable,” an FT spokesperson said.