Calls mount for further investigation into the Israeli company, the NSO Group, after it was learned that Pegasus, a spyware sold by the firm to “authoritarian governments,” was used to spy and gather information on more than 50,000 journalists and activists according to an investigation into a massive data leak by 17 media outlets.

The investigation lists targets of surveillance in over 50 countries. The governments of Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates were among the ones using the spyware.

The Guardian, one of the news media sites participating in the investigation, stated that the mention of phone numbers in the leaked data does not necessarily mean that the associated devices were hacked. 

The targets included journalists for media organizations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America, according to the Guardian’s report. 

Suspected infections by NSO Group's Pegasus spyware.
An earlier report on Pegasus software data breaches highlights the targeted areas. (Citizen Labs 2018 report)

An International Outcry

Two targets of the software were the wife of the murdered Saudi columnist Jamal Khashoggi, Hanan Elatr, who was targeted six months before he was killed, and his fiancée, Hatice Cengiz.

“I am deeply shocked that I have been targeted while I was in such pain waiting to find out what had happened to Jamal. This was the worst time of my life and yet the killers were spying on me. They have no shame. They must be brought to justice,” Cengiz posted on Twitter.

This massive investigation was coordinated by the Paris-based journalism nonprofit Forbidden Stories. Amnesty International’s Security Lab provided technical support.

Amnesty International said the spying and data breach by the Pegasus software highlights the need for limits on this technology. 

“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling the public narrative, resisting scrutiny, and suppressing any dissenting voice,” said Amnesty International secretary-general Agnes Callamard.

“These revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations,” Callamard added.

NSO Group Strongly Denies Allegations

The NSO Group said in a statement that the Pegasus software is intended only for use by government intelligence and law enforcement agencies to fight terrorism and crime.

The company’s released statement denied the reporting by Forbidden Stories and that Pegasus software was used in the Khashoggi murder.

“The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality,” the company said in the statement.

“After checking their claims, we firmly deny the false allegations made in their report,” the statement added.

Pegasus Is Silent and Pervasive

This isn’t the first time that Pegasus has been in the news. In 2016, 2018, and 2019, journalists and activists received messages from their WhatsApp platform informing them that Pegasus had compromised their phones.

How Pegasus works is easy. A malicious link is sent to the user and if they click on it Pegasus is installed on the targeted phone. In most cases, the user has no idea that their phone (either iPhones or Androids) has been hacked.

Pegasus can read messages, track calls, user activity within apps, gather location data, access a phone’s video cameras, or listen through its microphone. It can even access secure chat messaging systems like WhatsApp or Signal.  

This wasn’t random spying. Rather, the affected individuals were specifically targeted as NSO Group charges a hefty price of some millions for the software and only sells it to governments.