Senior government officials around the world – including individuals in high national security positions who are “allies of the US” – were targeted by governments with NSO Group spyware in a 2019 attack against 1,400 WhatsApp users, according to the messaging app’s chief executive.
Will Cathcart disclosed the new details about individuals who were targeted in the attack after revelations this week by the Pegasus project, a collaboration of 17 media organisations which investigated NSO, the Israeli company that sells its powerful surveillance software to government clients around the world.
Cathcart said that he saw parallels between the attack against WhatsApp users in 2019 – which is now the subject of a lawsuit brought by WhatsApp against NSO – and reports about a massive data leak that are at the centre of the Pegasus project.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
The leak contained tens of thousands of phone numbers of individuals who are believed to have been selected as candidates for possible surveillance by clients of NSO, including heads of state such as the French president, Emmanuel Macron, government ministers, diplomats, activists, journalists, human rights defenders, and lawyers.
It includes some people whose phones showed infection or traces of NSO’s Pegasus spyware, according to examinations of a sample of the devices conducted by Amnesty International’s security lab.
“The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then,” Cathcart said in an interview with the Guardian. In addition to the “senior government officials”, WhatsApp found that journalists and human rights activists were targeted in the 2019 attack against its users. Many of the targets in the WhatsApp case, he said, had “no business being under surveillance in any way, shape, or form”.
“This should be a wake up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.”
When NSO’s Pegasus spyware infects a phone, government clients who use it can gain access to an individual’s phone conversations, messages, photos and location, as well as turn the phone into a portable listening device by manipulating its recorder.
The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
The appearance of a number on the leaked list that was accessed by the Pegasus project does not mean it was subject to an attempted or successful hack. NSO said Macron was not a “target” of any of its customers, meaning the company denies there was any attempted or successful Pegasus infection of his phone.
NSO has also said the data has “no relevance” to the company, and has rejected the reporting by the Pegasus project as “full of wrong assumptions and uncorroborated theories”. It denied that the leaked data represented those targeted for surveillance by the Pegasus software. NSO has called the 50,000 number exaggerated and said it was too large to represent individuals targeted by Pegasus.
But Cathcart questioned NSO’s claim that the figure was in itself “exaggerated”, saying that WhatsApp had recorded an attack against 1,400 users over a two-week period in 2019.
“That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” he said. “That’s why we felt it was so important to raise the concern around this.”
When WhatsApp says it believes its users were “targeted”, it means the company has evidence that an NSO server attempted to install malware on a user’s device.
NSO has declined to give specific details about its customers and the people they target. However, a source has claimed the average number of annual targets per customer was 112.
When WhatsApp announced two years ago that users had been targeted by the NSO malware, it said it had found that about 100 of 1,400 targets were members of civil society – journalists, human rights defenders and activists. The users were targeted through a WhatsApp vulnerability that was later fixed.
Cathcart said he had discussed the 2019 attacks against WhatsApp users with governments all around the world. He praised recent moves by Microsoft and others in the technology industry who are speaking out about the dangers of malware, and called on Apple – whose phones are vulnerable to malware infections – to adopt their approach.
“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’,” he said.
“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure.”
He also called on governments to help create accountability for spyware makers.
“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this. Should they stop? Should there be a discussion about which governments were paying for this software?”
WhatsApp launched its lawsuit against NSO in late 2019, claiming that the Israeli company was responsible for sending malware to WhatsApp users phones. A judge in the case pointed out that the underlying facts in the case – that malicious code owned by NSO was sent through WhatsApp’s service – did not appear to be disputed. Instead, the lawsuit has revolved around whether NSO’s “sovereign customers” were to blame, or the company itself.
NSO has argued that it ought to be immune to the suit because its clients are foreign governments. It has said its clients are contractually obliged to use Pegasus to target criminals and that it investigates allegations of abuse. It said it has no insight into how government clients use the spyware or who they target, unless the company requests an investigation into allegations of wrongdoing.
An NSO spokesperson said: “We are doing our best to help creating a safer world. Does Mr Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”