180 journalists identified by clients of spyware firm
Data leak and forensics suggest NSO’s surveillance tool used against journalists at some of world’s top media companies
The editor of the Financial Times is one of more than 180
editors, investigative reporters and other journalists around the world who
were selected as possible candidates for surveillance by government clients of
the surveillance firm NSO Group, the Guardian can reveal.
Roula Khalaf, who became the first female editor in the
newspaper’s history last year, was selected as a potential target throughout
2018.
Her number is included in a leaked list of mobile phone
numbers selected for possible surveillance by clients of NSO, an Israeli firm
that manufactures spyware and sells it to governments. Its principal product,
Pegasus, is capable of compromising a phone, extracting all of the data stored
on the device and activating its microphone to eavesdrop on conversations.
Other journalists who were selected as possible candidates
for surveillance by NSO’s clients work for some of the world’s most prestigious
media organisations. They include the Wall Street Journal, CNN, the New York
Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, Associated
Press, Le Monde, Bloomberg, Agence France-Presse, the Economist, Reuters and
Voice of America.
NSO has long insisted that the governments to whom it
licenses Pegasus are contractually bound to only use the powerful spying tool
to fight “serious crime and terrorism”.
Analysis of the leaked data suggests that Khalaf’s phone was
selected as a possible target by the United Arab Emirates (UAE). At the time,
Khalaf was a deputy editor at the FT. A spokesperson for the Financial Times
said: “Press freedoms are vital, and any unlawful state interference or
surveillance of journalists is unacceptable.”
The leaked records were initially accessed via Forbidden
Stories, a nonprofit journalism organisation, and Amnesty International. They
shared access with the Guardian and select other media outlets as part of the
Pegasus project, an international investigative collaboration.
A successful Pegasus infection gives NSO customers access to
all data stored on the device. An attack on a journalist could expose a
reporter’s confidential sources as well as allowing NSO’s government client to
read their chat messages, harvest their address book, listen to their calls,
track their precise movements and even record their conversations by activating
the device’s microphone.
Reporters whose numbers appear in the data range from local
freelancers, such as the Mexican journalist Cecilio Pineda Birto, who was
murdered by attackers armed with guns one month after his phone was selected,
through to prize-winning investigative reporters, editors and executives at
leading media organisations.
In addition to the UAE, detailed analysis of the data
indicates that the governments of Azerbaijan, Bahrain, Hungary, India,
Kazakhstan, Mexico, Morocco, Rwanda and Saudi Arabia all selected journalists
as possible surveillance targets.
It is not possible to know conclusively whether phones were
successfully infected with Pegasus without analysis of devices by forensic
experts. Amnesty International’s Security Lab, which can detect successful Pegasus
infections, found traces of the spyware on the mobile phones of 15 journalists
who had agreed to have their phones examined after discovering their number was
in the leaked data.
Among the journalists confirmed by analysis to have been
hacked by Pegasus were Siddharth Varadarajan and Paranjoy Guha Thakurta, a
co-founder and a reporter at the Indian news website the Wire. Thakurta was
hacked in 2018 while he was working on an investigation into how the Hindu
nationalist government of Narendra Modi was using Facebook to systematically
spread disinformation among Indian people online.
“You feel violated,” Varadarajan said of the hacking of his
device and the selection of his colleagues for targeting. “This is an
incredible intrusion and journalists should not have to deal with this. Nobody
should have to deal with this, but in particular journalists and those who are
in some way working for the public interest.”
Omar Radi, a Moroccan freelance journalist and human rights
activist who has published repeated exposés of government corruption, was
hacked by an NSO client believed to be the government of Morocco throughout
2018 and 2019.
The Moroccan government has since accused him of being a
British spy, in allegations described by Human Rights Watch as “abusing the
justice system to silence one of the few remaining critical voices in Moroccan
media”.
Saad Bendourou, a deputy head of mission at the Moroccan
embassy in France, dismissed the consortium’s findings.
“We remind you that the unfounded allegations already
published by Amnesty International and relayed by Forbidden Stories have
already been the subject of an official response by the Moroccan authorities,
who categorically denied such allegations,” he said.
Khadija Ismayilova, an award-winning Azerbaijani
investigative journalist, was also confirmed by technical analysis to have been
hacked with Pegasus in 2019. She has spent years reporting on the network of
corruption and self-enrichment that surrounds the autocratic president, Ilham
Aliyev, who has ruled his country since seizing power in 2003.
She has faced a sustained campaign of harassment and
intimidation in retaliation for her work. In 2012 intimate videos of her,
filmed using a camera installed in her apartment without her knowledge, were
published online shortly after she received a letter warning her to “behave or
be defamed”.
In 2014 she was arrested on charges of alleged tax evasion,
“illegal business” offences, and the “incitement to suicide” of a still-living
colleague. She was released from a jail sentence of seven and a half years
following an appeal, though remained subject to a travel ban as well as an
asset freeze preventing her from accessing her own bank account until recently.
Her phone was almost certainly hacked by agents of the
Aliyev regime, according to analysis of the leaked data. The same NSO customer
also selected as surveillance candidates more than 1,000 other Azerbaijani
phones, many belonging to Azerbaijani dissidents, as well two of Ismayilova’s
lawyers.
“I feel guilty for the sources who sent me [information],
thinking that some encrypted messaging ways are secure. They did it and they
didn’t know my phone was infected,” Ismayilova said.
“My family members are also victimised, people I’ve been
working with. People who told me their private secrets are victimised. It’s not
just me.”
She said she was angry with those who “produce all of these
tools and sell them to the bad guys like the Aliyev regime. It’s despicable,
it’s heinous … When the video was exposed, it was just me. Now I don’t know who
else has been exposed because of me, who else is in danger because of me.”
Comments
Post a Comment