Saudis behind NSO spyware attack on Jamal Khashoggi’s

Forensic analysis shows phones of those close to journalist were targeted before and after he was murdered

In the wake of the brutal murder of the journalist Jamal Khashoggi, the NSO Group emphatically denied that its government clients had used its hacking malware to target the journalist or his family.

“I can tell you very clear. We had nothing to do with this horrible murder,” Shalev Hulio, the chief executive of the Israeli surveillance firm, told the US TV news programme 60 Minutes in March 2019. It was six months after Khashoggi, a Washington Post columnist, was killed in Turkey by assassins dispatched by Saudi Arabia, a client of NSO.

Now a joint investigation by the Guardian and other media, based on leaked data and forensic analysis of phones, has uncovered new evidence that the company’s spyware was used to try and monitor people close to Khashoggi both before and after his death.

In one case, a person in Khashoggi’s inner circle was hacked four days after his murder, according to peer-reviewed forensic analysis of her device.

The investigation points to an apparent attempt by Saudi Arabia and its close ally the United Arab Emirates to leverage NSO’s spy technology after Khashoggi’s death to monitor his associates and the Turkish murder investigation, even going so far as to select the phone of Istanbul’s chief prosecutor for potential surveillance.

Khashoggi was killed and dismembered at the Saudi consulate in Istanbul in October 2018. While the investigation mostly points to Khashoggi’s close associates being targeted in the months after the murder, it also identified evidence suggesting that an NSO client targeted the phone of his wife, Hanan Elatr, several months before his death, between November 2017 and April 2018.

The client appears to have used NSO’s spyware, Pegasus, which can transform a phone into a surveillance device, with microphones and cameras activated without a user knowing.

A forensic examination of Elatr’s Android phone found that she was sent four text messages that contained malicious links connected to Pegasus. The analysis indicated the targeting came from the United Arab Emirates, a Saudi ally. However, the examination did not confirm whether the device had been successfully infected.

“Jamal warned me before that this might happen,” Elatr said. “It makes me believe they are aware of everything that happened to Jamal through me.” She added that she was concerned his conversations with fellow dissidents might have been monitored through her phone. “I kept my phone on the tea table [in their Virginia home] while Jamal was talking to a Saudi guy twice a week.”

Elatr’s number was also contained in a leak of numbers that were selected by clients of NSO as candidates for possible surveillance. Access to the leak was shared with the Guardian and other media by Forbidden Stories, a nonprofit organisation, as part of a collaborative investigation called the Pegasus project. Examination of phones was done by Amnesty International’s Security Lab, a technical partner on the Pegasus project.

US intelligence agencies have already concluded that the Saudi crown prince, Mohammed bin Salman, was responsible for ordering the murder of Khashoggi, a former Saudi government insider whose criticism of the kingdom’s regime in the pages of the Washington Post was seen as a threat to the Saudi heir.

A team of Saudi agents killed Khashoggi inside the Saudi consulate in Istanbul during his visit there to pick up documents he needed to get married to his fiancee, Hatice Cengiz, who later became an outspoken advocate for accountability over his murder.