Two female activists in Bahrain and Jordan hacked with NSO spyware

The plight of women’s rights activists in Bahrain and Jordan is under the spotlight after new revelations that two prominent activists have been repeatedly hacked by countries using NSO Group spyware.

An investigation by the human rights group Front Line Defenders (FLD) and the non-profit digital rights group Access Now found that the mobile phones of Ebtisam al-Saegh, a Bahraini human rights defender, and Hala Ahed Deeb, who works for human rights and feminist groups in Jordan, had been hacked using NSO’s Pegasus spyware.

Both women said the findings, which were confirmed by security researchers at the University of Toronto’s Citizen Lab, looked like life-changing privacy breaches, underscoring how such attacks on women were “particularly serious” given how sensitive information could be weaponized against them.

“Since discovering that their phones were infected, they each live in a daily state of anxiety and fear. They are particularly afraid of the possibility of exposing other activists and victims they work with, and fear that their families and friends are now in danger,” FLD and Access Now said.

According to Citizen Lab’s analysis, al-Saegh’s mobile device was found to have been hacked at least eight times between August and November 2019 using NSO spyware. This followed various incidents in which al-Saegh, who works for Salam for Democracy and Human Rights, was harassed by Bahraini authorities, including being summoned to Muharraq police station, interrogated, physically and sexually assaulted, and threatened with rape if she did not stop her activism, FLD and Access Now said.

Quick guide

What does the Pegasus Project data contain?

What’s in the data leak?

The data leak is a list of more than 50,000 phone numbers which, since 2016, have allegedly been selected as those of persons of interest by government customers of the NSO Group, which sells surveillance software. The data also contains the time and date the numbers were selected or entered into a system. Forbidden Stories, a Paris-based nonprofit journalism organization, and Amnesty International initially had access to the list and shared access with 16 media organizations, including the Guardian. Over 80 journalists worked together for several months on the Pegasus Project. Amnesty’s Security Laboratory, a technical partner in the project, carried out the forensic analyses.

What does the leak indicate?

The consortium believes the data points to potential targets that NSO government clients have identified prior to possible surveillance. Although the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether an attempt was successful. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals that some targets were selected by NSO’s customers even though they could not be infected with Pegasus. However, forensic examinations of a small sample of cell phones with numbers on the list revealed strong correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did the forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of these, 23 were successfully infected and 14 showed signs of attempted penetration. For the other 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that run Android don’t log the kinds of information needed for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-related SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a University of Toronto research group specializing in studying Pegasus, which confirmed they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods and found them to be sound.

Which NSO customers were selecting numbers?

Although the data is organized into clusters, showing individual NSO customers, it does not specify which NSO customer was responsible for selecting a given number. NSO claims to sell its tools to 60 customers in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual customers in the leaked data, media partners were able to identify 10 governments believed to be responsible for target selection: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab also found evidence that the 10 were all NSO customers.

What does NSO Group say?

You can read the full statement from NSO Group here. The company has always claimed that it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium made “incorrect assumptions” about which customers use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe that the list viewed by the consortium “is not a list of numbers targeted by governments using Pegasus, but rather may be part of a larger list of numbers that could have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questioning, the lawyers said that the consortium based its conclusions “on a misleading interpretation of the data disclosed from accessible and obvious background information, such as HLR search services, which have no bearing on the target list of Pegasus customers or any other NSO products… we still see no correlation between these listings and anything related to the use of NSO Group technologies”. Following the release, they explained that they considered a phone that had either a successful or attempted (but failed) infection by Pegasus to be a “target”, and reiterated that the list of 50,000 phones was too long to represent “targets” of Pegasus. They said the fact that a number appeared on the list did not indicate whether it had been selected for surveillance using Pegasus.

What is HLR lookup data?

The term HLR, or home location register, refers to a database essential to the operation of mobile telephone networks. These registers maintain records of phone users’ networks and general locations, as well as other identifying information used regularly to route calls and text messages. Telecommunications and surveillance experts say that HLR data can sometimes be used in the first phase of a surveillance attempt, to determine if it is possible to connect to a phone. The consortium understands that NSO customers have the ability, via an interface to the Pegasus system, to conduct HLR search queries. It is unclear whether Pegasus operators are required to perform HLR lookup searches through its interface to use its software; an NSO source pointed out that its customers may have different reasons – unrelated to Pegasus – for performing HLR lookups through an NSO system.

Al-Saegh said knowing she had been hacked put her in a state of “daily fear and dread” and robbed her of a sense of security she had felt at home, as she now felt that her phone was “spying” on her at all times.

“Home was the only safe space for me, a place of personal freedom where I could remove the veil and exercise my religious and social freedoms without limits,” she said in a statement shared by FLD. “Fear has limited my work. I am constantly anxious and afraid that I have put others in danger because of their contact with me.”

When successfully deployed against a mobile phone, Pegasus can intercept a mobile user’s messages and photos, track their location, and turn the phone into a remote listening device.

NSO said its software is licensed for use by client countries against suspected terrorists and other serious criminals, and that it investigates credible allegations of abuse by its clients.

An NSO spokesperson said: “We cannot directly comment on a report we have not seen, nor investigate based on names received in a press enquiry.”

The spokesperson added: “NSO’s strong position on these issues is that the use of cyber tools to monitor dissidents, activists and journalists, regardless of gender, is a serious misuse of any technology and goes against the desired use of these critical tools. The international community should have a zero tolerance policy towards such acts, so global regulation is needed. NSO has proven in the past that it has a zero tolerance for these types of abuse, by terminating multiple contracts.”

The discovery of spyware on the phones of the two activists follows multiple reports from other activists and journalists who have been targeted in the past, including deceased Emirati activist Alaa Al-Siddiq and Al Jazeera journalist Ghada Oueiss.

Researchers confirmed that Deeb’s mobile device was infected with Pegasus in March 2021. Deeb said the hack made her feel “violated, naked and without dignity”.

“I have often said that I have nothing to hide, but I have realized that privacy in itself is my right,” she said in a statement shared by FLD.

She added: “I don’t communicate with my friends and I avoid talking on the phone as much as possible. I practice a kind of self-censorship sometimes when I wonder what behaviors would provoke those who hacked my phone?”
