Spyware hijacks smartphones, threatens journalists around the world

October 2, 2018
Guillaume Gbato (left), Secretary General of a major press syndicate in Côte d'Ivoire (SYNAPP-CI), with Ivorian journalist Abraham Kouassi (right) during CPJ's visit to Abidjan, May 16, 2018. Photo: CPJ/Jonathan Rozen.

In May 2016, the Mexican investigative journalist Sebastián Barragán was working on an explosive story. An anonymous source had sent Aristegui Noticias, the investigative outlet where he worked, a grainy video that appeared to show a scene of brutal torture: in it, a group of police officers surround a man handcuffed to a chair; they strike him over and over again, and pull a plastic bag over his head. One of the men in the video is wearing a jacket with the letters PGJEM, the Prosecutor General for the State of Mexico, a state that surrounds Mexico City like a horseshoe. Barragán called the PGJEM and the Mexican Attorney General’s (PGR) office for comment. A few hours later, Barragán was sent an odd text message that read, “I have credible evidence against public servants”; underneath, there was a link. Researchers at the Canada-based digital rights group Citizen Lab would later analyze that link and discover it was engineered to infect Barragán’s phone with Pegasus, an advanced spyware tool that can hijack the microphones and cameras on any smartphone, and slurp up contacts and correspondence. In Barragán’s mind it was clear what had just happened: “The Mexican government wanted to hack me,” Barragán told me recently.

His suspicions were all but confirmed a year later when leaked government documents revealed a $32 million contract between the Mexican Attorney General’s office and a local intermediary for the NSO Group, the Israeli company that sells Pegasus to law enforcement agencies.

The attack against Barragán isn’t an isolated incident. Earlier this month, Citizen Lab published a report that found traces of Pegasus in over 45 countries, including a number of places where the government is known to aggressively prosecute reporters, such as Turkey and Kazakhstan. The threat this poses to journalists can’t be overstated: A Pegasus operator can quietly transform a cellphone into a surveillance hub, tracking the reporter’s movements, identifying sources, even potentially impersonating that journalist in the digital world. Given the global nature of the threat, this past week the Committee to Protect Journalists issued a security advisory, its first ever on Pegasus, to alert journalists everywhere that they could be targeted in a manner similar to Barragán.

Citizen Lab has been tracking Pegasus—which the NSO Group says is intended for legitimate anti-terror and law enforcement activities—for years. It was first detected on the phone of Ahmed Mansoor, a human rights activist in the United Arab Emirates, in 2016. “It was more sophisticated than anything I’d ever seen before,” Bill Marczak, the Citizen Lab researcher who first identified Pegasus on Mansoor’s phone, told me recently. Researchers knew about spyware that could siphon off some private data from cell phones, but Pegasus took things further: It could completely take over a phone remotely, without the owner knowing, and without leaving any trace besides a text message.


Pegasus operators stage their attacks from publicly accessible websites. Targets are sent text messages with links to those domains, and if they click, their phones begin secretly running software that turns over control to the Pegasus operator. The new Citizen Lab report tracks the likely location of these attacks by scanning the internet for evidence of the NSO infrastructure; it does not identify the human targets of the attacks themselves, since that would require the analysis of a specific text message or targeted phone. It only hints at where such attacks may be taking place. So far, nobody knows how many journalists may have been impacted.


Journalists living in countries where infections were detected are on alert. In the Ivory Coast, for example, Anderson Diédri, a reporter who contributed to the West Africa Leaks, an international corruption investigation, says that Pegasus’s presence in the country would constitute an “unacceptable threat to the freedom of the press, especially investigative journalism.” But, given the secretive nature of the technology, he can’t be sure what to expect. “If it is confirmed that Ivorian citizens or all those who live in the country are targeted or put under surveillance, this situation would be extremely serious,” he says. Farida Nabourema, a human rights activist from Togo, another country where Citizen Lab found evidence of Pegasus, says the news fits into a larger pattern of abuse by a government often intolerant of dissent: “They [the government] noticed that technology is being used today by activists to fight,” she says, so “they decided to invest in surveillance in order to track activities of opponents.” According to the Citizen Lab report, the suspected infections in the Ivory Coast seem to be linked to a much larger campaign of spying across North Africa, whereas the suspected infections in Togo suggested an operator who was only spying in Togo.

Mexico has been ground zero for Pegasus’s deployment against journalists. At least six reporters have been targeted there, according to exhaustive research by both Citizen Lab and the Mexican digital rights group R3D. Those attacks coincided with major journalistic investigations that challenged the Mexican government. For example, three reporters who were targeted worked on the “Casa Blanca Scandal,” a major story exposing how Mexico’s first lady was given a mansion by a government contractor who later received lucrative contracts. Mexican television journalist Carlos Loret de Mola was targeted while he was reporting on extrajudicial killings. Although three Mexican federal agencies have access to Pegasus, the government has denied it ever launched any attacks on reporters.

Journalists are particularly vulnerable to Pegasus, which is advertised by NSO to target terrorists, human traffickers, and other criminals. The text messages sometimes mimic the language of a whistleblower or source. Luckily for Barragán, when he received the text messages, he was suspicious and didn’t click. He was on alert, because some of his colleagues had already been attacked. Rafael Cabrera, an investigative reporter who has also been a thorn in the side of the Mexican government, was barraged with seven different links in 2015 and 2016—some imitating news articles, others mentioning his sex life. At the time, he had no idea they were spyware attacks. In August of 2015 he received a series of urgent text messages warning that he could be arrested for his reporting on the Mexican president: “I thought: what the fuck?” he recalls. And then he clicked, possibly exposing his phone to Pegasus.

Cabrera’s not sure if the government was after his sources, trying to track his movements, or attempting to siphon private information to blackmail him. “I expect that someday I might wake up and embarrassing information will be all over the internet,” he tells me. “I don’t know what they’ll do—but I’m preparing myself.” It’s not an unreasonable fear: Another possible victim of Pegasus in Mexico, the prominent human rights lawyer Jorge Santiago, had his phone calls recorded, edited together in a misleading fashion, and leaked on Facebook in an attempt to discredit him.

Danya Centeno, a lawyer with the Mexican digital rights organization R3D, says the Pegasus attacks have had a chilling effect, raising the risks for reporters who may want to do hard-hitting stories on the Mexican state. The Mexican government has launched an internal investigation into its own use of Pegasus, overseen by the Attorney General’s Office—the very entity that bought the tools to begin with. “The investigation is bullshit,” Cabrera says.

Despite its potentially shady application, selling Pegasus to governments seems to be quite profitable. NSO Group, the company that makes Pegasus, was acquired by the American private equity firm Francisco Partners for $110 million in 2014; last year, it was valued at nearly a billion dollars. Pegasus is expensive to implement and operate: copies of its price list obtained by The New York Times in 2016 show NSO charges $650,000 for 10 targets, on top of a $500,000 initial fee. “Repressive governments are willing to spend large sums of money to ensure there is no political change in their countries,” Marczak explains. This past summer both Goldman Sachs and the Blackstone Group announced investments in Francisco Partners, the firm that has had a controlling stake in NSO since 2014, and has presided over both its explosion in value and the deployment of its spyware against journalists and human rights defenders. (Francisco Partners did not respond to requests for comment. The NSO Group provided a statement similar to that given to Citizen Lab, and would not clarify how it handled the Mexican case.)

Still, the scope of the company’s maneuvers remains opaque. NSO Group insists its products are not intended to be used against journalists and human rights defenders—and that it will yank licenses from errant users. In a statement given to Citizen Lab on September 18, it explained that its products are “only licensed to operate in countries approved under our Business Ethics Framework,” though it didn’t explain what that framework is. Just a month before NSO issued that statement, however, Amnesty International detected what appeared to be NSO-powered attacks on human rights workers in Saudi Arabia.

Marczak, with Citizen Lab, estimates there have been thousands of attacks yet to be discovered. For journalists and advocacy groups trying to defend against devastating hacks, there are many troubling unanswered questions about the technology’s global application: Exactly which governments have bought Pegasus? Who has it been deployed against on the ground? How many of those targets are legitimate law enforcement targets, and how often are reporters like Barragán and Cabrera attacked?

So far, the evidence is piecemeal—and it’s not reassuring. A new lawsuit filed against NSO Group last month in Israeli court provides a disturbing, if limited, window into how the technology is being used globally. Copies of emails included in the suit show intelligence officials in the UAE and an NSO affiliate, a company called Circles, coordinating a step-by-step attack against two journalists, the Saudi Arabian editor Abdulaziz Alkhamis and the Qatari editor Abdullah Al-Athbah. The Circles employee directly sent the UAE government official an audio recording of Alkhamis’s phone calls, apparently intercepted, as part of a sales pitch for a software upgrade (Alkhamis told me he didn’t want to discuss the incident, on advice of his lawyer). Abdullah Al-Athbah, who was alerted to the presence of the spyware on his phone by a source who leaked him documents, smashed his SIM card with a hammer when he found out. “I needed to protect my sources,” he told the AP.

The way Pegasus operates, it’s incredibly difficult for individual journalists to know if they’ve been infected. The links that carry the infection appear to redirect users to nondescript websites—even while they secretly load the malicious code—and there’s no easy way to scan a device after an infection has taken place. “99 percent of victims don’t know and have no way to know,” explains Mazen al-Masri, a lawyer in London who is working on the lawsuit against the NSO Group in Israel. For example: The Citizen Lab report identified a high concentration of potential attacks linked to Turkey, the world’s worst jailer of journalists. But there are no publicly known cases of journalists being infected with Pegasus there. Alp Toker, a Turkish digital rights activist and the founder of TurkeyBlocks, says he’s aware of instances in which major reporters in Turkey have been sent links that resemble a Pegasus attack, but they haven’t been formally analyzed. “There are indications,” he says, “but no smoking gun.”

For journalists around the world, seeing their countries named in the Citizen Lab report can provoke a sense of fear—and of helplessness: “I feel very concerned,” says Guillaume Gbato, a reporter in the Ivory Coast, where Citizen Lab detected a potential Pegasus infection. Gbato often covers sensitive national security issues for the newspaper Notre Voie, and is the Secretary General of the country’s press syndicate. “I’m afraid for the safety of those I talk to—especially my sources,” he says. “If journalists and their sources are realizing that they can be listened to without their knowledge, freedom of the press would be emptied of its contents.”

Jonathan Rozen contributed reporting.


Avi Asher-Schapiro is a former staffer at VICE News, International Business Times, and Tribune Media, and an independent investigative reporter who has published in outlets including The Atlantic, The Intercept, and The New York Times.