Spyware made by the Israeli company NSO Group has been used far more extensively than previously known to target journalists and human rights defenders around the world.

This raises the question of why Israel, the state actor without which NSO Group would not exist and could not operate, is not being held accountable.

The extent of the spying has come to light thanks to a major investigation spearheaded by the global reporting consortium Forbidden Stories and the human rights group Amnesty International.

“An unprecedented leak of more than 50,000 phone numbers selected for surveillance by the customers of the Israeli company NSO Group shows how this technology has been systematically abused for years,” according to Forbidden Stories.

The spyware, called Pegasus, can be installed remotely on a targeted person’s smartphone without requiring them to take any action such as clicking on a link or answering a call.

“Once installed, it allows clients to take complete control of the device, including accessing messages from encrypted messaging apps like WhatsApp and Signal, and turning on the microphone and camera,” Forbidden Stories states.

Pegasus is supposedly only sold to governments for use in legitimate law enforcement purposes.

But according to Forbidden Stories, “contrary to what NSO Group has claimed for many years, including in a recent transparency report, this spyware has been widely misused.”

Among those selected for targeting with Pegasus are at least 180 journalists in countries including India, Mexico, Hungary, Morocco, France, Spain, the United Kingdom, Egypt, Lebanon and the United Arab Emirates.

Other potential targets include human rights defenders, academics, lawyers, trade unionists, doctors, politicians and even heads of state.

Forbidden Stories says it is impossible to know if any of the 50,000 phone numbers on the list it obtained were successfully targeted unless the actual device associated with a number is examined.

Amnesty International’s Security Lab performed forensic examinations on the phones of more than a dozen journalists and nearly 70 phones in total, “revealing successful infections through a security flaw in iPhones as recently as this month,” Forbidden Stories states.

“This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware,” Amnesty states.

Prior to the latest revelations, the use of Pegasus was already linked to the 2018 murder of Washington Post columnist Jamal Khashoggi inside the Saudi Arabian consulate in Istanbul.

Following the Khashoggi murder, NSO Group’s damage control efforts included hiring well-connected former Obama administration officials Juliette Kayyem, who worked in the US Department of Homeland Security, and Daniel Shapiro, who served as US ambassador to Israel.

The new investigations reveal that Rodney Dixon, a prominent UK-based human rights lawyer, was selected for targeting by Pegasus in 2019, but examination of his device found no successful infection.

Dixon has represented a British man jailed in the United Arab Emirates, the Gulf dictatorship closely allied with Israel and long known to be a Pegasus user.

Dixon has also represented Hatice Cengiz, who was engaged to Khashoggi. Forensic examination found that Cengiz’s own phone was targeted and actually infected.

Dixon is also a lawyer for victims of Israel’s 2010 attack on the ship Mavi Marmara who have been attempting to obtain justice at the International Criminal Court.

The new revelations about NSO Group are receiving widespread media coverage, though the Israeli role, specifically that of its government, is being downplayed by key English-language members of the Forbidden Stories consortium.

The Guardian’s leading article on the subject makes no reference to Israel in its headline, and only one mention in the article itself, describing NSO Group as an Israeli company.

The Washington Post does marginally better with the headline, “Private Israeli spyware used to hack cellphones of journalists, activists worldwide.”

But this emphasis on “private” obscures how the Israeli government is central to NSO Group’s existence and ongoing nefarious activities.

Buried 35 paragraphs deep in the Post article is the acknowledgment that “Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills.”

“The Israeli defense ministry must approve any license to a government that wants to buy it, according to previous NSO statements,” the Post adds.

The Israeli government’s role in licensing NSO Group’s sales does not appear to be merely a passive process of issuing approvals. Rather, Israel sees these firms as extensions of its reach as it fosters ties with governments across the region.

Citing an Israeli official and company sources, The New York Times, reported this week that the Israeli government “encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses.”

Last year, an Israeli court rejected an attempt by Amnesty International to force the Israeli government to revoke NSO Group’s export license.

Amnesty called it a “disgraceful ruling” and a “a cruel blow to people put at risk around the world by NSO Group selling its products to notorious human rights abusers.”

To its credit, The New York Times – which was not part of the Forbidden Stories consortium – emphasizes that the latest revelations “may escalate concerns that the Israeli government has abetted government abuses by granting NSO an export license to sell software to countries that use it to suppress dissent.”

Previously, The New York Times has reported that Pegasus was largely developed by veterans of Unit 8200.

Unit 8200 is the Israeli military’s cyberwarfare division that has been directly responsible for massive surveillance and human rights abuses of Palestinians living under Israeli military occupation.

Undoubtedly, spying technologies now being used against human rights defenders worldwide were developed and tested on a captive Palestinian population.

Contrast the relative silence about the Israeli government’s direct and undisputed role in the nefarious activities of NSO Group with Western governments’ latest campaign against China.

On Monday, the Biden administration accused China’s government of hacking Microsoft email systems used by corporations and government entities around the world.

A White House statement attributed these malicious cyber attacks to the Chinese government “with a high degree of confidence” – intelligence agency code for the US having no solid evidence.

Canada also echoed the US accusations against Chinese “state-backed actors,” but a statement from the foreign ministry in Ottawa is peppered with mealy mouthed words – “Canada is confident …” “Canada believes it is highly likely …” – indicating that these are accusations, not incontrovertible facts.

Indeed, this lack of evidence is confirmed by the European Union’s statement, which is even more vague about who might be responsible for the alleged Microsoft hacks.

In contrast to its American and Canadian allies, the EU does not directly accuse China or Chinese “state-backed actors,” but only claims that “the EU and its member states assess these malicious cyber activities to have been undertaken from the territory of China.”

Given that human rights defenders and journalists in several EU member states have been targeted or selected for targeting by Pegasus, The Electronic Intifada asked the EU’s foreign policy spokesperson whether the bloc was concerned about malicious cyber activity emanating from Israel, a state with which it is closely allied.

The 187-word response from the EU spokesperson for foreign affairs and security policy did not mention Israel at all.

“National intelligence service matters are a national competence and it is for national authorities to oversee their own services,” the EU said.

That is a clear indication that the EU has no intention whatsoever of looking into how Hungarian Prime Minister Viktor Orban is reportedly using the Israeli spyware against critics and journalists in an EU member state.

“Surveillance technologies, where used ethically and in accordance with law, can be effective law enforcement tools,” the EU added in an apparent endorsement of the malware in question.

The bloc did acknowledge however that “increasing reports of abuses and human rights violations are reported due to the use of digital surveillance tools,” especially against journalists and human rights defenders.

The EU called on states to “implement legislation and safeguards to protect people from unlawful or unnecessary surveillance, including any arbitrary or mass surveillance.”

It also said it would use “all our political tools, including human rights dialogues, to keep raising concerns over the unlawful use of surveillance technologies.”

That’s a toothless promise given the EU’s total silence about Israel, a major state actor enabling such abuses all around the world and within the EU itself.

As of now, NSO Group is scheduled to take part in a Paris “homeland security” exhibition later this year. The Milipol exhibition is sponsored by the French government.


Cover Photograph: Hatice Cengiz, left, who was engaged to murdered Saudi columnist Jamal Khashoggi, was targeted with powerful spyware made by NSO Group, a firm backed by Israel’s government. (Martijn Beekman /Netherlands Ministry of Foreign Affairs)

Electronic Intifada