NSO Group's Pegasus spyware used to target journalists, activists around the world

Forensic analysis has confirmed the targeting of 37 phones

Pegasus spyware, which is sold by the Israeli surveillance firm NSO Group, may have been used to snoop on more than 1,000 journalists, rights activists, and other prominent individuals from about 50 countries, according to Paris-based non-profit organisation Forbidden Stories and Amnesty International.

The allegations are based on a list of 50,000 phone numbers of potential targets that are believed to be of interest to the clients of the NSO Group.

Amnesty International and Forbidden Stories, which first accessed the list, shared it with seventeen international media outlets, including The Washington Post, The Guardian and Le Monde, as part of a collaborative investigation.

It was unclear where the list came from or exactly how many devices were compromised, although forensic analysis of 37 phones showed that there had been "attempted and successful" hacks

Media reports also claimed that nearly 1,000 people have been identified so far from the list.

The majority of phone numbers present in the list are from 10 countries: Mexico, Saudi Arabia, the United Arab Emirates, India, Bahrain, Azerbaijan, Hungary, Kazakhstan, Morocco, and Rwanda. Mexico topped the list with 15,000 numbers.

The database includes phone numbers of activists, journalists, business executives, politicians, the heads of state, the members of the Qatari royal family, and 180 journalists, including from the New York Times, the FT, CNN and Al Jazeera.

The Washington Post reported that murdered Saudi journalist Jamal Khashoggi's wife's phone was targeted using Pegasus between September 2017 and April 2018, while his fiancé's phone was infected a few days after his death.

Pegasus spyware, which is reportedly sold to governments around the world, can be used to snoop on iPhones and Android-based devices.

After infecting a device, the spyware allows operators to record calls, exfiltrate emails, photos, and messages, and activate cameras/microphones.

NSO denies any wrongdoing, saying its software helps law enforcement agencies to tackle terrorists and criminals and is sold only to countries with good human rights records.

In a statement to the Washington Post, the company described the investigation's findings as exaggerated and baseless.

It also said that it "has no insight" into their specific intelligence activities.

"The company cares about journalists and activists and civil society in general," NSO CEO Shalev Hulio said.

"We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO's] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system."

Hulio also said that the NSO had terminated two contracts in the past 12 months over allegations of human rights abuses.

Pegasus has been linked to phone surveillance before.

In 2019, Facebook filed a lawsuit against the NSO Group, alleging that its Pegasus spyware exploited a security flaw in WhatsApp to hack into the mobile phones of hundreds of government officials, journalists, attorneys, and human rights activists in multiple countries to keep an eye on their activities.

The researchers who discovered the security incident said the attackers just needed to ring targets' phones to install the Pegasus surveillance tool.

The spyware was installed even if users didn't respond to an attacker's phone calls.

Moreover, such calls disappeared from the call logs after some time.