Data linked to mobile devices used by world leaders including French president Emmanuel Macron appears on a list of 50,000 alleged targets of illicit government surveillance, according to new reporting in an unfolding spyware scandal uncovered by media non-profit Forbidden Stories and human rights charity Amnesty International.
The UK’s Guardian newspaper has now reported that the list of telephone numbers includes data linked to other world leaders including South African president Cyril Ramaphosa, Pakistani prime minister Imran Khan and former Mexican president Felipe Calderón, as well as prominent political figures including the director general of the World Health Organization, Tedros Adhanom Ghebreyesus, and European Council president and former Belgian prime minister Charles Michel.
Contacted by Le Monde, a spokesperson for the French presidency said that if true, the allegations were extremely serious and would be investigated.
The Pegasus spyware at the centre of the allegations was developed by NSO Group, an Israeli cyber security firm, and was allegedly used to target those on the list by clients of the firm, which has flatly denied this.
The software is legitimately used for a number of purposes. NSO says it has actively prevented terrorist attacks, broken up child exploitation, sex- and drug-trafficking rings, and located survivors trapped in collapsed buildings after earthquakes. The firm also says it carefully vets government clients and does not sell to those with poor human rights records.
NSO again branded the allegations as false. A spokesperson said: “The list is not a list of Pegasus targets or potential targets. The numbers in the list are not related to NSO group in any way.
“Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.”
However, NSO has confirmed in the past that it is alert to the potential for its spyware to be used for malicious purposes and does maintain a number of options if it finds this is happening, including shutting down customer access to its systems. The company’s founder and CEO, Shalev Hulio, has himself confirmed this has been done “out of necessity in the recent past”.
The media partners working alongside Forbidden Stories and Amnesty maintain that close examination of selection patterns has enabled them to identify the governments responsible for targeting politicians, activists and journalists as clients of NSO. They have not, however, been able to access any of the targeted devices, and so cannot confirm whether or not the Pegasus spyware was ever installed on the listed phones.
Commenting on the latest Pegasus Project revelations, Eset’s Jake Moore said high-profile public figures would always be high on a list of potential targets for malicious actors – whether state-backed or not – and should do all they can to mitigate the risk of their devices being compromised.
“Keeping a device up to date on the latest operating system is absolutely vital for anyone, but those at higher risk must remain astute to security patches,” said Moore.
“To mitigate being compromised, personal messaging platforms such as WhatsApp would ideally be on a separate device. However, this cannot always eradicate the problem, so such high-profile, high-wealth targets need to err on the side of caution and remain aware of the techniques used by sophisticated adversaries by leaving their devices out of earshot of extremely sensitive conversations.”
Aaron Cockerill, chief strategy officer at Lookout – which has previously conducted extensive technical analysis of the Pegasus spyware – said the number and variety of individuals on the list demonstrated that advanced spyware and surveillance technology is not just the concern of governments.
“Security and IT teams also need to be able to detect surveillanceware and device exploitation across all employee smartphones and tablets,” he said. “If this malware is detected on a device, they should be able to block the device from accessing corporate resources until the issue is resolved.
“Protection against mobile phishing attacks is also a key part of securing the entire organisation against surveillanceware campaigns. These attacks frequently start with a phishing attack that delivers the malicious payload to the device. Considering the number of apps that iOS and Android devices have with messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or dating apps.”
Cockerill added: “Implementing mobile phishing protection will secure both managed and BYOD devices from compromise before the connection can be made and the payload is executed.”