Journalists, activists and human rights workers have been targeted by authoritarian governments using spyware sold by an Israeli company, according to a leaked report published in the Guardian.
Hacking software sold by the Herzliya-based NSO Group is alleged to have targeted more than 50,000 phone numbers, which have been identified as belonging to people of interest to foreign regimes.
The technology, Pegasus, is a form of malware that allows its operators to access messages, photos and emails, record phone calls and activate the microphones of target iPhone and Android devices.
Among those believed to have had their phones compromised are business executives, religious figures, academics, cabinet ministers, presidents, prime ministers and more than 180 journalists including the editor of the Financial Times.
Reporters and editors at CNN, the New York Times, the Economist and Reuters have reportedly been targeted.
The NSO Group claims Pegasus is only intended to be used against terrorists and criminals.
The company sells its malware to military, police and intelligence agencies in 40 undisclosed countries, which it claims are thoroughly vetted before transactions are made.
However, leaked data, which has been analysed by a consortium of human rights organisations and media outlets, identified Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates as possible NSO clients.
Forensic analysis shows that Pegasus was possibly used by Saudi Arabia and the United Arab Emirates to compromise phones belonging to associates of the murdered journalist Jamal Khashoggi.
Hungarian President Viktor Orban has also reportedly used the technology to target independent media executives and investigative journalists.
In statements issued to The Guardian through its lawyers, NSO denied “false claims” about the activities of its customers, and said it would “continue to investigate all credible claims of misuse and take appropriate action”. The company also told The Guardian the leaked report containing possible compromised phones could not be a list of numbers “targeted by governments using Pegasus”, and labelled the 50,000 figure as “exaggerated”.
