Military-grade spyware reportedly found on phones of journalists, activists

Nicole Cozma/CNET

Military-grade spyware licensed by an Israeli firm was used in attempted and successful hacks of smartphones belonging to journalists and human rights activists, according to an investigation by The Washington Post and 16 media partners.

In all, 37 phones, including those belonging to two women close to murdered Saudi journalist Jamal Khashoggi, were attacked with spyware licensed by the Israeli firm NSO Group to governments for tracking terrorists and criminals, the investigation found. The phones were included on a list of more than 50,000 numbers concentrated in countries known to conduct surveillance on their citizens.

Cut through the chatter

Subscribe to CNET's Mobile newsletter for the latest phone news and reviews. The list was shared with news organizations by Forbidden Stories, a Paris-based journalism nonprofit, and human rights group Amnesty International.

The investigation, called the Pegasus Project, included a forensic analysis of the phones. The numbers on the list are unattributed, but investigators were able to identify more than 1,000 across more than 50 countries. "The Pegasus Project lays bare how NSO's spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril," Agnes Callamard, secretary general of Amnesty International, said in a statement.

"While the company claims its spyware is only used for legitimate criminal and terror investigations, it's clear its technology facilitates systemic abuse," Callamard said. Amnesty International's analyzed 67 phones that were suspected attack targets,  23 of which were found to be successfully infected and 14 showed evidence of attempted penetration, according to the investigation. The list, which dates back to 2016, includes reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.

Heads of state and prime ministers were also reportedly on the list. NSO Group said the Forbidden Stories report contained "false accusations" with "misleading accusations." "The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources," an NSO Group spokesperson said in a statement. "It seems like the "unidentified sources" have supplied information that has no factual basis and are far from reality."

NSO Group has been implicated by previous reports and lawsuits in other hacks, including a reported hack of former Amazon CEO Jeff Bezos. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year. Journalists and activists from Mexico and Qatar have also sued the company for providing tools that hacked their devices.

A Citizen Lab report from January said a New York Times journalist writing about a Saudi dissident received a link containing a NSO Group hacking tool on his phone in 2018.