The NSO “Surveillance List”: What It Is and Isn’t
A series of blockbuster stories published this week around a leaked list of 50,000 phone numbers have created confusion about whether the owners of those numbers were targets of surveillance or not.
When more than a dozen media outlets published stories this week about a spy tool that targeted the phones of journalists, activists, and others, the public took note in ways it hadn't in the past.
It wasn’t the first time articles about the Pegasus spy tool had been published; nor were the stories the first to reveal that NSO Group — the Israeli company behind the tool — sold it to repressive regimes around the world, who used it to spy on dissidents and journalists, despite NSO claims to the contrary.
But this time the articles took hold for two reasons: The information was published simultaneously by a consortium of 17 media outlets in a blast of stories that have dominated the news cycle for several days. And the stories were based in large part on a massive list of 50,000 phone numbers that had been leaked to the consortium, a list that has become highly controversial because of mysteries surrounding the identity of the leaker and the identity of the person or people who created the list.
To give readers a little clarity about the list and its revelations, I’ve laid out what we do and don’t know about it and how it might have been used.
What is Pegasus?
Pegasus is powerful surveillance software that can steal passwords for accounts and siphon content from phones — such as contacts and call records, emails, text messages, photos, and stored audio recordings. It can also grab screenshots and monitor browsing activity, surreptitiously enable the phone’s mic for real-time monitoring of conversations, or turn on the camera to capture images of people in the phone’s vicinity and their environment.
The software can be planted on phones remotely by sending a text message to the phone with a link — when the user clicks on the message it takes their phone’s browser to a malicious site that downloads the malware. Or it can be planted on phones with what’s called a zero-click exploit. A zero-click exploit is malware that can be sent via an iMessage, for example, that doesn’t require the user to interact with it at all before it installs the spyware on their phone.
NSO Group says Pegasus is sold only to governments and law enforcement agencies for purposes of tracking terrorists, pedophiles and other criminals. But a number of repressive regimes with poor human rights records have been caught using the tool to spy on human rights activists, journalists and anyone else who is critical of their regime.
What exactly is this list?
The list contains about 50,000 phone numbers, which belong to people who are largely based in countries with regimes that are known to spy on their citizens and are also known to be or have been at one time NSO customers, according to the Post.
Someone leaked the list to Forbidden Stories, a collaborative non-profit journalism organization based in France. Forbidden Stories and the human rights group Amnesty International then shared the list with more than 80 journalists from 17 media organizations who worked to identify the owners of the phone numbers and track them down, under the banner of the Pegasus Project. The consortium was able to identify the owners of about 1,000 phones in more than 50 countries, according to the Post, and found that the list included several heads of state, cabinet ministers, diplomats, 85 human rights activists, 189 journalists, 65 business executives, military officers and others of note. The latter includes the former wife of assassinated journalist Jamal Khashoggi, and Princess Latifa bint Mohammed al-Maktoum, daughter of Dubai’s ruler, who plotted an elaborate escape from her country and family in 2018, only to be captured and returned home.
The Organized Crime and Corruption Reporting Project — a member of the consortium — has put together a page showing a small subset of people who have been identified so far as having a phone number on the list.
Where did this list come from?
Forbidden Stories won’t say who leaked the list or where it came from, and it’s not clear if other members of the consortium know the source. But NSO Group revealed in an interview this week that an information broker was shopping around the list to various people last month. The broker said a hacker had stolen the information from NSO servers in Cyprus.
"Around one month ago we received the first approach from an information broker," NSO chief executive Shalev Hulio told the Israeli media outlet Calcalist. "He said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don't have servers in Cyprus and don't have these types of lists, and the [50,000] number doesn't make sense in any way so it has nothing to do with us.”
NSO is based in Israel, but in 2014 it merged with a company called Circles Technologies, which was registered in Cyprus. Circles was founded by an Israeli named Tal Dilian, a former commander in the Israeli military’s Intelligence Corps Technological Units, who claimed that Circles’s technology could track any phone in six seconds using just its phone number.
NSO wanted to integrate into Pegasus the ability to track the location of phones. But apparently Dilian oversold the capabilities of his technology, and NSO wasn’t pleased with its performance. So NSO Group closed Circles's Cyprus office last year and let go of employees. The question is, could the database have been stolen from Circles’s servers by a hacker or by an insider? It’s hard to say. Hulio might be splitting hairs in saying that NSO doesn’t have servers in Cyprus, when presumably Circles did have servers there at one time.
But Hulio also says his company doesn’t maintain lists of surveillance targets or even know who its customers are spying on with their Pegasus software. More than this, he says the 50,000 number doesn’t make sense as a list of targets.
“If you take NSO's entire history, you won't reach 50,000 Pegasus targets since the company was founded,” Hulio said. “Pegasus has 45 clients, with around 100 targets per client a year. In addition, this list includes countries that aren't even our clients and NSO doesn't even have any list that includes all Pegasus targets - simply because the company itself doesn't know in real-time how its clients are using the system."
There is nothing on the list to indicate what purpose it’s meant to serve or who compiled it, according to the Post and other media outlets participating in the Pegasus reporting project. There is also nothing on the list that indicates if the phones were spied on, were simply added to the list as potential targets for spying or if the list was compiled for a completely different reason unrelated to spying.
The members of the consortium have varied in the statements they have made about the list. The Guardian wrote that "the leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016."
Forbidden Stories is more definitive. It says the 50,000 phone numbers on the list were selected by NSO customers for targeted surveillance. Amnesty International also says “the data is irrefutably linked to potential targets of NSO Group’s Pegasus spyware.”
Those varying descriptions have created confusion and controversy around the reporting and the list, with readers wondering exactly what the list is for. The controversy doesn’t negate the central thesis and findings, however: that NSO Group has sold its spy tool to repressive regimes, and some of those regimes have used it to spy on dissidents and journalists.
What’s the basis for calling the list a spy list?
There is evidence that some of the phones on the list were indeed infected with the Pegasus spyware or were targeted for spying with that software.
After identifying the owners of some of the phone numbers, the consortium contacted some of those people to ask if they would allow Amnesty International to forensically examine the phones for evidence of spying.
Amnesty International’s Security Lab was able to do forensic analysis of 67 of the phones, according to the Post, after which their analysis was peer-reviewed by the University of Toronto's Citizen Lab. Amnesty found evidence on 37 of those phones that someone had either attempted to infect the phones with Pegasus or was successful at doing so.
Of those 37 phones, 23 showed signs of a successful Pegasus infection and 14 showed signs of an attempted infection. The 23 infected phones were all iPhones. Of the phones that showed attempted infections, 11 were iPhones and 3 were Android phones. All of the Pegasus infections or attempted infections occurred between 2014 and July 2021.
A total of 15 of the 67 phones examined were Android phones, but no evidence of successful infections was found on them, only evidence of infection attempts on three of them. Amnesty believes this low number may be skewed by the fact that Android logs don’t store all the information needed to determine if the phones were targeted or hacked. Google, which makes the Android operating system, told the Post this is by design, since more extensive logs could be useful to attackers.
Amnesty found that in the case of some of the 37 phones that showed evidence of targeting or successful infection, the phone number was added to the database just minutes or seconds before the targeting occurred, according to the Washington Post, potentially suggesting that the list was used in the surveillance operations.
Amnesty attributed the activity to Pegasus spyware based in part on the internet servers and other infrastructure that were used to deliver the spyware to phones — the domain names for those servers were known to be used by Pegasus. They also based it in part on forensic artifacts the infections left behind on the phones.
Does the fact that 37 out of 67 examined phones showed evidence of being targeted with Pegasus suggest that the same percentage of the entire 50,000 list of phones were also targeted with Pegasus spyware? Not necessarily. The 67 phones examined could belong to people who were already known to have been targets of surveillance or were strong candidates for surveillance. This could have increased the likelihood that these particular phones would have evidence that Pegasus was used to hack them. Those 37 phones then could have reinforced a bias that the list was a spy list.
Is there a surveillance case that stands out on the list?
Among the phones that were targeted were those of Hanan Elatr, Jamal Khashoggi’s wife at the time of his death, and his fiancee, Hatice Cengiz. A forensic examination conducted by Amnesty International found evidence that someone masquerading as Elatr’s sister sent texts to Elatr’s phone in November 2017 and April 2018 (six month’s before Khashoggi’s murder) with links that could have downloaded the spyware to her phone. She told the Washington Post that she had no memory of clicking on the links, and the Amnesty team could not determine if the attempts were successful, because the logs on Ekatr’s Android phone were not sufficient to do this.
Cengiz’s phone was successfully infected with Pegasus, however, four days after Khashoggi’s murder, and five more times over subsequent days, according to the Post.
A close associate of Khashoggi was also successfully hacked after the journalist’s murder. But Amnesty’s analysis “could not determine what was taken from the phone or whether any audio surveillance took place,” according to the Post. Khashoggi’s own phone is in the hands of Turkish authorities, who refused to say if his phone had been hacked.
A former Al Jazeera journalist who was an associate of Khashoggi also had his phone infected with Pegasus, though it’s not clear if his name was in the database leaked to Forbidden Stories. Two senior Turkish officials involved in the Khashoggi homicide investigation do appear on the phone list, the Washington Post reports. They declined to provide their phones for a forensic examination, but one of them told the Post that shortly after the murder, Turkish intelligence officials told him that his iPhone had been hacked and that he had been under surveillance. But they didn’t say who had hacked him or what spy tool was used.
In addition to the evidence found on the phones of the people on the list, there is another datapoint that some people say suggests that the list was compiled to spy on people.
The database of phone numbers recorded a timestamp each time a phone was added to the list, and some of the phones for Princess Latifa and her associates were added during the period when Dubai and others were searching for her to bring her back to Dubai. For example, her phone number and the numbers of her friends were added to the list in February 2018 in the hours and days after she went missing. But the Post notes that by the time her number was added to the list, she and the person assisting with her escape had already left their phones behind in the bathroom of a Dubai cafe to thwart surveillance. But the phones of multiple associates of the princess were subsequently added to the list.
After Latifa’s return home, the phone numbers of one of the sheikh’s wives, Haya bint Hussein, was also added to the database, as were many of her associates. She had expressed support for Latifa and a year later staged her own escape with her two children.
What does NSO say about the list and accusations?
NSO’s CEO has said the list has no connection with his company or with Pegasus and that it is in no way a list of people being targeted for spying with Pegasus.
He also denies outright that Pegasus was used to monitor Khashoggi or his wife and fiancee. The company claims it looked into the allegations and concluded that its spyware played no part in their surveillance.
“[O]ur technology was not associated in any way with the heinous murder of Jamal Khashoggi,” NSO said in a statement. “This includes listening, monitoring, tracking, or collecting information.”
But Hulio has made contradictory statements. He has said that NSO does not know who the targets of its customers are and does not have access to that information. He also asserts confidently that Khashoggi was never targeted with Pegasus. How can he know this? Hulio says that per their customer contract, if NSO gets reports of a customer misusing their spyware, customers are required to provide NSO with access to their logs to see which phone numbers they targeted for surveillance. It’s not clear, however, if it’s possible for customers to alter those logs in ways that wouldn't be detected or provide false logs.
Hulio says he was given a list of the 37 phone numbers that Amnesty found were targeted with Pegasus and after doing an investigation concluded that not a single one of them was targeted with Pegasus spyware, he told Forbes.
“It is not a list of targets or potential targets of NSO’s customers, and your repeated reliance on this list and association of the people on this list as potential surveillance targets is false and misleading,” NSO told the Washington Post.
Hulio insists that the consortium has made “wrong assumptions” about the database, and that the journalists misinterpreted the leaked data.
If not a spy list, what is it?
Hulio and his team at NSO believe the database might have come from an HLR lookup service. HLR stands for Home Location Register, which is a database used by cellular phone networks. HLR lookups involve a query sent to a mobile operator's HLR database to see if a specific mobile number (MSISDN) is registered and to also identify the approximate location (i.e., network node) in which the phone is registered. An HLR lookup service is a company that conducts these lookups on behalf of customers.
HLR lookups are normally done for purposes of delivering SMS to a user’s device. But they can also be used to set the stage for surveillance, notes Cathal McDaid, CTO of AdaptiveMobile, in a blog post examining the issue. Adaptive specializes in security and threat intelligence for mobile phone networks and messaging systems.
A source with “direct knowledge of NSO’s systems” told the consortium that HLR lookups were integrated into Pegasus spying after NSO and Circles merged, according to the Post. The lookups would determine if a phone was turned on or if it was based in a country that allows Pegasus targeting. NSO, for example, has said that it is “technically impossible" for Pegasus to be used to spy on U.S. phone numbers — those with a +1 country code.
But because NSO has insisted that the list of phone numbers leaked to the consortium is not related to NSO or Pegasus, this would suggest this database was not part of that integrated lookup. It could, however, be a database maintained by a third-party HLR lookup service whose customers include regimes that use Pegasus. Or it could also be an HLR lookup database that is completely benign and not used in conjunction with spying at all, as NSO suggests, and it just happens to include numerous people who have been spied on or would be coveted targets for spying by NSO customers.
The bottom line is that there are still a lot of unanswered questions about the database that served as the basis for the Pegasus Project stories. And it’s not clear if answers to those questions will come any time soon.
If you found this article useful or interesting, feel free to share it.
If you’d like to receive articles like this directly to your inbox in the future, subscribe here:
Great story, Kim! Thanks for pulling all that together. Fascinating stuff.
Amnesty just checked 67/50000 phones, only 20+ infected , can't claim that whole list was NSO targets. They haven't released payload IOC's , just forensically verified , that also adds lot of doubt on this research. Lot of main stream media gave this too much attention than it warranted.