Critics have previously claimed that NSO Group spyware was misued to target the media and other innocent people, but new findings might have revealed the extent of that misuse. The Washington Post has shared a multi-partner investigation claiming that NSO's Pegasus software was used to successfully hack 37 phones, including journalists, activists and the two women closest to murdered Saudi journalist Jamal Khashoggi.
The victims were on a 2016-era list of 50,000 phone numbers from countries believed to conduct both extensive surveillance and use of NSO tools, such as Hungary and Saudi Arabia. The list included 1,000 people who didn't obviously fit the software's intended criminal targets, including over 600 politicians, 189 journalists, 85 humans rights activists and 65 business executives.
Roughly a dozen Americans working overseas were on the list, but the investigation partners couldn't conduct forensic studies on most of their phones or find evidence of successful hacks. NSO previously said Pegasus couldn't be used to snoop on American devices.
NSO flatly denied the claims stemming from the investigation. It maintained that the information had "no factual basis," and rejected the notion that Pegasus was used to target Khashoggi or his associates. It maintained that it shut down access "multiple times" over past abuses, and that the list was too large to be focused solely on numbers its client countries would have targeted. The company went so far as to hire a libel attorney, Thomas Clare, that accused the investigation partners of having "misinterpreted and mischaracterized" data while making "speculative and baseless assumptions."
NSO has historically pinned abuse claims on the countries themselves, and has said it reviewed the human rights records of a given nation before doing business.
The report comes a year and a half after Facebook sued NSO for allegedly enabling call exploit attacks against WhatsApp, and mere months after Citizen Lab claimed that NSO software was used to hack Al Jazeera journalists' iPhones using an iMessage flaw. However true the accusations might be, they'll at least affect NSO's reputation — they cast doubt on the company's assertion that it only serves customers pursuing obvious targets like terrorists.