Malware used to infect phones of activists, journalists and human rights defenders in 45 countries
Supported by Amnesty International and the Citizen Lab, analysis reveals relations and patterns between separate incidents in the physical and digital sphere, demonstrating how infections are entangled with real-world violence and extend within the professional and personal networks of civil society actors worldwide.
NSO Group Technologies Ltd. was founded in Israel in 2010 by Niv Carmi, Shalev Hulio and Omri Lavie. Part of an ecosystem of Israeli cyber-weapons companies—developed in the context of Israel’s ongoing occupation and settler-colonial surveillance of Palestinians—NSO’s Pegasus malware has reportedly been used since at least 2015 in at least 45 countries worldwide to infect the phones of activists, journalists and human rights defenders.
Forensic Architecture’s interest in the NSO Group dates back to 2017, when reporting by The Citizen Lab revealed that members of Centro Prodh, its collaborators in investigating the disappearance of 43 students from Ayotzinapa, Mexico, had been hacked using Pegasus.
The investigation into NSO Group began two years later, when Forensic Architecture learnt that close associates, members of the legal team leading a suit against NSO on behalf of a number of human rights defenders, were informed by WhatsApp in 2019 that their phones had also been infected.
While reporting on this issue incrementally exposed new cases of infection, Forensic Architecture undertook this project in order to provide the public, researchers and the legal team with a general tool to explore relations among different types of NSO-related activities worldwide.
NSO has yet to confirm a single state or corporate client and continues to receive security export licences from Israel’s Ministry of Defence for the sale of Pegasus—despite being challenged in Israeli and international courts.
The investigation consists of:
A navigable digital platform,
Video investigations to tell the stories of human rights defenders from around the world reportedly targeted by Pegasus, and
An interactive diagram and a video presenting new research into the web of corporate affiliations within which the NSO Group is nested.
With this, Forensic Architecture has for the first time mapped the global landscape of NSO-related activities to demonstrate new connections and patterns between ‘digital violence’ using Pegasus and real-world violence directed at lawyers, activists, and other civil society figures.
The platform
The data for the project is based on fifteen months of open-source research that extracted data from hundreds of pages of documents as well as interviews. The platform offers the most comprehensive database to date (containing over a thousand data points) of reported infections of phones using Pegasus.
Forensic Architecture developed bespoke open-source software to present this data as an interactive 3D platform, which will be updated as the investigation continues.
Key findings
The infections enabled by NSO’s Pegasus malware that have thus far been publicly exposed likely form only a part of a more expansive deployment against civil society actors across the world. However, the data collected does already suggest possible patterns in the ways that digital targeting using Pegasus operates:
Digital infections do not target civil society actors as individuals, but rather as networks of collaboration. Our platform shows that in Mexico, Saudi Arabia and India digital targeting (blue dots) starts with one person before their professional networks are targeted within a similar time period. In each of these examples, the use of Pegasus occurs after or during periods where these civil society networks expose or confront controversial or criminal state policy.
Digital infections of civil society groups occur alongside other forms of violence experienced in the physical world. Cyber-surveillance is consistently entangled with a spectrum of physical violations, including break-ins, intimidation, assaults, arrests, lawsuits and smear campaigns, and murder, in the case of prominent Saudi journalist Jamal Khashoggi, whose friends and colleagues were targeted by Pegasus.
Digital targeting extends the reach of state power to include human rights dissenters in exile, while also physically targeting their colleagues and families in their home country.
Methodology
Data mining
Forensic Architecture data-mined dozens of human rights reports, including Citizen Lab and Amnesty International’s exposure of NSO-related hacks; legal documents; hundreds of news reports from newspapers around the world, including the Washington Post, Aristegui Noticias, Vice, The Hindu, The New York Times, Forensic News, The Guardian, Haaretz and Aljazeera, amongst others; and more than a dozen interviews conducted with investigators and dissenters, activists, journalists and public figures targeted using Pegasus.
Each data entry point was categorised by the individuals targeted or the organizations they work with, and plotted by its time, or time range, according to the documented fields from which Pegasus operates, including Mexico, the United Arab Emirates, Saudi Arabia, Morocco, Rwanda, India, Spain and Togo.
Data points were classified as either digital, physical or contextual events. Each of these categories was further refined and sub-categorised:
Digital events include suspected and successful Pegasus infections as reported by the Citizen Lab or Amnesty International in the form of either zero-click or one-click exploits, and were subclassified as such.
Physical events encompass all incidents of violations in the physical world and are organized into murder (fatal violence or assassination), assault (instances of physical violence), intimidation (violence aimed at causing fear, emotional and psychological distress) and Black Cube (which refers to intimidation specifically enacted by agents of the private Israeli intelligence company, Black Cube).
Contextual events are subdivided into: corporate transformations and financial transactions that relate to NSO Group and its affiliates; exposures of NSO-related operations (in the form of news articles, civil society reports, petitions and lawsuits); and global, regional or local events surrounding NSO-related digital infections or physical violence, including political or criminal events investigated by the people targeted.
Read more and check the video source: Forensic Architecture