The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected or entered into a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together as part of the Pegasus project over several months. Amnesty's Security Lab, a forensic partner in the project, conducted the technical analyses.
What is the leak, and why?
The consortium believes the data indicates the potential targets that NSO's government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company's signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of US telephone numbers, which NSO says are technically impossible to access with its tools, reveals that some targets were selected by NSO customers even though they could not be infected with Pegasus. However, forensic examinations of a sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the commencement of Pegasus activity, in some cases as little as a few seconds.
Amnesty examined 67 mobile phones where attacks were suspected. Of those, 23 were successfully infected and 14 showed some signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty's detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared backup copies of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty's forensic methods, which were found to be sound.
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to market its tools to 60 clients in 40 countries, but refuses to identify them. By closely studying the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 states believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What is the NSO Group?
Also visit the NSO Group website and read their full statement. The company has always said it doesn't have access to the data of its customers' targets. Through its lawyers, NSO said the consortium had made inaccurate assumptions about which clients have used the company's technology. It says the 50,000 number is exaggerated and that the list could not be a list of numbers targeted by governments using Pegasus. The lawyers said NSO had reason to believe the list accessed by the consortium is not a list of numbers targeted by governments using Pegasus, but rather may be part of a larger list of numbers that might have been used for other purposes by NSO Group customers. They further explained that the consortium was basing its findings on a misleading interpretation of information from accessible and overt basic sources, such as HLR Lookup services, which have no bearing on the list of customers' targets of Pegasus or any other NSO products, and said: "we still do not see any correlation of these lists to anything related to use of NSO Group technologies". After publication, they considered a target to be a phone that was the subject of a successful or attempted but failed infection by Pegasus, and reiterated that the list of 50,000 They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected using Pegasus for surveillance.
The term HLR, or home location register, refers to a database that is essential for operating mobile networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands that NSO clients have the capability to conduct HLR lookups in the Pegasus system, through an interface on the NSO system. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed that its clients may have different reasons, unrelated to Pegasus, for conducting HLR lookups via an NSO system.