Military-grade spyware leased by the Israeli firm NSO Group to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners led by the Paris-based journalism nonprofit Forbidden Stories.
Forbidden Stories and Amnesty International, a human rights group, had access to a list of more than 50,000 numbers and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did forensic examination of the phones.
In Uganda, the report said Rwanda had used the spyware to tap the phones of a string of high-profile officials, including General David Muhoozi, the former chief of defense forces and now junior minister for Internal Affairs, former Prime Minister Dr Ruhakana Rugunda and former Minister of Foreign Affairs Sam Kutesa.
Last week, Rwanda's president was interviewed by the Financial Times to respond specifically to allegations of spying on Ugandan officials. Kagame said Rwanda runs a sophisticated intelligence system that leans largely on individuals and not on the pricey Israeli military-grade spyware, and that Kigali knows a lot about her enemies.
Read Kagame’s Transcript
They singled out people and gave them names against whom that technology is used because they talked about human rights activists and even talked about specific names. I want to explain my point. Let me start with the story of the human rights activists.
The names, which were mentioned, are actually names that are known to all of us. These are actually not human rights activists. These are people who in fact have indicted themselves by their own activities, including the ones who are appearing in the court of law here… That is for a fact.
Some of them are the same people who are appearing even in the reports of the UN as people who are part of the insecurity and violence in our region especially in eastern DRC. Again that is for the record. It is not me who wrote the report. I am not one of those investigators and I did not meet them nor talk to them.
If a newspaper, wherever they got their sources from, is already speaking on behalf of or sympathising with a certain group they call innocent human rights activists the government is acting against – that is already a falsehood that we can take to another step now.
The other step is – our country, like any other country, does intelligence. In fact they even monitor people’s communication. For us to know our enemies and what they do wherever they are is something we have always tried to do within our rights like it is in the rights of all the countries we know in this world.
Of course there are rules that govern all these things we do. Probably more things happen discreetly than those that happen in the open; that is why some people will pretend and accuse people of doing certain things that they do even more than the people they are accusing.
I have only read about that story of the (Pegasus) technology in the news and I think there was somebody who was in Canada and another who was in the USA and that is how they knew that somebody who was in Canada was doing something against a certain country and that is how they got to know the movement of the one who later died. It was not involving Rwanda or any African country.
In fact, now that you are asking me about it, well, I actually wish I could have access to this technology. But I also know that it is very costly. That is what I have heard and read about it and I know how best to spend my money because I wouldn’t spend so much money over nobody or nothing.
There is somebody I saw saying that we used the technology against somebody who lives in the UK. I wouldn’t spend that money, which I saw the technology costs to run after that fellow who is of absolutely no consequence. I worry about these fellows who enter and kill people (in Rwanda). But the other one who is fed by the UK government; he has no job. So it is absolute nonsense.
But that technology they are talking about was not made for me. It is very expensive and I don’t have that much money. I don’t have anybody to spend so much on following around. The few dollars that we have we spend them on education but we have done intelligence and we are going to do it for the future because that is how countries operate.
I don’t think Rwanda would be an exception. That is how we get to know about our enemies and those that support our enemies. We know a lot about them but we use mainly human intelligence. We are very good at that for your information. We really do a good job of that.
Financial Times not so long ago was writing a story about Rwanda faking data and again through human intelligence, we realised and came to know and have facts that this man who wrote this has been working with some of these enemies of ours. There is somebody who used to work for me here who lives in Canada who is faking news about us every day. So he found a friend in this writer of Financial Times and now they work together.
They wrote about how I dictate whatever is written about Rwanda. According to them everything about Rwanda is not supposed to be good and if there is anything good, Kagame has dictated it. In other words, I have dictated things with the economy, World Bank, World Economic Forum. I have dictated what Rwandans feel and say.
He has attributed a lot of powers to me, which I wish I had. If what I wished happened the way I wanted it and I had such powers I would be a happy person. So those are the powers he gave me. From this now he moves to the accusations in defence against us, in defence of certain human rights activists and using certain technology.
One thing that I also learnt that was being said was that this technology originates from Israel and Rwanda is a friend of Israel. I wish things work like that every day. We would be further ahead than where we are today. We would be very close to our targets. But for doing intelligence, I am guilty. We do a lot of it.
Pegasus Project: Key takeaways
Thirty-seven targeted smartphones appeared on a sprawling list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 phones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance attempts, in some cases as brief as a few seconds.
Politicians, journalists, activists found on list: The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats and military and security officers, as well as 10 prime ministers, three presidents and one king. The purpose of the list could not be conclusively determined.
Company says it polices its clients for abuses: The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals.
The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses. NSO Chief Executive Shalev Hulio said that he was “very concerned” by The Post’s reports.
“We are checking every allegation, and if some of the allegations are true, we will take stern action, and we will terminate contracts like we did in the past.” He added, “If anybody did any kind of surveillance on journalists, even if it’s not by Pegasus, it’s disturbing.”
NSO Group at the center of a global debate: The company, which began in an Israeli kibbutz, is now valued by investors at more than $1.5 billion. Hulio, the CEO, said in a lengthy late-night interview that he would “shut Pegasus down” if there were a better way to help governments deliver security. But he acknowledged that NSO’s ability to investigate abuse is crippled by its policy of having no visibility into clients’ activities.
Apple iPhone shown to be vulnerable: The discovery on a list of phone numbers of 37 smartphones that had been either penetrated or attacked with Pegasus spyware fuels the debate over whether Apple has done enough to ensure the security of its devices, popular the world over for their reputation for resisting hacking attempts. Thirty-four of the 37 were iPhones.
New details of hacking carry worldwide implications: Among the 37 phones confirmed to have been targeted, 10 were in India and another five in Hungary, most linked to journalists, activists or businesspeople. The finding will add to concerns about extralegal government surveillance conducted with private spyware in both countries.
Hundreds more numbers from India and Hungary appear on the broader global list. A third country, Mexico, was home to nearly one-third of the numbers on the list, adding to questions about its past use of Pegasus software. Each country says it acts legally in carrying out any surveillance activity.
A princess raced to escape: In the years since commandos dragged Princess Latifa, a daughter of Dubai’s ruler, from her getaway yacht in the Indian Ocean in 2018, her friends and associates have wondered: How had her careful escape plan been foiled? A new investigation shows that in the days after she went missing, her phone number and those of friends were added to a list that also includes numbers of phones targeted by the powerful Pegasus spyware.
Numbers for the ruler’s estranged wife, Princess Haya, and members of her legal and security team were also entered into the list when she fled later to London. The surveillance of the princesses was among the reasons the spyware’s owner, NSO Group, terminated Dubai’s contract, a person familiar with the company’s operations told The Post.