The leaked database at the heart of the Pegasus project includes the mobile phone numbers of the French president, Emmanuel Macron, and 13 other heads of state and heads of government, the Guardian can reveal.
The South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, are also listed in the data, which includes diplomats, military chiefs and senior politicians from 34 countries.
The appearance of a number on the leaked list – which includes numbers selected by governments that are clients of NSO Group, the Israeli spyware firm – does not mean it was subject to an attempted or successful hack. NSO insists the database has “no relevance” to the company.
NSO said Macron was not a “target” of any of its customers, meaning the company denies he was selected for surveillance using Pegasus, its spyware. The company added that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
But the list is believed to be indicative of individuals identified as persons of interest by government clients of NSO. It includes people who were later targeted for surveillance, according to forensic analysis of their phones.
NSO insists it requires its government clients to only use its powerful spying tools for legitimate investigations into terrorism or crime.
The Guardian and other media partners in the Pegasus project, an international consortium, identified those governments believed to be responsible for selecting individual numbers in the data by closely examining the patterns of selection.
Political figures whose numbers appear in the list include:
• The South African president, Cyril Ramaphosa, who appears to have been selected by Rwanda in 2019.
• Emmanuel Macron, the French president, who appears to have been selected as a person of interest by Morocco in 2019. An Élysée official said: “If this is proven, it is clearly very serious. All light will be shed on these media revelations.”
• Tedros Adhanom Ghebreyesus, the World Health Organization’s director general, who also appears to have been of interest to Morocco in 2019.
• Saad Hariri, who resigned as prime minister of Lebanon last week and appears to have been selected by the UAE in 2018 and 2019.
• Charles Michel, the president of the European Council, who appears to have been chosen as a person of interest by Morocco in 2019, when he was prime minister of Belgium.
• King Mohammed VI of Morocco, who was selected as a person of interest in 2019, apparently by security forces in his own country.
• Saadeddine Othmani, Morocco’s prime minister, who was also selected as a person of interest in 2018 and 2019, again possibly by elements within his own country.
• Imran Khan, the prime minister of Pakistan, who was selected as a person of interest by India in 2019.
• Felipe Calderón of Mexico, the former president. His number was selected in 2016 and 2017 by what is believed to have been a Mexican client during a period when his wife, Margarita Zavala was running for the country’s top political job.
• Robert Malley, a longtime American diplomat who was chief negotiator on the US-Iran deal, and who appears to have been selected as a person of interest by Morocco in 2019. NSO has said its government clients are prevented from deploying its software against US numbers because it has been made “technically impossible”.
The Pegasus project could not examine the mobile phones of the leaders and diplomats, and could therefore not confirm whether there had been any attempt to install malware on their phones.
In addition to denying Macron was a “target”, an NSO Group spokesperson also said King Mohammed VI and Tedros Ghebreyesus “are not, and never have been, targets or selected as targets of NSO Group customers”.
Lawyers for NSO said the firm defined targets as people who were “selected for surveillance using Pegasus, regardless of whether an attempt to infect her or his device is successful”.
The surveillance company says it does not have access to the data of its customers, but says that they are obligated to provide the firm with such information when they have placed them under investigation. The company appears to have undertaken such an investigation into Morocco, which is believed to be one of its clients.
Forensic examinations of a sample of 67 phones in the leaked data belonging to human rights activists, journalists and lawyers found 37 had contained traces of Pegasus infection or attempted infection. The analysis was done by Amnesty International’s Security Lab, a technical partner on the project.
The leaked data also suggests Saudi Arabia and the United Arab Emirates have appeared eager to consider monitoring Egyptian officials, despite both countries’ close ties to Egypt’s authoritarian ruler, Abdel Fatah al-Sisi.
Among the numbers selected as individuals of interest by an NSO client believed to be the Saudi government was that of the Egyptian prime minister, Mostafa Madbouly.
Both Saudi and UAE are believed to have selected Barham Salih, the president of Iraq, who is close to the US, as a candidate of interest to their governments. Salih’s UK number also appeared in the list.
Neither Saudi Arabia or the UAE have responded to requests for comment.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Rwandan authorities have staunchly denied having access to NSO Group technology, but have long been suspected of being a client of the Israeli firm. An analysis of the leaked data shows that Ruhakana Rugunda was selected as a candidate for potential surveillance in 2018 and 2019, when he served as prime minister of Uganda – a selection seemingly made by the government of Rwanda.
Morocco has denied spying on any foreign leaders, and has said reporters investigating NSO were “incapable of proving [the country had] any relationship” with the Israeli company. But an analysis of the leaked records showed Morocco appeared to have listed dozens of French officials as candidates for possible surveillance, including Macron.
Neither India or Pakistan have commented specifically on claims that Delhi may have selected Khan for targeting. India has said it has well established protocols for interception which requires approval from highly ranked national or regional officials for “for clear stated reasons only in national interest.”
Several state agencies in Mexico have acquired the Pegasus spyware starting with the defence ministry in 2011, and pervasive corruption in the country has prompted concerns that it could end up in the wrong hands.
The country’s former interior minister Miguel Ángel Osorio Chong, who served between 2012 and 2018, told the Pegasus project that during his term of office the interior ministry “never, never authorised or had knowledge or information that Cisen [Mexico’s national security intelligence service] owned or acquired the Pegasus hacking kit, and never authorised anything to do with hacking”.
In its statement, NSO said the leaked list “is not a list of targets or potential targets of NSO’s customers”. Through its lawyers, NSO previously said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”.
Following the launch of the Pegasus project, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute the leaked data “has any relevance to NSO”, but added that he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he said.
Additional reporting by Shah Meer Baloch in Islamabad