On Monday, security experts revealed that spyware from the infamous Israeli hacker-for-hire firm NSO Group was discovered on the cell phones of six Palestinian human rights activists, half of whom were linked with organizations that Israel’s defense minister alleged were involved in terrorism.
The disclosure marks the first time that the military-grade Pegasus malware has been used to target Palestinian activists. Since 2015, it has been used against journalists, human rights campaigners, and political dissidents from Mexico to Saudi Arabia.
If a Pegasus infection is successful, intruders gain access to everything a person stores and does on their phone, including real-time communications.
According to Mohammed al-Maskati of the nonprofit Frontline Defenders, the researcher who first discovered the NSO spyware on the activists’ phones, it’s unclear who installed it.
Israeli Defense Minister Benny Gantz declared six Palestinian civil society groups terrorist organizations shortly after the first two intrusions were discovered in mid-October. Frontline Defenders, based in Ireland, and at least two of the victims believe Israel is the main suspect, and that the designation was made to obscure the hacks’ discovery, though they have provided no evidence to back up their claims.
Israel has provided little public evidence to support the terrorism designation, which Palestinian groups claim is intended to deprive them of funding and silence their opposition to Israeli military rule. Three of the Palestinians who were hacked work for civil society organizations. Frontline Defenders says the others do not and wish to remain anonymous.
The forensic findings, which were independently confirmed by security researchers from Amnesty International and the University of Toronto’s Citizen Lab in a joint technical report, come as NSO Group faces mounting criticism for the misuse of its spyware and Israel faces criticism for the lax oversight of its digital surveillance industry.
The NSO Group and a lesser-known Israeli competitor, Candiru, were blacklisted by the Biden administration last week, preventing them from accessing US technology.
When asked about the allegations that its software was used against Palestinian activists, NSO Group responded in a statement that it does not identify its customers for contractual and national security reasons, does not know who they hack, and only sells to government agencies for use against “serious crime and terror.”
In a brief statement, an Israeli defense official said the designation of the six organizations was based on strong evidence and that any accusation that it is linked to the deployment of NSO software is false. There were no other details in the statement, and officials refused requests for additional information. The official spoke on the condition of anonymity to discuss security concerns.
The Israeli Defense Ministry has approved the export of spyware developed by NSO Group and other private Israeli firms that recruit from Israel’s top cyber-capable military units. The procedure, according to critics, is unclear.
According to security researchers, it’s unclear when or how the phones were hacked. According to Citizen Lab and Amnesty International researchers, four of the six hacked iPhones used SIM cards issued by Israeli telecom companies with Israeli +972 country code numbers. As a result, they questioned NSO Group’s claims that exported Pegasus versions can’t be used to target Israeli phone numbers. NSO Group has also stated that it does not target numbers in the United States.
Ubai Aboudi, a 37-year-old economist and US citizen, was one of those hacked. He is the director of the Bisan Center for Research and Development in Ramallah, in the Israeli-occupied West Bank, which is one of the six organizations Gantz designated as terrorists on Oct. 22.
Ghassan Halaika of the Al-Haq rights group and attorney Salah Hammouri of Addameer, another human rights organization, are the other two hacked Palestinians who agreed to be named. Defense for Children International-Palestine, the Union of Palestinian Women’s Committees, and the Union of Agricultural Work Committees are the other three designated organizations.
Aboudi claimed he lost “any sense of safety” through the “dehumanizing” hack of a phone that is at his side day and night and holds images of his three children. He stated his wife “didn’t sleep from the prospect of having such deep intrusions into our private” for the first three nights after learning of the breach.
He was particularly concerned that eavesdroppers might be listening in on his conversations with foreign ambassadors. The researchers discovered that Aboudi’s phone had been infected by Pegasus in February.
Aboudi accused Israel of “sticking the terrorist emblem” on the organizations after it failed to persuade European governments and others to cut off financial support.
The groups are said to be linked to the Popular Front for the Liberation of Palestine (PFLP), a leftist political group with an armed wing that has killed Israelis. The PFLP is considered a terrorist organization by Israel and Western governments. Aboudi was sentenced to a year in prison last year after being convicted of PFLP involvement, but he denies ever being a member of the group.
The discoveries are “very worrisome,” according to Tehilla Shwartz Altshuler of the Israel Democracy Institute, especially if it is shown that Israel’s security agencies, who are generally immune from the country’s privacy regulations, have been employing NSO Group’s commercial spyware.
“This truly complicates the government’s relationship with NSO,” said Altshuler, if the government is both a client and a regulator in a secret connection.
On Monday, Aboudi spoke at a news conference in the occupied West Bank with officials from Al-Haq and Addameer, condemning the hacks as an attack on civil society. Sahar Francis, the director of Addameer, has called for an international investigation.
“Of course, we’re not going to shut down our businesses,” Francis said. “We will carry on with our work and provide services.”
Andrew Anderson, the executive director of Frontline Defenders, claims that the NSO Group can’t be trusted to keep its spyware from being used illegally by its customers and that Israel should face international repercussions if it doesn’t bring the company to heel.
“If the Israeli government refuses to act, this should have ramifications in terms of trade regulation with Israel,” he wrote in an email.
When asked who he thought was behind the hack, Halaika said, “As human rights defenders living under occupation, we expect it was the (Israeli) occupation.”
According to the researchers, the phone of the third named hacking victim, Hammouri, was apparently compromised in April. Hammouri, a dual French and Israeli national who lives in Jerusalem, previously served a seven-year sentence for security offenses, and Israel accuses him of being a PFLP operative, which he denies.
“We have to determine who had the ability and who had the motive,” Hammouri said, declining to speculate on who was behind the hack.
Following Halaika’s tip, Al-Maskati said he checked 75 Palestinian activists’ phones and discovered the six infections. He was unable to ascertain how the phones were hacked, though the timeline of evidence indicated the use of a so-called “iMessage zero-click” attack that NSO Group employs on iPhones. The attack is quite effective, and unlike most phishing attempts, it does not require user interaction.
Facebook has sued NSO Group for allegedly intruding into its globally popular encrypted WhatsApp messaging app using a similar hack.
Since a group of international news organizations reported in July on a list of possible NSO Group surveillance targets, a cascade of new revelations about the hacking of public figures has occurred, including Hungarian investigative journalists, the fiancée of slain Saudi journalist Jamal Khashoggi, and an ex-wife of Dubai’s ruler. Amnesty International and the Paris-based journalistic charity Forbidden Stories got the list from an anonymous source.
According to the Washington Post, reporters from various news organizations were able to confirm at least 47 additional successful hacks from that list of 50,000 phone numbers. The NSO Group has denied ever keeping such a list.