(New York) – The targeting of a Human Rights Watch staff member with Pegasus spyware underscores the urgent need to regulate the global trade in surveillance technology, Human Rights Watch said today. Governments should ban the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place.
Lama Fakih, Crisis and Conflict director and head of the Beirut office at Human Rights Watch, was targeted with Pegasus spyware five times between April and August 2021. Pegasus is developed and sold by the Israel-based company NSO Group. The software is surreptitiously introduced on people’s mobile phones. Once Pegasus is on the device, the client is able to turn it into a powerful surveillance tool by gaining complete access to its camera, calls, media, microphone, email, text messages, and other functions, enabling surveillance of the person targeted and their contacts.
“Governments are using NSO Group’s spyware to monitor and silence human rights defenders, journalists, and others who expose abuse,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “That it has been allowed to operate with impunity in the face of overwhelming evidence of abuse, not only undermines efforts by journalists and human rights groups to hold powerful actors to account, but also puts the people they are trying to protect in grave danger.”
Fakih, a dual US-Lebanese citizen, oversees crisis response from countries as far ranging as Syria, Myanmar, Israel/Palestine, Greece, Kazakhstan, Ethiopia, Lebanon, Afghanistan, and the United States. This includes documenting and exposing human rights abuses and serious international crimes during armed conflicts, humanitarian disasters, and severe social or political unrest. This work may have attracted the attention of various governments, including some that are suspected NSO clients, Human Rights Watch said.
“It is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices,” Fakih said. “They seem to believe that by doing so, they can consolidate power, muzzle dissent, and protect their manipulation of facts.”
On November 24, 2021, Apple notified Fakih via email, iMessage, and an alert on the AppleID login screen that state-sponsored attackers may be targeting her personal iPhone. The Human Rights Watch information security team established that Fakih’s current and former iPhones had been infected with Pegasus after they performed forensic analysis on the devices. Amnesty International’s Security Lab peer reviewed the analysis and confirmed the findings.
Fakih’s phones were infected with a “zero-click” exploit, meaning that her devices were compromised without the need for any action by Fakih such as clicking on a link. This is an advanced and sophisticated attack technique that is effective at compromising devices, while also being very difficult for the target to detect or prevent.
The targeting of Human Rights Watch with Pegasus adds to the ever-growing list of human rights activists, journalists, politicians, diplomats, and others whose devices have been compromised by the spyware in violation of their rights. In July 2021, a consortium coordinated by Forbidden Stories, a Paris-based media nonprofit, with the technical support of Amnesty International, exposed that Pegasus software had been used to infect the devices of dozens of activists, journalists, and opposition figures in multiple countries. The consortium identified potential NSO clients in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).
Over the past three months alone, investigations have revealed that Pegasus spyware was used to infect the devices of six Palestinian human rights activists, four Kazakh civil society activists, eleven US Embassy officials in Uganda, two Polish opposition figures, a member of an independent UN human rights investigation team for Yemen, a human rights activist in Bahrain, a human rights activist in Jordan, and thirty-five journalists and members of civil society in El Salvador, among others.
In response to evidence that Pegasus has been used to target human rights defenders, journalists, and dissidents, NSO Group has said repeatedly that its technology is licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime, and that it does not operate the spyware it sells to government clients.
NSO Group responded to Human Rights Watch’s request for comment saying that it is “not aware of any active customer using [its] technology against a Human Rights Watch staff member” and that it would open an initial assessment into our allegation to determine if an investigation is warranted. The company said it takes “any allegation of the misuse of [its] system against a human rights defender most seriously,” and that such misuse would violate their policies and the terms of its contracts with customers. It referred us to its Whistleblower Policy and Transparency Report, which outline how they respond to such allegations.
Recent actions by governments and others against surveillance firms are positive steps, but coordinated and more ambitious government regulation is needed to rein in the burgeoning surveillance technology industry that includes NSO Group and others, Human Rights Watch said. Governments should implement a moratorium on the sale, export, transfer, and use of surveillance technology until human rights safeguards are in place.
“Governments need to act on the damning evidence of rights abuses that the unbridled sale of surveillance technology unleashes around the world,” Brown said. “Human rights defenders are calling for regulation, major companies are suing, while governments’ failure to take decisive action against the spyware industry constitutes a dangerous threat to fundamental human rights.”
For technical analysis of the targeting of Fakih, details of the development of surveillance technology, and recent actions by companies and governments against spyware companies, please see below.
Recent Actions Against Spyware Companies
In recent months, companies and governments have begun to take steps against spyware companies. On July 19, 2021, on the heels of the Pegasus Project reporting, Amazon Web Services announced it had disabled cloud accounts linked to NSO Group. On November 3, the US Commerce Department announced its decision to add NSO Group and Candiru, another Israel-based company that produces spyware, to its trade restriction list (Entity List), for “acting contrary to the foreign policy and national security interests of the United States.”
The decision prohibits the export from the US to NSO Group and Candiru of any type of hardware or software without a special license from the US Commerce Department. While the decision does not legally prohibit any material support (financial or technical), it effectively blacklists the two companies in the US.
On September 9, 2021, the European Union’s updated rules for the export of surveillance technology went into effect. The regulation does not go as far as human rights groups had wanted, for instance by banning the sale of surveillance technology to abusive governments. But it requires the EU Commission to publicly report the number of export license applications for each type of surveillance technology, for each member state, and the destination of the export. It also adds human rights risks as a criterion to be considered when granting an export license. The impact of the new regulation should be maximized through expansive interpretation and rigorous application, Human Rights Watch said.
In November, Apple began notifying users whom it suspects may have been targeted by a state-sponsored spyware attack, leading to the notification that Fakih received.
On November 23, 2021, Apple filed a lawsuit against NSO Group and its parent company for the surveillance and targeting of Apple users. This follows a lawsuit by WhatsApp over allegations that NSO Group spyware was used to hack 1,400 users of the app in 2019.
Long History of Abuse Using Spyware
Human rights organizations, academics, and journalists have been reporting on government use of commercial spyware to violate rights for more than two decades.
Commercially sold surveillance technology includes hardware, software, and services to enable covert and non-covert surveillance by and of digital systems with the goal of monitoring, extracting, collecting, and analyzing data. As people’s dependence on digital tools and technologies has grown exponentially over the past two decades, so has many governments’ interest in surveillance technology. The development of ever more advanced and intrusive surveillance technology has also increased the risk its misuse poses to human rights.
Commercial surveillance technology can perform a variety of functions, including surreptitious data extraction from personal devices; location tracking, which can contain sensitive and revealing insights about a person’s identity, location, behavior, associations, and activities; deep packet inspection, which enables the monitoring, analysis, and redirection of internet traffic and can be used to infect devices with malware and block them from accessing certain websites; and facial and affect recognition technology, which seeks to capture and detect a person’s facial characteristics or infer their emotions or intentions from facial expressions, based on highly questionable classification systems.
Many companies selling commercial spyware are based in the US, Canada, Europe, the UK, and Israel, though the opacity under which the commercial surveillance industry operates makes it impossible to know the full scope or scale of its reach.
Targeting the Devices of a Human Rights Watch Staff Member
On November 23 and 24, 2021, Apple notified Lama Fakih, Crisis and Conflict director at Human Rights Watch, via email, iMessage, and an alert on the AppleID login screen that state-sponsored attackers might be targeting her iPhone.
Abir Ghattas, associate director for information security at Human Rights Watch, confirmed the legitimacy of Apple’s notifications, then performed forensic analysis on Fakih’s current iPhone and previous iPhone that were associated with the same AppleID to establish whether the devices had been infected. Human Rights Watch analysis indicated that two devices (iPhone 12 and iPhone XS) were infected with NSO Group’s Pegasus spyware.
Examination of the logs showed traces of processes on both devices that Amnesty International Security Lab’s research previously connected to NSO’s Pegasus.
Human Rights Watch shared the forensic data with Amnesty International’s Security Lab, which peer reviewed and independently confirmed the findings (see key technical findings below).
Recommendations
To address the high risk of abuse associated with all surveillance technology, Human Rights Watch recommends:
- Governments should immediately impose a moratorium on the sale, export, transfer, and use of surveillance technology until adequate human rights safeguards are in place. They should also disclose any existing contracts or use of such technology.
- Governments should apply relevant sanctions frameworks, such as the EU’s global human rights sanctions regime and the US Global Magnitsky Human Rights Accountability Act, to commercial spyware companies that are responsible for or complicit in serious human rights abuses to cut them off from the financial or technical infrastructure they need to operate until they can demonstrate that they have undertaken specific measures or demonstrated a change of policy that will end the human rights abuses or violations that gave rise to the sanctions.
- Governments should ensure that any use of surveillance technology in their countries is subject to domestic laws that only permit their use in accordance with the international human rights standards of legality, necessity, proportionality, and legitimacy of objectives. Governments should meaningfully enforce or reform those laws, as appropriate; remove legal or other barriers to effective remedies for victims of unlawful surveillance; and ensure that both judicial and nonjudicial paths are available for victims to seek a remedy for the harm surveillance technology may have caused.
- Governments should allow the sale, export, and transfer of surveillance technology to resume only when they have enforceable legal frameworks requiring human rights due diligence that prevents surveillance technology from reaching governments that do not have human rights safeguards in place. Governments that have demonstrated substantial disregard for human rights and a pattern of abusive use of technology should be on a “no sale” list.
- Governments should also require private companies based in their countries to disclose information on products and services offered, the results of their regular due diligence, their sales and exports, including the identity of clients, and potential clients rejected for failing to meet standards of human rights or good governance. Governments should establish independent oversight to monitor private companies’ compliance with due diligence and transparency requirements. Governments should make this information available in public registries. The purchase of surveillance technology by law enforcement in any country should be transparent so that it can be subject to public debate.
- To encourage accountability, the relevant experts associated with the United Nations and regional human rights mechanisms should monitor and investigate the use of spyware by governments and sales of spyware by companies, and report to member states on abuses involving the use of such spyware.
Key Technical Findings from Human Rights Watch’s Forensic Analysis
Fakih’s two devices contained traces of Pegasus infection. Forensic traces from the devices indicate that both phones were compromised using a vulnerability in iMessage. These traces are consistent with the use of the NSO Group’s Megalodon/FORCEDENTRY zero-click exploit, which has previously been reported by Amnesty International and Citizen Lab. In September 2021, Apple patched Megalodon/FORCEDENTRY in iOS 14.8. The attacks in this report coincided with the time period when this vulnerability is known to have been exploited.
- Target: Lama Fakih
- Position: Crisis and Conflict director and director of the Beirut office at Human Rights Watch
- Approximate Dates Phone Hacked with Pegasus:
  - April 6, 2021
  - June 3, 2021
  - June 23, 2021
  - July 5, 2021
  - Around August 23, 2021
- Exploit: Megalodon/FORCEDENTRY iMessage zero-click 0-days
- SIM: Lebanese SIM on Touch Network
Targeting iPhone XS
The iPhone XS was used between January 2019 and July 2021. It was replaced by an iPhone 12 in July 2021.
The XS device was infected with Pegasus on three occasions:
- April 6, 2021
- June 3, 2021
- June 23, 2021
Table 1 shows records of suspicious processes found on the iPhone XS attributed to Pegasus. Human Rights Watch’s analysis is based on known indicators of processes linked to Pegasus. There may be other instances of infections using Pegasus processes that have not yet been identified.
| Date (UTC) | Event |
|---|---|
| 2021-04-06 05:16:33 | Traces related to iMessage exploitation observed before Pegasus processes ran on the device |
| 2021-04-06 05:17:30 | Process: MobileSMSd |
| 2021-04-06 05:17:34 | Process: ABSCarryLog |
| 2021-04-06 05:18:13 | Process: bfrgbd |
| 2021-04-07 17:07:33 | Process: bfrgbd |
| | |
| 2021-06-03 07:29:51 | Process: JarvisPluginMgr |
| 2021-06-03 07:29:59 | Process: wifip2ppd |
| 2021-06-03 07:30:42 | Process: frtipd |
| 2021-06-13 14:33:17 | Process: frtipd |
| | |
| 2021-06-23 07:30:46 | Process: gatekeeperd |
| 2021-06-23 07:31:28 | Process: logseld |
| 2021-06-23 07:30:46 | Process: vm_stats |
| 2021-06-23 11:48:56 | Process: logseld |
| 2021-06-23 15:51:40 | Process: logseld |
| 2021-06-23 20:09:53 | Process: logseld |
Targeting iPhone 12
The iPhone 12 was successfully infected with Pegasus on July 5, 2021, and August 23, 2021. Table 2 shows records of suspicious processes found on the iPhone 12 attributed to Pegasus.
| Date (UTC) | Event |
|---|---|
| 2021-07-05 06:47:10 | Traces related to iMessage exploitation observed before Pegasus processes ran on the device |
| 2021-07-05 06:47:11 | Process: gatekeeperd |
| 2021-07-05 06:47:20 | Process: CommsCenterRootH |
| 2021-07-05 06:47:36 | Process: mobileargd |
| 2021-07-05 11:45:25 | Process: mobileargd |
| 2021-07-05 12:09:47 | Process: mobileargd |
| | |
| 2021-08-23 14:15:41 | Unnamed process linked to Pegasus |
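The tables above are the output of a simple method: compare the names of processes recorded on the device against known Pegasus process indicators, then read the matches as infection events. The following is an added illustration of that method and of the idstatuscache.plist check described below; it is not Human Rights Watch's or Amnesty International's tooling. The indicator names are the ones the tables attribute to Pegasus, the log lines are constructed, and the 48-hour grouping window is an assumption.

```python
"""Added example, not part of the Human Rights Watch report: match process
records against the Pegasus process names the report's tables list, group
the hits into infection events, and flag unrecognised iMessage contacts."""
from datetime import datetime, timedelta

# Process names the report's Tables 1 and 2 attribute to Pegasus. The report
# notes that name matching alone may miss infections using other processes.
PEGASUS_PROCESS_IOCS = {
    "MobileSMSd", "ABSCarryLog", "bfrgbd", "JarvisPluginMgr", "wifip2ppd",
    "frtipd", "gatekeeperd", "logseld", "vm_stats", "CommsCenterRootH",
    "mobileargd",
}

# Constructed records in "<UTC timestamp> <process>" form, loosely modelled on
# Table 1; SpringBoard and backboardd are ordinary iOS processes used as noise.
SAMPLE_LOG = """\
2021-04-06 05:17:30 MobileSMSd
2021-04-06 05:17:34 ABSCarryLog
2021-04-06 05:18:13 bfrgbd
2021-04-06 09:00:00 SpringBoard
2021-05-12 18:21:05 backboardd
2021-06-03 07:29:51 JarvisPluginMgr
2021-06-03 07:29:59 wifip2ppd
2021-06-03 07:30:42 frtipd
"""


def parse_records(text):
    """Yield (timestamp, process) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, proc = line.split(maxsplit=2)
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), proc


def find_infection_events(text, iocs=PEGASUS_PROCESS_IOCS,
                          gap=timedelta(hours=48)):
    """Return indicator hits grouped into events: a hit within `gap` of the
    previous hit extends the current event, otherwise a new event starts.
    Each event is a dict with first/last timestamps and the process names."""
    events = []
    for ts, proc in parse_records(text):
        if proc not in iocs:
            continue
        if events and ts - events[-1]["last"] <= gap:
            events[-1]["last"] = ts
            events[-1]["processes"].append(proc)
        else:
            events.append({"first": ts, "last": ts, "processes": [proc]})
    return events


def unknown_imessage_contacts(idstatus_entries, known_contacts):
    """Return Apple IDs from an idstatuscache-style list that the device owner
    does not recognise, the check the report applied to the plist entry."""
    return sorted(e for e in idstatus_entries if e not in known_contacts)


if __name__ == "__main__":
    for ev in find_infection_events(SAMPLE_LOG):
        print(ev["first"], "->", ev["last"], ev["processes"])
```

For a real device, the authoritative indicator list and parser are the Amnesty International Security Lab IoCs and the MVT project linked at the end of this report; this block only shows the shape of the check.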
Analysis of the extracted phone data, specifically an iOS file called “com.apple.identityservices.idstatuscache.plist,” which contains a list that indicates when apps like Facetime and iMessage first established contact with other registered Apple IDs, revealed an entry showing an email address, provided below, that connected with Fakih’s Apple ID over iMessage. Fakih is not familiar with this address and never communicated with it, which makes it a suspicious account. The email address also matches the patterns used to register iCloud accounts in other known Pegasus attacks. Research into the infrastructure Pegasus relies on suggests that NSO Group may create those email and iCloud accounts on behalf of their clients.
A similar technique of compromising iPhones with Pegasus using the Megalodon/FORCEDENTRY exploit was documented in cases that Citizen Lab has linked to Saudi Arabia, a suspected NSO client. However, it is possible for other NSO clients to use the same technique.
Determining that a government is an NSO Group client is challenging because the company does not publish its client list and it is rare for governments to confirm they purchased Pegasus. However, the existence of a Pegasus operator in a country, confirmed cases of devices being targeted with Pegasus, and a pattern of unlawful and arbitrary surveillance of their citizens and external critics are good indicators that a government may be a client.
The email address is included in this report in case it is useful for others who are also investigating Pegasus attacks.
User: nielscherer[at]gmail[dot]com
Date: 2021-06-29 06:33 UTC
Use of Pegasus in Lebanon
Fakih is the first publicly reported confirmed case of Pegasus being used to target a worker for a nongovernmental organization in Lebanon. Previous known targets in Lebanon include:
- The New York Times bureau chief in Beirut, Ben Hubbard, was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021, according to forensic analysis carried out by Citizen Lab. Citizen Lab reported that the targeting resulted in confirmed Pegasus infections in July 2020 and June 2021. It concluded with high confidence that an iPhone belonging to Hubbard was successfully infected with Pegasus spyware on June 13, 2021, and found traces consistent with the FORCEDENTRY zero-click exploit that was used to infect Fakih’s devices. Hubbard has investigated rights abuses and corruption in Saudi Arabia and wrote a recent biography of the Saudi crown prince, Mohammed bin Salman.
- According to the Lebanese online magazine Daraj, which is a member of the Pegasus Project consortium, around 300 Lebanese phone numbers (country code +961) were included on a list of 50,000 numbers that Forbidden Stories and members of their consortium made public and identified as potential Pegasus targets. Le Monde reported that among the phone numbers on the list were those of President Michel Aoun; former Prime Minister Saad Hariri; former Minister of Foreign Affairs Gibran Bassil; Abbas Ibrahim, head of one of the main security services; the central bank governor, Riad Salamé; Hezbollah officials; and a plethora of ministers, journalists, and ambassadors. So far, none of these targets is confirmed through forensic analysis.
- NSO Group has denied that the list consisted of potential or actual Pegasus targets, but none of the Pegasus Project partners has retracted their reporting. A phone number belonging to Hubbard reportedly appeared on the Pegasus Project list in July 2019. However, according to Citizen Lab, forensic evidence is not available for this timeframe.
- An Al Akhbar journalist, Radwan Mortada, also posted on Twitter on November 24 and 26, 2021, that Apple notified him that state-sponsored attackers may be targeting his iPhone. Human Rights Watch has not verified whether his device was infected with Pegasus.
- According to a lawsuit against DarkMatter, an Emirati cybersecurity company that Reuters reported in 2019 was under investigation by the US Federal Bureau of Investigation, Ghada Oueiss, a Lebanese broadcast journalist at Al Jazeera, was infected with Pegasus in 2020. It’s unclear if she was in Lebanon or using a Lebanese number when targeted.
Resources for Checking Whether Devices Have Been Infected with Pegasus:
- Access Now’s Digital Security Helpline: https://www.accessnow.org/help/
- Contact Amnesty Security Team on share@amnesty.tech (for journalists and human rights defenders)
- MVT Project on GitHub: https://github.com/mvt-project/mvt
- How to backup and analyse iOS devices against Pegasus IOCs using Docker and MVT: https://defensive-lab.agency/2021/07/pegasus-ios-forensic/
For questions or to be in touch about the Human Rights Watch technical analysis, please contact infosec@hrw.org.