How Does Pegasus Work?


By Phineas Rueckert

This article has been reposted with permission from Forbidden Stories.

Khadija Ismayilova’s home in Baku had become like a prison. In Azerbaijan, an oil-rich nation nestled next to the Caspian Sea that since 2014 has increasingly stifled free speech and dissent, Ismayilova’s investigations into the ruling family had made her a prime target of her own government.

The Azerbaijani investigative journalist knew she was constantly being watched – and had been told as much by friends and family who had been asked to spy on her.

The authorities had thrown the book at her: surreptitiously installing cameras in her home to film her during sex; arresting her and accusing her of driving a colleague to suicide; and eventually charging her with tax fraud and sentencing her to seven years in prison.

She was released on bail after 18 months and banned from leaving the country for five years.

So in May 2021, at the end of the travel ban, when Ismayilova packed away her belongings and boarded a plane to Ankara, Turkey, she may have thought she was leaving all of that behind.

Little did she know the most invasive spy was coming with her.

For nearly three years, Khadija Ismayilova’s phone was regularly infected with Pegasus, a highly sophisticated spyware tool developed by Israeli company NSO Group that gives clients access to the entirety of a phone’s contents and can even remotely access the camera and microphone, according to a forensic analysis by Amnesty International’s Security Lab, in partnership with Forbidden Stories.

“All night I’ve been thinking about what did I do with my phone,” she told journalists from her temporary home in Ankara the day after learning her phone had been compromised. “I feel guilty for the messages I’ve sent. I feel guilty for the sources who sent me [information] thinking that some encrypted messaging ways are secure and they didn’t know that my phone is infected.”

“My family members are also victimized,” she added. “The sources are victimized, people I’ve been working with, people who told me their private secrets are victimized.”

Khadija Ismayilova (on left), with Pegasus Project journalist Miranda Patrucic from the OCCRP, when she learned her phone was regularly infected with Pegasus for nearly three years. (Credit: PBS/FORBIDDEN FILMS)

The Pegasus Project

Ismayilova is one of nearly 200 journalists around the world whose phones have been selected as targets by NSO clients, according to the Pegasus Project, an investigation released today by a global consortium of more than 80 journalists from 17 media outlets in 10 countries, coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.

Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance. According to an analysis of these records by Forbidden Stories and its partners, the phones of at least 180 journalists were selected in 20 countries by at least 10 NSO clients. These government clients range from autocratic (Bahrain, Morocco and Saudi Arabia) to democratic (India and Mexico) and span the entire world, from Hungary and Azerbaijan in Europe to Togo and Rwanda in Africa. As the Pegasus Project will show, many of them have not been afraid to select journalists, human rights defenders, political opponents, businesspeople and even heads of state as targets of this invasive technology.

Citing “contractual and national security considerations,” NSO Group wrote in a letter to Forbidden Stories and its media partners that it “cannot confirm or deny the identity of our government customers.” Forbidden Stories and its media partners reached out to each of the government clients cited in this project, all of whom either failed to respond to the questions by the deadline or denied being clients of NSO Group.

It is impossible to know whether a specific phone number appearing in the list was successfully compromised without analyzing the device. However, Amnesty International’s Security Lab, in partnership with Forbidden Stories, was able to perform forensic analyses on the phones of more than a dozen of these journalists – and 67 phones in total – revealing successful infections through a security flaw in iPhones as recently as this month.

The leaked phone numbers, which Forbidden Stories and its partners analyzed over months, reveal for the first time the staggering scale of surveillance of journalists and human rights defenders – despite NSO Group’s repeated claims that its tools are exclusively used for targeting serious criminals and terrorists – and confirm the fears of press advocates about the scope of spyware being used against journalists.

“The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” said Agnes Callamard, secretary general of Amnesty International. “It is about controlling public narrative, resisting scrutiny, suppressing any dissenting voice.”

Journalists appearing in these records have received legal threats, others have been arrested and defamed, and some have had to flee their countries due to persecution – only to later find that they were still under surveillance. In rare cases journalists have been killed after having been selected as targets. Today’s revelations make clear that the technology has emerged as a key tool in the hands of repressive government actors and the intelligence agencies that work for them.

“Putting surveillance on a journalist has a very strong chilling effect,” Carlos Martinez de la Serna, program director at the Committee to Protect Journalists, told Forbidden Stories. “This is a very, very important problem that everyone needs to take seriously, not only in context of where journalists are working in a hostile environment for journalism, but in the US and Western Europe and other places.”

Countries where journalists were selected as targets. (Credit: FORBIDDEN STORIES)

NSO Group, in a written response to Forbidden Stories and its media partners, wrote that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories” and reiterated that the company was on a “life-saving mission.”

“NSO Group firmly denies false claims made in your report which many of them are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story,” the company wrote. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”

“The alleged amount of ‘leaked data of more than 50,000 phone numbers,’ cannot be a list of numbers targeted by governments using Pegasus, based on this exaggerated number,” NSO Group added.

In a legal letter sent to Forbidden Stories and its media partners, NSO Group also wrote: “NSO does not have insight into the specific intelligence activities of its customers, but even a rudimentary, common sense understanding of intelligence leads to the clear conclusion that these types of systems are used mostly for purposes other than surveillance.”

As dangerous as a suspected terrorist

For Szabolcs Panyi, an investigative journalist at Direkt36 in Hungary, learning that his cell phone had been infected with Pegasus spyware was “devastating.”

“There are some people in this country who consider a regular journalist as dangerous as someone suspected of terrorism,” he told Forbidden Stories over an encrypted line of communication.

Panyi is in his mid-30s. He wears round-frame glasses and has short stubble. The award-winning journalist has reported on defense, foreign affairs and other sensitive subjects and has a rolodex of thousands of contacts across multiple countries, including the United States, where he spent a year on a Fulbright scholarship – making him an ideal target for intelligence services, who are known to be distrustful of US influence in Hungary.

Panyi was working on two major scoops during the time his phone was compromised in 2019. Forbidden Stories, in partnership with Amnesty International’s Security Lab, was able to confirm successful infections of his phone over a 9-month period from April to December. These infections, Panyi said, often matched his official requests for comment and important meetings with sources.

Hungarian journalist Szabolcs Panyi. (Credit: ANDRAS PETHO, DIREKT36)

One of the digital intrusions occurred when he was meeting with a Hungarian photojournalist who had been serving as a fixer for a reporter from a US-based news outlet working on a story about the International Investment Bank, a Russia-backed bank that in 2019 was pushing to establish branches in Budapest.

Around that time, the photojournalist fixer was also selected as a target, according to the records accessed by Forbidden Stories.

“It’s real likely that those who are operating this system were interested in what these Hungarian and American journalists were going to write about this Russian bank,” Panyi said.

Like Panyi, many journalists who are the subject of digital threats and cyber surveillance are interesting to state intelligence agencies on account of their sources, according to Igor Ostrovskiy, a private investigator in New York City who previously spied on journalists including Ronan Farrow, Jodi Kantor and Wall Street Journal reporter Bradley Hope as a subcontractor for the Israeli company Black Cube and now trains journalists in information security.

“We all know that journalists have a ton of information passing through their hands so that could be why state security could be interested,” he said. “State security could be interested in who’s leaking inside the government, or inside of a business that’s vital to the government, and they might be looking for that source.”

Halfway around the world, the phone of Paranjoy Guha Thakurta, an Indian investigative journalist and author of a number of books about Indian business and politics, was hacked in 2018. Thakurta told Forbidden Stories that he often spoke with sources on the condition of anonymity, and said that at the time of his targeting he was working on an investigation into the finances of the late Dhirubhai Ambani, formerly the richest man in India.

“They would know who our sources were,” Thakurta said. “The purpose of getting into my phone and looking at who are the people I’m speaking to would be to find out who are the individuals who have been providing information to me and my colleagues.”

Thakurta is one of at least 40 Indian journalists selected as targets of an NSO client that appears to be the Indian government, based on the consortium’s analysis of the leaked data.

The Indian government has never confirmed or denied being a client of NSO Group. “The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever,” wrote a spokesperson for the Ministry of Electronics and Information Technology in a response to detailed questions sent by Forbidden Stories and its partners.

While previous reporting showed four journalists among the 121 Pegasus targets revealed in India in 2019, the records accessed by Forbidden Stories show that this surveillance may have been much more extensive. More than 2,000 Indian and Pakistani numbers were selected as targets between 2017 and 2019, among them Indian journalists from nearly every major media outlet, including The Hindu, Hindustan Times, the Indian Express, India Today, Tribune, and The Pioneer. Local journalists were also selected as targets, including Jaspal Singh Heran, the editor in chief of a Punjab-based outlet that publishes only in Punjabi.

The phones of two of the three cofounders of the independent online news outlet The Wire – Siddharth Varadarajan and MK Venu – were both infected by Pegasus, with Venu’s phone hacked as recently as July. A number of other journalists who work for or have contributed to the independent news outlet – including columnist Prem Shankar Jha, investigative reporter Rohini Singh, diplomatic editor Devirupa Mitra and contributor Swati Chaturvedi – were all selected as targets, according to the records accessed by Forbidden Stories and its partners, which include The Wire.

“It was alarming to see so many names of people linked to The Wire, but then there are lots of people not linked to the Wire,” Varadarajan, whose phone was compromised in 2018, said. “So this seems to be a general predisposition towards subjecting journalists to high level surveillance on the part of the government.”

Many of the journalists who spoke with Forbidden Stories and its partner news organizations expressed dismay at having learned that despite the precautions they had taken to secure their devices – such as using encrypted messaging services and updating their phones regularly – their private information was still not secure.

“We’ve been recommending each other this tool or that tool, how to keep [our phones] more and more secure from the eyes of the government,” Ismayilova said. “And yesterday I realized that there is no way. Unless you lock yourself in [an] iron tent, there is no way that they will not interfere into your communications.”

Panyi worried that the public knowledge of his targeting could dissuade sources from getting in contact with him in the future.

“It’s every journalist who has been targeted’s concern that once it’s revealed that you were surveilled and even our confidential messages could have been compromised, who the hell is going to talk to us in the future?” he asked. “Everyone will think that we’re toxic, that we’re a liability.”

“Reading over your shoulder”: How Pegasus is used to spy on journalists in zero clicks

The forensic analyses by Amnesty International’s Security Lab of cell phones targeted with Pegasus as part of the Pegasus Project are consistent with past analyses of journalists targeted through NSO’s spyware, including the dozens of journalists allegedly hacked in the UAE and Saudi Arabia and identified by Citizen Lab in December of last year.

“There are a bunch of different pieces, essentially, and they all fit together very well,” Claudio Guarnieri, director of Amnesty International’s Security Lab, said. “There’s no doubt in my mind that what we’re looking at is Pegasus because the characteristics are very distinct and all of the traces that we see confirm each other.”

In all, the Committee to Protect Journalists (CPJ) had previously documented 38 cases of spyware – developed by software companies in four countries – used against journalists in nine countries since 2011.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF), was one of the first security researchers to identify and document cyber attacks against journalists and human rights defenders in Mexico, Vietnam and elsewhere in the early 2010s.

At the time, most malware attacks were less sophisticated than they are today, she explained.

“Back in 2011, you would receive an email and the email would go to your computer and the malware would be designed to install itself on your computer,” she said.

It wasn’t until around 2014 that a “mobile-first” approach to spying on journalists gained popularity, as smartphones became more ubiquitous, she said. Clients of companies like NSO, Hacking Team and FinFisher used “social engineering” to send specifically crafted messages to targets, often baiting them with information about potential scoops or targeted information about members of their families. Targets would have to click a link in order for the malware to be installed onto their phones.

Journalists are obvious targets for intelligence agencies, Ostrovskiy said, because they are always seeking new sources of information – opening themselves up to phishing attempts – and because many often don’t follow “industry best practices on digital security.”

Some of the first Pegasus infections of journalists were identified in Mexico in 2015 and 2016.

In January 2016, Carmen Aristegui, an investigative journalist in Mexico and the founder of Aristegui Noticias, began to receive messages with suspicious links after she published an investigation into property owned by former Mexican President Enrique Peña Nieto.

Aristegui received more than 20 text messages containing malicious Pegasus links, digital rights group Citizen Lab would later reveal in the 2017 Gobierno Espia (“Government Spying”) report. According to the report, the phones of a number of her colleagues and family members were also targeted with text messages containing malicious links during that same time period, including those of colleagues Sebastian Barragan and Rafael Cabrera and her son Emilio Aristegui – just 16 years old at the time.

Forbidden Stories and its partners were able to identify for the first time three other people close to Aristegui who were selected as targets for surveillance in 2016: her sister Teresa Aristegui, her CNN producer Karina Maciel and her former assistant Sandra Nogales.

“It was a huge shock to see others close to me in the list,” Aristegui, who was part of the Pegasus Project, said. “I have six siblings, but at least one of them, my sister, was entered into the system. My assistant Sandra Nogales, who knew everything about me – who had access to my schedule, all of my contacts, my day-to-day, my hour-to-hour – was also entered into the system.”