Uncertainty about the nature of the list of 50K potential Pegasus targets created confusion and controversy, but doesn’t negate the investigation’s key findings (Kim Zetter/Zero Day)

uncertainty 50k zeroday

When more than a dozen media outlets published stories this week about a spy tool that targeted the phones of journalists, activists, and others, the public took note in ways it hadn’t in the past.

It wasn’t the first time articles about the Pegasus spy tool had been published; nor were the stories the first to reveal that NSO Group — the  Israeli company behind the tool — sold it to repressive regimes around the world, who used it to spy on dissidents and journalists, despite NSO claims to the contrary.

But this time the articles took hold for two reasons: The information was published simultaneously by a consortium of 17 media outlets in a blast of stories that have dominated the news cycle for several days. And the stories were based in large part on a massive list of 50,000 phone numbers that had been leaked to the consortium, a list that has become highly controversial because of mysteries surrounding the identity of the leaker and the identity of the person or people who created the list.

To give readers a little clarity about the list and its revelations, I’ve laid out what we do and don’t know about it and how it might have been used.

What is Pegasus?

Pegasus is powerful surveillance software that can steal passwords for accounts and siphon content from phones — such as contacts and call records, emails, text messages, photos, and stored audio recordings. It can also grab screenshots and monitor browsing activity, surreptitiously enable the phone’s mic for real-time monitoring of conversations, or turn on the camera to capture images of people in the phone’s vicinity and their environment.

The software can be planted on phones remotely by sending a text message to the phone with a link — when the user clicks on the message it takes their phone’s browser to a malicious site that downloads the malware. Or it can be planted on phones with what’s called a zero-click exploit. A zero-click exploit is malware that can be sent via an iMessage, for example, that doesn’t require the user to interact with it at all before it installs the spyware on their phone.

NSO Group says Pegasus is sold only to governments and law enforcement agencies for purposes of tracking terrorists, pedophiles and other criminals. But a number of repressive regimes with poor human rights records have been caught using the tool to spy on human rights activists, journalists and anyone else who is critical of their regime.

What exactly is this list?

The list contains about 50,000 phone numbers, which belong to people who are largely based in countries with regimes that are known to spy on their citizens and are also known to be or have been at one time NSO customers, according to the Post.

Someone leaked the list to Forbidden Stories, a collaborative non-profit journalism organization based in France. Forbidden Stories and the human rights group Amnesty International then shared the list with more than 80 journalists from 17 media organizations who worked to identify the owners of the phone numbers and track them down, under the banner of the Pegasus Project. The consortium was able to identify the owners of about 1,000 phones in more than 50 countries, according to the Post, and found that the list included several heads of state, cabinet ministers, diplomats, 85 human rights activists, 189 journalists, 65 business executives, military officers and others of note. The latter includes the former wife of assassinated journalist Jamal Khashoggi, and Princess Latifa bint Mohammed al-Maktoum, daughter of Dubai’s ruler, who plotted an elaborate escape from her country and family in 2018, only to be captured and returned home.


Related Posts