uncertainty 50k zeroday
When more than a dozen media outlets published stories this week about a spy tool that targeted the phones of journalists, activists, and others, the public took note in ways it hadn’t in the past.
It wasn’t the first time articles about the Pegasus spy tool had been published; nor were the stories the first to reveal that NSO Group — the Israeli company behind the tool — sold it to repressive regimes around the world, who used it to spy on dissidents and journalists, despite NSO claims to the contrary.
But this time the articles took hold for two reasons: The information was published simultaneously by a consortium of 17 media outlets in a blast of stories that have dominated the news cycle for several days. And the stories were based in large part on a massive list of 50,000 phone numbers that had been leaked to the consortium, a list that has become highly controversial because of mysteries surrounding the identity of the leaker and the identity of the person or people who created the list.
To give readers a little clarity about the list and its revelations, I’ve laid out what we do and don’t know about it and how it might have been used.
What is Pegasus?
The software can be planted on phones remotely by sending a text message to the phone with a link — when the user clicks on the message it takes their phone’s browser to a malicious site that downloads the malware. Or it can be planted on phones with what’s called a zero-click exploit. A zero-click exploit is malware that can be sent via an iMessage, for example, that doesn’t require the user to interact with it at all before it installs the spyware on their phone.
NSO Group says Pegasus is sold only to governments and law enforcement agencies for purposes of tracking terrorists, pedophiles and other criminals. But a number of repressive regimes with poor human rights records have been caught using the tool to spy on human rights activists, journalists and anyone else who is critical of their regime.
What exactly is this list?
Someone leaked the list to Forbidden Stories, a collaborative non-profit journalism organization based in France. Forbidden Stories and the human rights group Amnesty International then shared the list with more than 80 journalists from 17 media organizations who worked to identify the owners of the phone numbers and track them down, under the banner of the Pegasus Project. The consortium was able to identify the owners of about 1,000 phones in more than 50 countries, according to the Post, and found that the list included several heads of state, cabinet ministers, diplomats, 85 human rights activists, 189 journalists, 65 business executives, military officers and others of note. The latter includes the former wife of assassinated journalist Jamal Khashoggi, and Princess Latifa bint Mohammed al-Maktoum, daughter of Dubai’s ruler, who plotted an elaborate escape from her country and family in 2018, only to be captured and returned home.