Pegasus Spyware Used Against Dozens of Activist Women in the Middle East

The attacks add to a growing catalog of shame for spyware-maker NSO Group.

An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv. - Apple iPhone owners, earlier in the week, were urged to install a quickly released security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by cyber arms dealers.Lookout and Citizen Lab worked with Apple on an iOS patch to defend against what was called "Trident" because of its triad of attack methods, the researchers said in a joint blog post.Trident is used in spyware referred to as Pegasus, which a Citizen Lab investigation showed was made by an Israel-based organization called NSO Group. (Photo by JACK GUEZ / AFP) (Photo by JACK GUEZ/AFP via Getty Images)
A woman with her iPhone is seen in front of the NSO Group building on Aug. 28, 2016, in Herzliya, Israel. Photo: Jack Guez/AFP via Getty Images

Dozens of women journalists and human rights defenders in Bahrain and Jordan have had their phones hacked using NSO Group’s Pegasus spyware, according to a report by Front Line Defenders and Access Now.

The report adds to a growing public record of Pegasus misuse globally, including against dissidents, reporters, diplomats, and members of the clergy. It also threatens to increase pressure on the Israel-based NSO Group, which in November was placed on a U.S. trade blacklist.

“When governments surveil women, they are working to destroy them,” wrote Marwa Fatafta, Middle East and North Africa policy manager at Access Now, in a statement accompanying the report. “Surveillance is an act of violence. It is about exerting power over every aspect of a woman’s life through intimidation, harassment, and character assassination. The NSO Group and its government clients are all responsible, and must be publicly exposed and disgraced.”

NSO Group was placed on the trade blacklist after a consortium of journalists working with the French nonprofit Forbidden Stories reported multiple cases in which journalists and activists appear to have been targeted by foreign governments using the spyware. (NSO denied the allegations.) The same month, researchers from Amnesty International and the University of Toronto’s Citizen Lab said they found Pegasus on the phones of six Palestinian human rights activists. Last week, another Citizen Lab report found that dozens of Salvadoran human rights activists’ phones had been hacked using Pegasus.

Pegasus is breathtaking in its ability to take complete control of a device without detection and is often referred to as “military grade” spyware. Researchers have said that it can access every message the subject has sent and received, including from encrypted messaging services; it can also access the camera and microphone, record the screen, and monitor the subject’s location via GPS.

Apple sued NSO Group in November, trying to stop the company’s software from compromising its operating systems. That followed a similar suit from Facebook in 2019 alleging that the company was hacking the social media giant’s WhatsApp messaging service.


How to Defend Yourself Against the Powerful New NSO Spyware Attacks Discovered Around the World

NSO Group did not immediately respond to a request for comment on the new report. But earlier this week, in the wake of the El Salvador research, it said that it only grants licenses to government intelligence and law enforcement agencies following “a process of investigation and licensing” by the Israeli Ministry of Defense. The company added that the use of its cybersecurity tools to monitor dissidents, activists, and journalists is a serious misuse of that technology.

In a study published in December 2020, Citizen Lab identified 25 countries whose governments had acquired surveillance systems from Circles, a company affiliated with NSO Group: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates, Vietnam, Zambia, and Zimbabwe.

The hacks of the activists in Jordan and Bahrain now add two more countries to the list.

Beaten by Police Then Hacked Eight Times

The report documents how Pegasus can have a particularly egregious impact on women, who are disproportionately vulnerable to the weaponization of personal information when governments seek to intimidate, harass, and publicly smear dissidents.

It details the case of Ebtisam al-Saegh, a renowned human rights defender who works in Bahrain with the advocacy group SALAM for Democracy and Human Rights. Al-Saegh’s iPhone was hacked at least eight times between August and November 2019 with Pegasus spyware, according to the researchers.

The privacy violations extended what the report described as brutal harassment by Bahraini authorities. On May 26, 2017, the report said, Bahrain’s National Security Agency summoned al-Saegh to the Muharraq Police Station. Interrogators subjected her to verbal abuse and physically beat and sexually assaulted her. They threatened her with rape if she did not halt her human rights activism. Upon release, she was immediately taken to a hospital.

“I am in a state of daily fear and terror after I was informed by Front Line Defenders that I was spied on.”

“I am in a state of daily fear and terror after I was informed by Front Line Defenders that I was spied on,” the report quotes al-Saegh as saying. “I started to be afraid of having the phone next to me, especially when I am in the bedroom or even at home among my family, my children, my husband.”

Front Line Defenders’ forensic investigation found that al-Saegh’s phone was compromised multiple times in August 2019 (on August 8, 9, 12, 18, 28, and 31); on September 19, 2019; and on November 22, 2019. Traces of process names linked to Pegasus were identified on her phone, such as “roleaccountd,” “stagingd,” “xpccfd,” “launchafd,” “logseld,” “eventstorpd,” “libtouchregd,” “frtipd,” “corecomnetd,” “bh,” and “boardframed.” Amnesty International’s Security Lab and the Citizen Lab have both attributed these process names to the NSO spyware.

Another victim described in the report is Hala Ahed Deeb, a human rights activist and member of the legal team defending the Jordan Teachers’ Syndicate, one of the country’s largest labor unions. The Jordanian government dissolved the union in December 2020 in response to mass protests. Deeb’s phone was compromised by Pegasus on March 16, 2021, according to the report.

Other victims mentioned in the report include Emirati activist Alaa al-Siddiq, Alaraby journalist Rania Dridi, and Al Jazeera broadcast journalist Ghada Oueiss.

The report calls for an “immediate moratorium on the use, sale, and transfer of surveillance technologies produced by private firms until adequate human rights safeguards and regulation is in place” and a “move to take serious and effective measures against surveillance technology providers like NSO Group.”

Join The Conversation