The mobile phone of a UN-backed investigator who was examining possible war crimes in Yemen was targeted with spyware made by Israel’s NSO Group, a new forensic analysis of the device has revealed.
Kamel Jendoubi, a Tunisian who served as the chairman of the now defunct Group of Eminent Experts in Yemen (GEE)– a panel mandated by the UN to investigate possible war crimes – was targeted in August 2019, according to an analysis of his mobile phone by experts at Amnesty International and the Citizen Lab at the University of Toronto.
The targeting is claimed to have occurred just weeks before Jendoubi and his panel of experts released a damning report which concluded that the Saudi-led coalition in the Yemen war had committed “serious violations of international humanitarian law” that could lead to “criminal responsibility for war crimes”.
Jendoubi’s mobile number also appears on a leaked database at the heart of the Pegasus Project, an investigation into NSO by the Guardian and other media outlets, which was coordinated by Forbidden Stories, the French non-profit media group.
The leaked list contained numbers of individuals who were believed to have been selected as potential surveillance targets by NSO’s government clients.
What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a “target” to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent “targets” of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Thank you for your feedback.
The data suggests that Jendoubi was selected as a potential surveillance target by Saudi Arabia, which was a longtime client of NSO before it was dropped earlier this year after allegations that it abused the surveillance tool.
In a statement in response to questions about Jendoubi’s case, an NSO spokesperson said: “Based on the details you have provided us we can confirm that Kamel Jendoubi was not targeted by any of our current customers”.
Jendoubi, a human rights defender and opponent of former president Ben Ali’s regime in Tunisia, was appointed by the Office of the UN high commissioner for Human Rights to lead a group of international experts to investigate human rights violations in 2017.
The UN mandate to investigate the possible war crimes came to an abrupt halt this October, after the members of the Human Rights Council voted to end the investigation.
Citing political and diplomatic experts with close knowledge of the matter, the Guardian reported earlier this month that Saudi Arabia used “incentives and threats” as part of a lobbying campaign to shut down the UN investigation.
Jendoubi told the Pegasus Project that the targeting of his phone marked the actions of a “rogue state”.
“There are no other words. As international investigators, we are supposed to be at least protected. But I am not at all surprised. I’ve been apprehensive about this since 2019,” he said.
“We knew that we [the panel] could be potentially targeted since the publication of our 2018 report. That report had created a shock in Saudi Arabia and the UAE. They did not expect such findings.”
Jendoubi added: “They used all their propaganda, their media … to defame us and discredit our work. Everything you would expect from them. Until the 2021 vote that ended our mission.”
The investigator said he did not believe that his work had been compromised on the targeted phone because he had used another device to conduct his investigations. He said the targeting of his phone was indicative of a state that did not care about “commitments and minimum international rules”.
Melissa Parke, an expert investigator on the GEE and former Australian MP, said in response to the news of Jendoubi’s targeting: “If only this extraordinary technology and energy could be applied for the benefit of the people of Yemen, instead of the reverse. The calls for accountability for crimes committed in Yemen will only increase in the wake of these revelations.”
The Pegasus Project approached Jendoubi after it was confirmed that his mobile number was listed in the leaked database.
Experts at Amnesty International’s Security Lab and Citizen Lab, who research sophisticated digital surveillance attacks, found traces of Pegasus on Jendoubi’s mobile phone, which also correlated to a timestamp in the database that indicated when the number was selected.
The experts said the forensic analysis showed that a client of NSO had attempted to hack the device.
There was no clear evidence that the mobile had successfully been hacked or data exfiltrated, however, because that data could not be retrieved.
If a phone is infected with NSO’s signature spyware, called Pegasus, operators of the spyware have total access, including the ability to intercept phone calls, read text messages, infiltrate encrypted apps and track an individual’s physical location. The spyware can also turn a mobile into a listening device by remotely controlling the mobile’s recorder.
NSO has staunchly denied that the leaked database at the heart of the Pegasus Project is in any way connected to the company or its clients. NSO has also said that its government clients are only meant to use its surveillance tools to fight serious crime and terrorism and that it investigates credible allegations of misuse.
A spokesperson for the Saudi embassy in Washington did not respond to a request for comment.
The revelation that Jendoubi’s phone was targeted drew a tepid response from the office of UN secretary general António Guterres. A UN spokesperson said Jendoubi was an independent expert and that the UN would leave it to him to comment more specifically on his own situation.
“More generally, regarding Pegasus, the UN has been in touch with relevant parties to ensure that our communications are protected. We take very seriously the need to uphold the security of all our communications and have been following up on all reports of potential hacking,” said Farhan Aziz Haq.
Rupert Colville, spokesperson for Michelle Bachelet, the UN High Commissioner for Human Rights, said: “The targeting of human rights defenders, journalists and politicians is just another example of how tools allegedly meant to address security risks can end up being weaponised against people with dissenting opinions.”
Agnes Callamard, the secretary general of Amnesty International, who previously served as a UN special rapporteur, called the news of Jendoubi’s alleged targeting “shocking and unacceptable”.
“That he was targeted in the course of inquiry into violations by all parties to an armed conflict and at the hands of a lead party to that conflict? That alleged conduct demonstrates far more than cynicism and callous disregard for the principle of accountability, although it certainly does that,” Callamard said.
“It suggests further reprehensible evidence of the Saudi authorities’ utter disregard for international law, their willingness to do anything to maintain their impunity, and it demonstrates yet again a complete disrespect for the United Nations, multilateral instruments and human rights procedures.”
Stephanie Kirchgaessner in Washington