As per an investigation into a massive data leak, human rights activists, journalists, and lawyers worldwide are being targeted by governments using Pegasus, a hacking software sold by Israeli surveillance company NSO group, the Guardian reported. The leak contains a list of over 50,000 phone numbers of people of interest to the clients of NSO since 2016. This includes business executives, religious figures, academics, employees of NGOs, trade union officials and government officials, including cabinet ministers, presidents and prime ministers, across 45 countries and four continents.
Forbidden Stories, a Paris-based media nonprofit organisation, and Amnesty International, who initially had access to the leaked list, shared access with media partners as part of the Pegasus project, a reporting consortium.
Pegasus is a malware that infects iPhones and Android devices enabling operators to extract messages, photos, and emails. The hacking spyware, which the company claims is intended to be used against criminals and terrorists, can also record calls and secretly activate microphones.
Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE) are believed to be its customers. However, Rwanda, Morocco, India, and Hungary, denied having made use of Pegasus. Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, and the UAE have not responded to the revelation yet. The most numbers were selected in Mexico, where multiple government agencies are known to have bought Pegasus, followed by UAE.
The list comprises the phone numbers of 180 journalists, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, The Economist, Associated Press and Reuters.
In India, the phone numbers of 40 journalists were targeted. The Wire analysed the data and revealed that most of the Indian names were added in the run-up to the Lok Sabha general elections between 2018 and 2019. While some journalists have been added more or less at the same time, others are single entries. Though the presence of a phone number in the data is not proof of whether a device was infected with Pegasus, the data is indicative of the potential targets of the governments identified in advance of possible surveillance attempts, the consortium believes.