A huge information leak has revealed that several Muslim nations, including Saudi Arabia and the UAE, bought Israeli spyware which can be used as a cyber-surveillance weapon.
A joint investigation by several prominent media outlets suggests that Saudi Arabia, the UAE, Bahrain, Azerbaijan, Kazakhstan and Morocco bought the Israeli company NSO’s hacking spyware Pegasus which can be used to monitor mobile phones.
Human rights activists, journalists and lawyers across the world were targeted by governments using the hacking software, according to the investigation.
Pegasus is a malware that infects iPhones and Android devices to enable operators to extract messages, photos and emails, record calls and secretly activate microphones.
The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
The investigation uncovered new evidence that the spyware was used to try and monitor people close to murdered Saudi journalist Jamal Khashoggi both before and after his death.
In one case, a person in Khashoggi’s inner circle was hacked four days after his murder, according to peer-reviewed forensic analysis of her device.
Subscribe to our newsletter and stay updated on the latest news and updates from around the Muslim world!
The investigation points to an apparent attempt by Saudi Arabia and its close ally the United Arab Emirates to leverage NSO’s spy technology after Khashoggi’s death to monitor his associates and the Turkish murder investigation, even going so far as to select the phone of Istanbul’s chief prosecutor for potential surveillance.
The United Arab Emirates may have also used the Israeli spyware to hack a mobile phone belonging to the editor of the UK’s Financial Times newspaper.
Roula Khalaf was one of more than 180 journalists around the world selected as candidates for surveillance by government clients of the Israeli NSO group.
The investigation found that the UAE was also possibly behind the hacking of journalists at The Economist and Wall Street Journal, and may have deployed malware against a further 10,000 phone numbers belonging to activists and lawyers.
Both Morocco and the UAE selected more than 10,000 numbers, according to the analysis suggested.
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.”
The company says it sells only to military, law enforcement and intelligence agencies in 40 unnamed countries, and that it rigorously vets its customers’ human rights records before allowing them to use its spy tools.
The governments of Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, and the UAE did not respond to invitations to comment. Morocco denied using Pegasus.