clock menu more-arrow no yes

Filed under:

New analysis further links Pegasus spyware to Jamal Khashoggi murder

Forensics suggest that a UAE government agency installed spyware on the phone of Hanan Elatr, Khashoggi’s wife, months before his death 

Illustration by Alex Castro / The Verge

New forensic analysis indicates that representatives of the United Arab Emirates government installed Pegasus spyware on the phone of Hanan Elatr, wife of murdered journalist Jamal Khashoggi, just months before her husband was killed. The analysis was conducted by Toronto-based privacy and security research laboratory Citizen Lab on behalf of The Washington Post, which reported the findings on Tuesday.

According to the Posts report, a forensic investigation of two Android phones owned by Elatr revealed that an unknown person used one of the phones to visit a website that uploaded Pegasus spyware onto the phone. This took place after security agents at the Dubai airport had confiscated the phone from Elatr. Further analysis from Citizen Lab suggested the website was controlled by NSO group on behalf of a customer in the United Arab Emirates, the report states.

NSO has denied that its spyware was used to target Khashoggi or his associates, including Hanan Elatr — but Citizen Lab’s analysis makes it hard to believe that claim. Phone numbers belonging to Elatr and to Khashoggi’s Turkish fiancée, Hatice Cengiz, were also found in a list of 50,000 numbers in a data leak that revealed potential targets of Pegasus spyware, although this alone does not confirm that the targeted number was compromised.

That leak was part of a larger investigation by a coalition of news outlets around the world. The investigation, branded The Pegasus Project, exposed widespread targeting of journalists, activists, and politicians, up to and including heads of state.

The list contained numbers belonging to hundreds more government officials, and a total of 180 journalists from outlets including CNN, The New York Times, Bloomberg, Le Monde, and El País were also included. A phone number belonging to French president Emmanuel Macron was among the numbers in the list, along with another belonging to South African president Cyril Ramaphosa and Pakistani prime minister Imran Khan.

The deep technical sophistication of surveillance exploits developed by NSO was recently revealed in a blog post from Project Zero, a Google security research group. The post gave details of a “zero-click” exploit for iMessage in which a target’s cellphone could be compromised simply by sending them an SMS message containing a link, without the need for the target to open or read the message.

As a spyware company, NSO’s operations have long been shrouded in secrecy. But in the face of mounting evidence of the company’s willingness to assist repressive and authoritarian regimes around the world — including surveilling American officials in some cases — the US government has begun to take action against the Israeli company.

NSO was recently placed on a blacklist by the US Department of Commerce, preventing US companies from providing NSO with goods or services. Some have called for more action from the administration in light of the threat presented by the growth of the spyware industry: one group of lawmakers has called for the imposition of stricter sanctions on NSO Group and other spyware companies, which would freeze bank accounts and bar employees from traveling to the United States.

“Fortunately, most journalists haven’t historically had to worry about attacks or surveillance from state-level adversaries,” said Parker Higgins, director of advocacy at Freedom of the Press Foundation. “Organizations like the NSO Group threaten to bring that level of danger to a much broader swath of reporters and sources.”