Spyware found on journalist's phone days after maker's anti-abuse pledge
Technologists who discovered spyware made by an Israeli company targeting journalists in several itarian countries said they found the same spyware used against a Moroccan journalist three days after the company announced a policy against such uses.
Amnesty International's Security Lab, the forensic technology arm of the human rights organization, said it found telltale signs that NSO Group's Pegasus software had been used to infect the cellphone of an award-winning Moroccan journalist and human rights defender, Omar Radi. On Sunday, the group released its analysis of Radi's phone.
In its report, Amnesty said its research "demonstrates NSO Group's continued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy." Because NSO says it sells its software only to governments, Amnesty assumes the surveillance was conducted by Moroccan ities.
In a statement, a company spokesman said: "NSO is deeply troubled by the allegations in the Amnesty International letter. We are reviewing the information therein and will initiate an investigation if warranted." It would not confirm or deny whether Morocco is a client.
The Moroccan government did not respond to requests for comment from The Washington Post.
NSO says it markets its tools to governments for fighting terrorism and crime. Israel classifies Pegasus as a weapon and must approve any exports of the technology. The software can surreptitiously gain access to a phone's camera, microphone, text messages, emails and location information.
NSO has become the target of intense scrutiny by nongovernmental technologist groups and journalists in recent years, and lawsuits have said Pegasus software was used against nonviolent dissidents, journalists and human right activists.
The firm, founded in 2010, has denied that its products have been misused and has said it conducts due diligence of potential clients. NSO software was instrumental in the capture of Mexican cartel leader Joaquin "El Chapo" Guzman.
In 2018, the Citizen Lab at the University of Toronto's Munk School issued a report alleging that Pegasus was used by six countries with a record of spyware abuse against civil society: Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.
A lawsuit filed in Israel by a Saudi dissident says Saudi ities used Pegasus to infect his phone and track his friend Washington Post contributing columnist Jamal Khashoggi before Khashoggi was killed and dismembered on orders, U.S. intelligence officials concluded, of Crown Prince Mohammed bin Salman. WhatsApp, a communications application owned by Facebook, also is suing NSO, alleging it inserted spy software through its application in violation of federal anti-hacking laws.
NSO in September adopted a policy pledging to continue to uphold United Nations human rights standards, to conduct due diligence before sales, to forgo sales if the risk of abuse of its software is high and to investigate serious allegations of abuse of its software.
David Kaye, the U.N. special rapporteur for human rights, said in an interview that NSO's new human rights policy "is a first step" but that "there is nothing about their statement that's enforceable by anyone outside the company." NSO has declined to make public the list of countries that use Pegasus or details about the technology, saying both are confidential.
In the Radi case, Amnesty said it discovered the same type of "network injection" attacks it had documented against another Moroccan journalist, Maati Monjib, in 2019. During such an attack, the software hijacks the victim's browser momentarily and reroutes the victim's request for a particular website to one that is infected by the spyware.
Radi, who works for the LeDesk media outlet, was arrested by Moroccan ities in December 2019. He was charged with "insulting a public servant" for a tweet he posted that criticized a judge who had convicted 43 people and sentenced them up to 20 years in prison for their participation in a 2017 protest in the northern Rif region. Radi was convicted of the charge and given a four-month suspended sentence. Morocco, a monarchy with an elected legislature, has in recent years increasingly cracked down on speech, independent media and protests.
In an interview, Radi,who lives in Rabat, said his job has been hampered by the government surveillance and publication of some of his private conversations on a website he described as friendly to police ities.
"The biggest negative effect is that it makes people reluctant to talk," he said. "It's a deterrent if they know that I'm being bugged."
Other Moroccan journalists have reported having their cellphones infected with spyware when they clicked on a link. In Radi's case, he said he was using the Twitter app to visit the Ministry of Justice website when the website address went "change, change, change. . . . That's when I got infected."
Bill Marczak, a senior research fellow at Citizen Lab who read the Amnesty report on the Radi case, called its technical analysis "very compelling" and said the method of inserting Pegasus software when calling up a website was harder for a cellphone user to detect. "It's very scary, the prospect that visiting a benign website can become a vector for [infecting] your phone."
Radi said government surveillance has become an expected part of journalists' life in Morocco. "You have to live with it," he said. "It's like the coronavirus."
Amnesty's report was released to Forbidden Stories, an international consortium of journalists, including The Post, which investigates threats and violence against journalists.
New York Times journalist targeted by spyware linked to Saudi Arabia, according to report
Khashoggi friend sues Israeli firm over hacking he says contributed to the journalist's killing
Washington must wake up to the abuse of software that kills
Subscribe to The Post Most newsletter for the most important and interesting stories from The Washington Post.