It is not known precisely when or how the phones were violated, the security researchers said. But four of the six hacked iPhones exclusively used SIM cards issued by Israeli telecom companies with Israeli +972 area code numbers, said the Citizen Lab and Amnesty researchers on Monday.
Asked about the allegations its software was used against the Palestinian activists, NSO Group said in a statement that it does not identify its customers for contractual and national security reasons, is not privy to whom they hack and sells only to government agencies for use against “serious crime and terror.”
The findings question claims by NSO Group that exported versions of Pegasus cannot be used to hack Israeli phone numbers. NSO Group has also said it does not target US numbers.
Tehilla Shwartz Altshuler, a legal expert at the Israel Democracy Institute, called the findings “really disturbing,” especially if it is proven that Israel’s security agencies, who are largely exempt from the country’s privacy laws, have been using NSO Group’s commercial spyware.
“This actually complicates the relationship of the government with NSO,” said Altshuler, if the government is indeed both a client and regulator in a relationship conducted under secrecy.
The revelation, disclosed by security researchers on Monday, marks the first known instance of Palestinian activists being targeted by the military-grade Pegasus spyware.
Other surveillance targets
The executive director of Frontline Defenders, Andrew Anderson, said the NSO Group cannot be trusted to ensure its spyware is not used illegally by its customers, and that Israel should face international reproach if it does not bring the company to heel.
“If the Israeli government refuses to take action then this should have consequences in terms of the regulation of trade with Israel,” he said via email.
Facebook has sued NSO Group over the use of a somewhat similar exploit that allegedly intruded via its globally popular encrypted WhatsApp messaging app.
A snowballing of new revelations about the hacking of public figures — including Hungarian investigative journalists, the fiancée of slain Saudi journalist Jamal Khashoggi and an ex-wife of the ruler of Dubai — has occurred since a consortium of international news organisations reported in July on a list of possible NSO Group surveillance targets.
The list was obtained from an unnamed source by Amnesty International and the Paris-based journalism nonprofit Forbidden Stories.
From that list of 50,000 phone numbers, reporters from various news organizations were able to confirm at least 47 additional successful hacks, The Washington Post has reported.
A successful Pegasus infection surreptitiously gives intruders access to everything a person stores and does on their phone, including real-time communications.