Ultra-intrusive spyware targeting journalists and activists has UK links

Woman with face hidden holding out phone
Support us and go ad-free

Produced by Israeli company NSO, the ultra-intrusive Pegasus spyware targets journalists, dissidents, and human rights advocates. There’s now evidence that UK servers are implicated in the transmission of the spyware.

Spyware condemned by Snowden

The Pegasus Project is investigating the spyware. The project began when more than 50,000 phone numbers “believed to be… targets of NSO Group’s phone hacking software” were leaked to Amnesty International.

The project includes 80 journalists from “Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline”.

NSA whistleblower Edward Snowden warns that the spyware could target millions:

If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.


The Pegasus Project found that:

of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.

Read on...

Support us and go ad-free

Indeed, the Washington Post reports that:

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar

How Pegasus infects phones

The spyware is implanted into a phone via a malicious clickable link. Organized Crime and Corruption Reporting Project (OCCRP) explains how:

Once implanted on a user’s phone, the system can collect a stunning range of information, including photos, emails, contacts, and data transmitted over other apps, like Facebook and WhatsApp. It can even record live audio and video.

Former US intelligence cyber engineer Timothy Summers further explains that once it’s been implanted into a device Pegasus:

hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population.

Other means of intrusion

As well as gaining access to all the data on a target’s phone, Pegasus also:

monitors the keystrokes on an infected device – all written communications and web searches, even passwords – and returns them to the client, while also providing access [to] the phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.

Further, for Pegasus to grab data it requires “only an unanswered phone call or a message to embed itself onto a device”.

OCCRP explains that Pegasus takes advantage of these ‘zero-click exploits’ (or zero-click attacks), which:

rely on bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message.

Claudio Guarnieri, from Amnesty International’s Security Lab, said “These zero-click exploits constitute the majority of cases we’ve seen since 2019”.

UK implicated

Meanwhile, Amnesty International published its peer reviewed forensic report on Pegasus on 18 July 2021. It states that:

Pegasus infrastructure primarily consists of servers hosted at datacentres located in European countries. The countries hosting the most infection domain DNS servers included Germany, the United Kingdom, Switzerland, France, and the United States (US). [Emphasis added]

Amnesty adds that there are 79 servers in the UK that are involved in the transmission of the spyware. According to a Citizen Lab investigation, ‘Operation Blackbird’ is responsible for targets in a number of countries, including the UK, with Middle East connections. It also identified British Telecom as being part of the ‘Operation Kingdom’ infection, which also targets the Middle East..

Another UK link

Around two-thirds of the shares of NSO’s holding company are owned by Novalpina Capital, based in the UK and Luxembourg. According to journalist Ian Cobain, NSO has retained Cherie Blair to “act as an external advisor on ethics”.

Altogether, Citizen Lab found:

suspected NSO Pegasus infections… we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.


A toolkit is now available to “technologists and investigators” to detect if a device has been compromised. The Verge has produced a guide on how to use it. Also, CNET has published a number of suggestions for improving security on smartphones, as well as improvements for browser settings.

Meanwhile, an NSO spokesperson told the Verge that the allegations made in the Amnesty report were “outrageous and far from reality”. It published a more detailed rebuttal here.

Featured image via Unsplash/ Justin Main

Support us and go ad-free

We need your help to keep speaking the truth

Every story that you have come to us with; each injustice you have asked us to investigate; every campaign we have fought; each of your unheard voices we amplified; we do this for you. We are making a difference on your behalf.

Our fight is your fight. You’ve supported our collective struggle every time you gave us a like; and every time you shared our work across social media. Now we need you to support us with a monthly donation.

We have published nearly 2,000 articles and over 50 films in 2021. And we want to do this and more in 2022 but we don’t have enough money to go on at this pace. So, if you value our work and want us to continue then please join us and be part of The Canary family.

In return, you get:

* Advert free reading experience
* Quarterly group video call with the Editor-in-Chief
* Behind the scenes monthly e-newsletter
* 20% discount in our shop

Almost all of our spending goes to the people who make The Canary’s content. So your contribution directly supports our writers and enables us to continue to do what we do: speaking truth, powered by you. We have weathered many attempts to shut us down and silence our vital opposition to an increasingly fascist government and right-wing mainstream media.

With your help we can continue:

* Holding political and state power to account
* Advocating for the people the system marginalises
* Being a media outlet that upholds the highest standards
* Campaigning on the issues others won’t
* Putting your lives central to everything we do

We are a drop of truth in an ocean of deceit. But we can’t do this without your support. So please, can you help us continue the fight?

The Canary Support us
  • Show Comments
    1. The Orwellian dystopia has definitely arrived!
      Not content with sneaky surveillance methods, the control freaks/creeps who control us tell us black is white and white is black – and 2+2=5 if they say it is and you’d better believe it!

    2. Of COURSE the UK has links to this!

      And it has been around for about 10 years. So you can increase that “50k” figure by a factor of AT LEAST 10.

      100-1, I bet that just like the “Phone-hacking scandal”, the disgusting Establishment entrenched corporate media refuse to release the list of ALL the victims, just choosing which ones they ‘warn’.

      Says everything.

    Leave a Reply

    Join the conversation

    Please read our comment moderation policy here.