Ultra-intrusive spyware targeting journalists and activists has UK links

Woman with face hidden holding out phone
Support us and go ad-free

Produced by Israeli company NSO, the ultra-intrusive Pegasus spyware targets journalists, dissidents, and human rights advocates. There’s now evidence that UK servers are implicated in the transmission of the spyware.

Spyware condemned by Snowden

The Pegasus Project is investigating the spyware. The project began when more than 50,000 phone numbers “believed to be… targets of NSO Group’s phone hacking software” were leaked to Amnesty International.

The project includes 80 journalists from “Forbidden Stories, The Washington Post, Le Monde, Süddeutsche Zeitung, Die Zeit, the Guardian, Daraj, Direkt36, Le Soir, Knack, Radio France, the Wire, Proceso, Aristegui Noticias, the Organized Crime and Corruption Reporting Project, Haaretz and PBS Frontline”.

NSA whistleblower Edward Snowden warns that the spyware could target millions:

If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.


The Pegasus Project found that:

of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.

Read on...

Indeed, the Washington Post reports that:

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar

How Pegasus infects phones

The spyware is implanted into a phone via a malicious clickable link. Organized Crime and Corruption Reporting Project (OCCRP) explains how:

Once implanted on a user’s phone, the system can collect a stunning range of information, including photos, emails, contacts, and data transmitted over other apps, like Facebook and WhatsApp. It can even record live audio and video.

Former US intelligence cyber engineer Timothy Summers further explains that once it’s been implanted into a device Pegasus:

hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population.

Other means of intrusion

As well as gaining access to all the data on a target’s phone, Pegasus also:

monitors the keystrokes on an infected device – all written communications and web searches, even passwords – and returns them to the client, while also providing access [to] the phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.

Further, for Pegasus to grab data it requires “only an unanswered phone call or a message to embed itself onto a device”.

OCCRP explains that Pegasus takes advantage of these ‘zero-click exploits’ (or zero-click attacks), which:

rely on bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message.

Claudio Guarnieri, from Amnesty International’s Security Lab, said “These zero-click exploits constitute the majority of cases we’ve seen since 2019”.

UK implicated

Meanwhile, Amnesty International published its peer reviewed forensic report on Pegasus on 18 July 2021. It states that:

Pegasus infrastructure primarily consists of servers hosted at datacentres located in European countries. The countries hosting the most infection domain DNS servers included Germany, the United Kingdom, Switzerland, France, and the United States (US). [Emphasis added]

Amnesty adds that there are 79 servers in the UK that are involved in the transmission of the spyware. According to a Citizen Lab investigation, ‘Operation Blackbird’ is responsible for targets in a number of countries, including the UK, with Middle East connections. It also identified British Telecom as being part of the ‘Operation Kingdom’ infection, which also targets the Middle East..

Another UK link

Around two-thirds of the shares of NSO’s holding company are owned by Novalpina Capital, based in the UK and Luxembourg. According to journalist Ian Cobain, NSO has retained Cherie Blair to “act as an external advisor on ethics”.

Altogether, Citizen Lab found:

suspected NSO Pegasus infections… we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.


A toolkit is now available to “technologists and investigators” to detect if a device has been compromised. The Verge has produced a guide on how to use it. Also, CNET has published a number of suggestions for improving security on smartphones, as well as improvements for browser settings.

Meanwhile, an NSO spokesperson told the Verge that the allegations made in the Amnesty report were “outrageous and far from reality”. It published a more detailed rebuttal here.

Featured image via Unsplash/ Justin Main

We know everyone is suffering under the Tories - but the Canary is a vital weapon in our fight back, and we need your support

The Canary Workers’ Co-op knows life is hard. The Tories are waging a class war against us we’re all having to fight. But like trade unions and community organising, truly independent working-class media is a vital weapon in our armoury.

The Canary doesn’t have the budget of the corporate media. In fact, our income is over 1,000 times less than the Guardian’s. What we do have is a radical agenda that disrupts power and amplifies marginalised communities. But we can only do this with our readers’ support.

So please, help us continue to spread messages of resistance and hope. Even the smallest donation would mean the world to us.

Support us
  • Show Comments
    1. The Orwellian dystopia has definitely arrived!
      Not content with sneaky surveillance methods, the control freaks/creeps who control us tell us black is white and white is black – and 2+2=5 if they say it is and you’d better believe it!

    2. Of COURSE the UK has links to this!

      And it has been around for about 10 years. So you can increase that “50k” figure by a factor of AT LEAST 10.

      100-1, I bet that just like the “Phone-hacking scandal”, the disgusting Establishment entrenched corporate media refuse to release the list of ALL the victims, just choosing which ones they ‘warn’.

      Says everything.

    Leave a Reply

    Join the conversation

    Please read our comment moderation policy here.