Exclusive: Saudi Dissidents Hit With Stealth iPhone Spyware Before Khashoggi's Murder

This article is more than 5 years old.

President Trump committed to standing with Saudi Arabia on Tuesday, amidst a global furor over the brutal murder of journalist Jamal Khashoggi. But the Saudi regime's campaign against dissidents living abroad was apparently more widespread than previously known, and included a spate of insidious digital attacks in the months leading up to Khashoggi's death.

One of those dissidents is the well-known YouTube comic and satirist Ghanem Almasarir, based in London. When we met two weeks ago, Almasarir is hunched over a latte in a central London cafe, muttering curses about the Saudi regime that he's spent his adult life mocking. For good reason: after I spend an hour with his iPhone X, it seems clear that he was targeted with a super-stealth spyware called Pegasus. The tool is able to silently hoover up private information on a target iPhone, from WhatsApp chats to emails, and can spy on people via their smartphone's camera and microphone. It's the creation of a highly secretive, $1 billion-valued Israeli surveillance dealer called NSO Group.

Almasarir would be the second confirmed Saudi target of Pegasus in the U.K., alongside political activist Yahya Assiri. Both are telling Forbes their stories of assaults on their digital lives for the first time. As previously reported, Pegasus has spread its wings further to attack opponents of the Saudi regime. Other attacks hit an employee working on Saudi-related issues for Amnesty International, a human rights NGO founded in London, and activist Omar Abdulaziz from Quebec, Canada. And Assiri reveals to Forbes that like Abdulaziz he was in frequent contact with the late writer Khashoggi, who was infamously killed at the Saudi Arabian embassy in Istanbul in October.

Human rights defenders are now raising the alarm over cross-border hacking of activists’ devices via NSO’s software. "We have example, after example, after example of this software being used to harass and threaten activists around the world," says Danna Ingleton, deputy program director for the technology division of Amnesty International. And of the companies supplying the surveillance tools, she warns: "They're using national security as an excuse for acting outside the law."

The Saudi Arabian embassy in London has not responded to calls and emails requesting comment. NSO Group acknowledged Forbes' request for comment but hadn’t supplied any at the time of publication. Francisco Partners, the American private equity firm that classes NSO as one of its portfolio companies, had not commented at the time of publication.

The Israeli spyware dealer has become a frequent target of criticism from human rights activists. In Mexico, it's come under heavy fire. Most notably, its surveillance tools were seen targeting lawyers representing the parents of the students who went missing in 2014 as part of an alleged mass kidnapping and murder perpetrated by corrupt police and a local gang. At the time, NSO neither confirmed nor denied whether it had clients in Mexico. But the company said it had an ethics committee that reviewed alleged abuse of its tools, which are supposed to only be used by law enforcement for criminal investigations.

Earlier this summer, researchers said NSO's malware had found its way into 45 countries, including the United States.

A malicious text arrives

The evidence that Almasarir's phone was a target came in the form of a June 23 message that appeared to have been sent by DHL. It looked like the kind of delivery message people across the world receive every day, telling him he had a package arriving on the 28th. It also contained a shortened link where he could manage his delivery. But clicking on that link would’ve led to the installation of the Pegasus tool, capable of hoovering up data within. That's according to two separate researchers who reviewed the message for Forbes; one was Bill Marczak, from Citizen Lab, a University of Toronto-based organization that’s built a name for itself tracking surveillance companies; the other was Claudio Guarnieri, a surveillance researcher at Amnesty International.

The Pegasus tool could've gobbled up the WhatsApp conversations we'd used to organize our meeting, not to mention other communications between Almasarir and his contacts. The realization dawned: his phone could've been eavesdropping on our conversation right then and there, or watching us through the iPhone's crystal clear camera. Hence Almasarir's furtive invectives, his visible distress. He's already blaming the Saudi regime. "They want to torture you emotionally, mentally," he says, shaking his head. "They are experts in doing that."

The text message on Almasarir's phone aroused suspicion as it looked almost identical to one received by another Saudi activist, Canada-based Omar Abdulaziz. In August, Abdulaziz learned via Citizen Lab that his phone had been infected by the Pegasus tool. In recent weeks, he’s raised an alarm that his conversations with Khashoggi were almost certainly snooped on in the lead-up to his companion's death.

Looking at Almasarir's phone, it appears his communications could have suffered the same fate. But Almasarir is wary of such messages and says he never clicks on links from unknown senders. The initial panic subsides, as he talks about how he deals with a constant assault on his online life. He claims his YouTube account has repeatedly been the subject of removal requests; his Instagram hacked and deleted; alerts on his phone often warn him that someone, somewhere, is trying to access his Google and Twitter accounts. All persistent efforts, he says, of Saudi agents trying to scare him off lampooning his home nation's royalty.

The calm doesn't last. Asked what version of Apple’s mobile software, iOS, he's running, Almasarir confidently responds that it's the latest. A quick check shows he's mistaken. He's running iOS 11.2.6, released back in February. Apple has since put out multiple updates with security improvements, the latest version being 12.1. When he attempts to check for a software update, Almasarir is greeted with a perpetual "loading" message. It’s not a good sign. It's an indication that Pegasus could be hiding on the device, according to Marczak, who's been tracking NSO’s malware over recent years as part of the Citizen Lab nonprofit.

The researcher confirms that not only is the text message an attempted lure to ensnare Almasarir's phone with Pegasus, but the surreptitious software also prevents iOS updates once it has found a home on an iPhone.

In the coming days, further attempts to validate that Pegasus had successfully infiltrated his device are inconclusive. No additional evidence is found.  

But the attempt to infect his iPhone adds more weight to the belief that Saudi Arabia has built a small but powerful global surveillance machine that’s going after critics of the regime. And while there's no clear evidence Saudi Arabian regime hackers are behind the spate of Pegasus attacks, researchers are connecting the dots. "Since Yahya, Omar and Ghanem are all high-profile Saudi dissidents, it seems quite likely that the targeting is conducted for the benefit of Saudi Arabia," says Marczak.

He notes that of the 12 countries the so-called Kingdom hacker crew has targeted, there's "a clear Middle Eastern focus." Targeted countries include Saudi Arabia, Bahrain, Egypt, Jordan, Iraq, Qatar, Lebanon, Turkey, Morocco, Canada, the U.K. and France.

"So we can't say for certain that it's somebody sitting in Riyadh pulling the trigger on these messages, but ultimately, we have high confidence that the operations are being conducted for the benefit of Saudi Arabia," Marczak added.

Appetite for data destruction

A very different kind of activist from Almasarir, the solemn, serious Yahya Assiri, founder of Saudi Arabian human rights organization ALQST, was targeted back in May.

Unlike Almasarir, Assiri had been in frequent contact with Khashoggi up to the slaying in Istanbul - and Saudi royalty was paying attention. Back in December 2017, Assiri organized ALQST's first conference in London. Taking part alongside attendees from the Human Rights Watch, Amnesty International and myriad other activist organizations was Khashoggi himself, dialing in over Skype and appearing on a big screen. Just days after the conference, Arabic daily newspaper Al-Hayat published a statement from its owner, Saudi Prince Khalid bin Sultan. The message said the newspaper had officially ended its relationship with Khashoggi, having already suspended him in September. As part of his reasoning, the Prince pointed to "participation in suspicious meetings seeking to undermine the Kingdom." Assiri thinks that "suspicious" event was his own.

It was half a year later, at the end of May, that the Pegasus spyware tried to find a new home on his iPhone. A strange message from a German number told Assiri he was due to appear in court. Fearing the link within was malicious, he opened it on an Apple Mac that he didn’t mind being infected. It led to what appeared to be the official website of the Saudi Arabian Minister for Justice, leading Assiri to believe it legitimate. He later opened the link on his iPhone.

Shortly after, strange things began happening to his Apple devices, he tells Forbes from his West London office where protest posters carrying Khashoggi’s face are sprawled across a table. First, his iPhone started heating up as it burned through the battery. When he tried to restart the phone, it wouldn’t come back on. Later, he attempted to retrieve a backup from his Mac, but the computer simply froze after that request.

"I don't think they hacked my mobile," he says. "But I think they tried and destroyed things [in the process]." He chose to wipe both the iPhone and the Mac, even though he never got confirmation his phone was infected.

Assiri continues to receive dubious messages every day. Some claim to contain links to slanderous or offensive comments about Assiri, sometimes allegedly made by his close friends and contacts, including Abdulaziz. They're obviously designed to trick him, but he isn’t falling for such attempts anymore, he adds.

Just a year ago, Assiri didn’t think there was much of a threat from Saudi surveillance at all. He’s now changed his mind. And, he warns, there’s been a chilling effect from the revelations around the Kingdom’s use of surveillance tools. Up until recently he would use Russian-founded messaging app Telegram to gather information from activists still living in the homeland. They would supply details, such as the health and well-being of prisoners, within minutes. Now it takes days or weeks to get the same information, if it arrives at all.

But there’s room for some optimism. Because of Khashoggi's death, the Saudi operation is now the focus of global scrutiny. At least one government is taking action. Investigators in Canada are looking into the hack of Abdulaziz's iPhone. Though the Royal Canadian Mounted Police declined to comment on any possible probe, Abdulaziz said RCMP are particularly interested in what happened to Khashoggi. "They believe it has something to do with me," Abdulaziz tells Forbes. "For sure they were listening to us through my phone."

Rather than be cowed by the Big Brother watching over them, Abdulaziz and fellow activists aren't going to cease voicing their dissent. "Their threats are going to make me stronger," adds Abdulaziz. "It shows me how weak they are."
