Phones of nine Bahraini activists found to have been hacked with NSO spyware
The mobile phones of nine Bahraini activists, including two who were granted asylum protection and are now living in London, were hacked between June 2020 and February 2021 using NSO Group spyware, according to new findings by researchers at Citizen Lab at the University of Toronto.
A report due to be released on Tuesday will reveal that the hacked activists, some of whose phones were being monitored by Citizen Lab researchers at the time they were hacked, include three members of Waad, a secular leftwing political group that was suspended in 2017 amid a crackdown on peaceful dissent in Bahrain.
Of the nine activists who were “successfully hacked”, four were believed with a “high degree of confidence” by Citizen Lab to have been targeted by the government of Bahrain, which is believed to have acquired access to NSO spyware, called Pegasus, in 2017.
NSO is an Israeli surveillance company regulated by Israel’s ministry of defence, which approves sale of NSO’s spyware technology to government clients around the world. NSO says it sells only to military, law enforcement and intelligence agencies in 40 unnamed countries for the purpose of terrorism and crime investigations, and says it rigorously vets its customers’ human rights records before allowing them to use its spy tools. NSO says it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
Most of the activists in the report asked not to be named, though they were identified by Citizen Lab as bloggers, activists, members of Waad, members of the Bahrain Center for Human Rights, and in one case a member of al-Wefaq, a political party that has previously been ordered to be dissolved by the ruling Khalifa family.
The researchers said that some of the activists, including at least one in London, may have been hacked by another government using NSO spyware. While the client attribution of those attacks is not certain, Citizen Lab said that even if another foreign government was responsible for the attacks, it “does not preclude the possibility that the ultimate recipient of the hacked data was the Bahraini government”.
Previous government clients include Saudi Arabia and the United Arab Emirates, as well as Mexico and Hungary.
The findings come weeks after the Guardian and other media published the Pegasus project, an investigation that centred on a data leak of more than 50,000 phone numbers that, since 2016, were believed to have been selected as belonging to people of potential interest by government clients of NSO.
Citizen Lab said it confirmed with Forbidden Stories, which coordinated the Pegasus project investigation and had access to the data, that five of the hacked devices were contained on the Pegasus project’s list. This Pegasus Project data covers 2017-2019, suggesting that the individuals whose numbers appear on the list were considered possible targets for surveillance for a period of time before they were hacked, according to Citizen Lab’s research.
Inclusion on the list alone does not mean that a phone was definitely targeted by the NSO client or successfully hacked. But forensic analysis of a small number of phones on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
The government of Bahrain, which was contacted by the Guardian through its embassy in Washington, did not respond to a request for comment.
[Following publication of this article, a Bahrain government spokesperson said in a statement to the Guardian: “These claims are based on unfounded allegations and misguided conclusions. The government of Bahrain is committed to safeguarding the individuals’ rights and freedoms.”]
An NSO spokesperson said in a statement to the Guardian that it had not received any data from Citizen Lab and could therefore not respond to “rumours” of the group’s findings.
“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” the spokesperson said.
The new findings by Citizen Lab point to what activists have called a sharp deterioration in the government of Bahrain’s record on human rights in recent years. Activists, including Amnesty International, have called on the Biden administration in the US to address the “sustained attack” on Bahraini civil society by the Bahraini government and to put pressure on Bahrain to end the use of torture against dissidents and the ban on opposition parties and other civil society groups.
Two of the targets, Moosa Mohammed and Yusuf al-Jamri, are Bahrainis currently living in exile in London. The UK Home Office granted Jamri asylum in 2018 following allegations he had been tortured while in the custody of Bahrain’s intelligence agency, the National Security Apparatus. Jamri’s iPhone 7 appears to have been hacked prior to September 2019 but Citizen Lab said it could not pinpoint whether it was hacked while Jamri was in Bahrain or in the United Arab Emirates, another known NSO client.
Mohammed, a photojournalist who has claimed he was the victim of an attempted murder by Bahrain embassy officials in London in 2019, said in a statement to the Guardian that he was “shocked” by Citizen Lab’s findings, including that his phone had been infected as recently as late last year.
“When I fled torture and persecution in Bahrain, I thought I would find safety in London, but have continued to face surveillance and physical attacks by Gulf regimes. Instead of protecting me, the UK government has stayed silent,” he said.
NSO Group has said that its government clients are only permitted to use its spyware, which can essentially hack into any phone without the phone user’s knowledge, against suspected criminals, such as terrorists or paedophiles.
But that claim has been challenged following dozens of examples of the spyware being used by NSO clients against journalists, human rights activists and political figures.
Citizen Lab said in its report: “While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding and documented evidence of Bahrain’s serial misuse of surveillance products.”
In France, intelligence investigators recently confirmed that Pegasus spyware was found on the phones of three journalists, including a senior member of staff at the country’s international television station France 24. That was the first time an independent authority had corroborated the findings of the Pegasus project, which identified several cases in which French officials and journalists appeared to have been selected for potential surveillance by NSO clients.
In the latest cases revealed by Citizen Lab, researchers found that, beginning in February 2021, NSO clients began deploying a new so-called zeroclick iMessage exploit that circumvented an Apple security feature known as BlastDoor, which was designed to screen suspect messages before they delve too deeply into a phone. The same finding has also been reported by Amnesty Tech, which was a technical partner on the Pegasus project.
Apple, which makes the iPhone, has said it condemns cyber-attacks and that BlastDoor was not the end of its efforts to secure its iMessage feature, which has been described as vulnerable by security researchers.
Bahrain was a signatory in 2020 to the Abraham accords, which established formal relations between Israel and some Arab governments, including Bahrain and the UAE. While the agreement, signed under the Trump administration, formalised cooperation between the countries, Israel is believed to have established a cooperative agreement years earlier, including agreeing the sale of NSO technology to both Bahrain and UAE.
• This article was amended on 24 August 2021 to include the statement from the government of Bahrain, which was received after publication.