Editor’s note: Sevinj Vaqifqizi is an Azerbaijani journalist working for Meydan TV, an independent news organization based in Berlin. After her phone number was found on a list of targets selected by NSO Group’s customers, Amnesty International conducted a forensic analysis of her phone. The analysis confirmed it had been infected by Pegasus. Here is an article by the Pegasus victim journalist Sevinj Vaqifqizi.
Every night when I was a child, my father would come home with Azadliq newspaper. At the time, it was considered one of the best. When he finished reading it, I’d take it and read it too. I was so curious about how they covered events, described different situations.
When I got older, my parents thought I should become a journalist. My mom would flip through the television channels and say she could imagine seeing me presenting a program. When we applied to university in those days in Azerbaijan, we were given the chance to list our top 10 choices of places to study. I filled in eight of them, and in every slot I wrote the same thing: the School of Journalism at Baku State University. I simply couldn’t see myself doing anything else. My teachers told me it would be better to list another choice, in case my test scores weren’t good enough to get into the journalism school. But my decision was firm: journalism or nothing.
When I was a student, I started to have misgivings about what I saw on television in Azerbaijan. Sometimes, in order to advocate for the government, television programs would humiliate ordinary people or undermine their value. This was very irritating. I thought that people should be respected and their rights should be a priority. I came to understand that what was being said on TV was often a lie, and that all presenters were delivering messages under someone else’s dictate, as a tool of propaganda.
I realized I could never become a TV presenter like my mom wanted for me. But I could still become a journalist.
I started in 2010 and immediately began to write about human rights, political prisoners, property rights, and other social topics. I also published several investigations about corruption. Some of them had an impact and led to problems being solved for ordinary people. After we filmed or published about the problem, the executive branch or officials would come and fix it.
But being a journalist in Azerbaijan means that officials will react to your question in any way but actually answering it. They might threaten you, they might grab your camera and break it, they might leave your phone calls and requests unanswered or hang up on you.
Or it might be worse. It might be an intrusion into your privacy, publicizing your private life, threatening you or your relatives. It might be an arrest or finally, a killing. This is what being a journalist in Azerbaijan is. Generally, everyone who means to work as an independent journalist in Azerbaijan knows these risks, and is ready for them.
When I had just started working in independent media, this was very scary for me. I thought, “How come the government is able to do all this? How can they torture, harass, blackmail someone?” As the years passed, we got used to it. Fear faded out. Honestly, I don’t feel fear anymore. I know what they can do, and it does not stop me. It is more important to be useful to people.
We continue doing our work and try to do the best, because people need us. People in Azerbaijan don’t have much choice. There’s just a handful of media outlets that cover their problems objectively, telling the truth. We have no right to deprive them of this.
In 2015, I attended a training program in Ukraine and was stopped in the airport upon return. There were three of us there, all contributors to Meydan TV. We were stopped at border control and they told us we have to go with them to the airport police, because a travel ban had been imposed on us. We argued that we were not leaving the country, we were entering it. But they said it didn’t matter and we had to go with them. We were transferred to the Anti-Organized Crime Department in the Interior Ministry. They kept us there the whole night. They interrogated us and told us that there had been a criminal case opened into the activities of Meydan TV and they were investigating it. They told us that our activity in the country was illegal, we were foreign media, and we didn’t have a license to work in Azerbaijan.
But journalism is not a licensed activity, and it is everyone’s constitutional right to acquire and publish information — everyone but us. This travel ban stayed in force for four years. That whole time, I felt like a hostage. It was like being in a prison, with a little more room to walk around. They thought this would make us change our mind and stop working with Meydan TV, but we kept going. What motivates us is seeing that ordinary people appreciate independent media and can tell the difference between what we do and government propaganda. Sometimes I see this attitude even from the government employees. For example, once when I was crossing the border, a customs official asked me why my name was flagged in the system. I explained that I work for Meydan TV and I always face extra scrutiny for that. He handed me my passport and said he wished me all the luck. You can see that people appreciate us and wish us the best.
I don’t think it’s journalists as individuals that the government has a problem with. The government has a problem with the people. The government wants the people to remain unaware that government officials are stealing public wealth. It wants to continue committing crimes in the shadows so that no one will uncover those facts or ask questions about it. And journalists are the ones who spoil this plan.
Journalists uncover facts and make them public. This allows people to see how much is being stolen from them. This is what they are scared of, because it creates a risk of unrest that might lead to a change in government. That is why they harass, organize smear campaigns, arrest, and even kill journalists. But no harassment or killing can change reality or stop people from somehow learning the truth. Yes, you can reduce the number of people doing this job, but it is impossible to hide the truth from the people forever.
I assumed our security service tapped our phones and wanted to get our information. But when I learned about Pegasus, I was astonished. I never imagined they could follow everything I did on the internet and get my private photos or contact lists. It was appalling news for me. Above all, I worried about my sources and some of my colleagues who don’t want it known that they work for Meydan TV.
The government is not only attacking our work lives, but also our private lives. Using this spyware is an unlawful step. The government has an obligation to protect all its citizens, but instead it’s a threat to citizens.
Pegasus is malware that infects iPhones and Android devices, enabling operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones.
The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.
The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.
Forensic analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware.
The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers.
The list also contains the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives.
The disclosures begin on Sunday, with the revelation that the numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.
The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected.
NSO said that even if Pineda’s phone had been targeted, it did not mean data collected from his phone contributed in any way to his death, stressing governments could have discovered his location by other means. He was among at least 25 Mexican journalists apparently selected as candidates for surveillance over a two-year period.
Without forensic examination of mobile devices, it is impossible to say whether phones were subjected to an attempted or successful hack using Pegasus.
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
In a statement issued through its lawyer, NSO denied “false claims” made about the activities of its clients, but said it would “continue to investigate all credible claims of misuse and take appropriate action”. It said the list could not be a list of numbers “targeted by governments using Pegasus”, and described the 50,000 figure as “exaggerated”.
The company sells only to military, law enforcement and intelligence agencies in 40 unnamed countries, and says it rigorously vets its customers’ human rights records before allowing them to use its spy tools.
The Israeli minister of defence closely regulates NSO, granting individual export licences before its surveillance technology can be sold to a new country.
Last month, NSO released a transparency report in which it claimed to have an industry-leading approach to human rights and published excerpts from contracts with customers stipulating they must only use its products for criminal and national security investigations.
There is nothing to suggest NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the consortium also found numbers in the data belonging to suspected criminals.
However, the broad array of numbers in the list belonging to people who seemingly have no connection to criminality suggests some NSO clients are breaching their contracts with the company, spying on pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.
That thesis is supported by forensic analysis on the phones of a small sample of journalists, human rights activists and lawyers whose numbers appeared on the leaked list. The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined.
The analysis also uncovered some sequential correlations between the time and date a number was entered into the list and the onset of Pegasus activity on the device, which in some cases occurred just a few seconds later.
Amnesty shared its forensic work on four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
The consortium’s analysis of the leaked data identified at least 10 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates (UAE).
Analysis of the data suggests the NSO client country that selected the most numbers – more than 15,000 – was Mexico, where multiple different government agencies are known to have bought Pegasus. Both Morocco and the UAE selected more than 10,000 numbers, the analysis suggested.
The phone numbers that were selected, possibly ahead of a surveillance attack, spanned more than 45 countries across four continents. There were more than 1,000 numbers in European countries that, the analysis indicated, were selected by NSO clients.
The presence of a number in the data does not mean there was an attempt to infect the phone. NSO says there were other possible purposes for numbers being recorded on the list.
Rwanda, Morocco, India and Hungary denied having used Pegasus to hack the phones of the individuals named in the list. The governments of Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, the UAE and Dubai did not respond to invitations to comment.
The Pegasus project is likely to spur debates over government surveillance in several countries suspected of using the technology. The investigation suggests the Hungarian government of Viktor Orbán appears to have deployed NSO’s technology as part of his so-called war on the media, targeting investigative journalists in the country as well as the close circle of one of Hungary’s few independent media executives.
The leaked data and forensic analyses also suggest NSO’s spy tool was used by Saudi Arabia and its close ally, the UAE, to target the phones of close associates of the murdered Washington Post journalist Jamal Khashoggi in the months after his death. The Turkish prosecutor investigating his death was also a candidate for targeting, the data leak suggests.
Claudio Guarnieri, who runs Amnesty International’s Security Lab, said once a phone was infected with Pegasus, a client of NSO could in effect take control of a phone, enabling them to extract a person’s messages, calls, photos and emails, secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal.
By accessing GPS and hardware sensors in the phone, he added, NSO’s clients could also secure a log of a person’s past movements and track their location in real time with pinpoint accuracy, for example by establishing the direction and speed a car was travelling in.
The latest advances in NSO’s technology enable it to penetrate phones with “zero-click” attacks, meaning a user does not even need to click on a malicious link for their phone to be infected.
Guarnieri has identified evidence NSO has been exploiting vulnerabilities associated with iMessage, which comes installed on all iPhones, and has been able to penetrate even the most up-to-date iPhone running the latest version of iOS. His team’s forensic analysis discovered successful and attempted Pegasus infections of phones as recently as this month.
Apple said: “Security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”
NSO declined to give specific details about its customers and the people they target.
However, a source familiar with the matter said the average number of annual targets per customer was 112. The source said the company had 45 customers for its Pegasus spyware.