Season 01: Episode 02

More than four years after journalist Jamal Khashoggi was murdered in the Saudi consulate in Istanbul, Turkey, Khashoggi’s phones are still with Turkish authorities. We learned how Khashoggi’s wife, Hanan Elatr, discovered she had been targeted, tracked and spied on by Pegasus, the military-grade spyware on her phone. She was not the only one. His colleague, Omar Abdulaziz, and fellow activist, Ahmed Mansour, were also targeted.

ROSE REID: More than four years have passed since journalist Jamal Khashoggi was murdered in the Saudi consulate in Istanbul, Turkey in October of 2018.

Khashoggi’s phones are still with Turkish authorities.1

In our last episode, we learned how Khashoggi’s wife, Hanan Elatr discovered she had been targeted, tracked and spied on by military grade spyware on her phone. She was not the only one:

[MONTAGE]

CNN PRESENTER: We start with the CNN exclusive. New insight now into the murder of journalist Jamal Khashoggi and one of the unanswered questions: why was he killed?2

OMAR: The hacking of my phone played a major role in what happened to Jamal. I’m really sorry to say that.3

NANDO VILA: Omar Abdulaziz was a close friend of Jamal Khashoggi’s. Omar is a vocal critic of Saudi Arabia’s human rights abuses and now lives in Canada, where he was granted asylum. More than 400 messages between Omar and Jamal Khashoggi were compromised:

DANA PRIEST: We all carry our cell phones everywhere. And our cell phones carry our digital exhaust with them. And having that turned on you—it’s so much more powerful than the tools that law enforcement and spies have used before.

ROSE: Dana Priest covers national security for the Washington Post, the same newspaper where Khashoggi worked before he was killed. Dana Priest is part of the Pegasus Project, a coalition of journalists working together to identify targets who have been hacked by Pegasus spyware.4

The Pegasus Project obtained a list of thousands of phone numbers that were targeted with Pegasus spyware. Dana went through this database of phone numbers to find if anyone was connected to her colleague, Jamal Khashoggi. She discovered a number that belonged to Hanan Elatr, who married Khashoggi in an unrecorded religious ceremony outside of DC, and wasn’t previously known to many of his colleagues.

DANA: And then who I discovered had been detained and mistreated, harassed, intimidated by the Emiratis —so she reveals this big story that nobody knew at the time, which was that the Emiratis, it seemed, were tracking her to track him. We got her phones. It showed that she had been targeted.

It was an Android. And it was rather old. So it was hard to find any traces of Pegasus on that particular type of phone. In the beginning, they didn’t know who had, who had used Pegasus to target her. And it was very eerie, because here’s this woman that has potentially so much evidence to share in her devices about Jamal’s travels and who might have been tracking him, and who might have been complicit with the Saudis. So, I took her devices to a second group that does a lot of forensics, Citizen Lab.

BILL MARCZAK: A lot of the stuff that I do in this research is trying to understand, given one instance or given one example of an attack, can we trace that further to other instances, to other examples and, uh, other countries as well?

NANDO: Bill Marczak is a senior research fellow at Citizen Lab, a leading organization that investigates digital espionage against civil society. Bill confirmed that Pegasus was on Hanan’s phone.

HANAN ELATR: I have a big feeling there is something also in my husband phone. If I have the evidence this happened to me, what about him?

ROSE: Now that Hanan had been identified, Bill and Citizen Lab – together with reporters from the Pegasus Project like Dana Priest, could find others whose phones have been infected with Pegasus.

DANA: Yeah, I got kind of obsessed with this, because we know the Saudis did it. So, what else do you need to know? And I just thought, we need to know everything, because we know the Saudis did it, but who helped them do it? The question about, you know, whether he could’ve been murdered without Pegasus is, is one way to ask the question. But the other way is, who are these people making decisions that lead to the murder and hacking to death of this very gentle, sensitive man who was trying to bring more freedom of expression to his country?

[MONTAGE FROM LAST EPISODE]

DANA: And I just kept saying, what in the hell could have happened in there?

CARLOTTA: We pieced together what happened almost like a whodunit.

BILL: Given one instance of an attack, can we trace that further to other countries as well?

HANAN: Regarding the spying and Pegasus, we did not know. They did track him through me – because they know I’m the one closest to him.

ROSE: This is Shoot the Messenger. I’m Rose Reid.

NANDO: I’m Nando Vila. Every season we investigate one international news story. You may have heard the headlines — this is the deep dive.

This first season we examine the murder of journalist Jamal Khashoggi, and his inner circle that has the world’s most sophisticated military-grade spyware confirmed on their phones. It’s called Pegasus.

How did this spyware come to be, how does it work, and how vulnerable are you?

ROSE: Over the course of ten episodes, we’re doing a special partnership with the Committee to Protect Journalists on “Espionage, Murder & Pegasus Spyware.”

In our last episode we examined the life, death and betrayal of Jamal Khashoggi. Khashoggi’s wife, Hanan Elatr, discovered she had Pegasus on her phone for three years, including the last five months of Khashoggi’s life. She was just one person in Jamal Khashoggi’s inner circle to have Pegasus confirmed on their phones:

[MONTAGE]

DANA: Hanan is the smoking gun.
HANAN: They did track him through me, because they know I’m the closest one to him.
BILL: It was full access to the phone.
NICOLE: This was the most sophisticated mobile spyware on the market.
RON: You have to go back to getting a copy of Pegasus, reverse engineering it.
HANAN: Thank you for looking for the truth.

ROSE: This is Episode 2 – Discovering Pegasus, a story told in two entangled chapters – Omar Abdulaziz and Ahmed Mansour.

Chapter 1: Jamal Khashoggi’s Inner Circle: Omar Abdulaziz

NANDO: After Hanan Elatr was told that she had Pegasus on her phone the last five months of Jamal Khashoggi’s life, she started to think back on those months with a different lens.

She examined the questions asked of her by the UAE intelligence officers who detained her, and questioned her overnight. She thought back on their questions about Jamal Khashoggi – asking who he worked with and what he was working on?

HANAN: They was accusing him, he have a strong network. Jamal, he really have a network. They are active. They outspoken. And they very well-educate. But majority of them is not from Gulf, actually. Majority of them is Egyptian. But he did not have a network from Gulf dissident to change the rules. He was against this. He hate to be categorized as a dissident. The way they behave and the way they believe, it make me believe they was using this technology, the Pegasus to go through everybody who was – on same platform like Jamal. This what I believe.

ROSE: After Khashoggi was murdered, Saudi officials questioned, and even detained some of those who seemed to have a connection – even if loosely – with Jamal Khashoggi:

DANA: It looks like the Saudis picked up, and in this case, detained for months and months, people who were in contact with some of the people that Jamal was in contact with. So you’re seeing this kind of ripple effect. Jamal’s in the middle, and then there’s people who followed people who followed Jamal. They took the phones and they looked at the phones, and they looked at who else is communicating with the friends around Jamal, and they considered them suspicious as well.

RON: A lot of this industry really took off after the Arab Spring. So with the Arab Spring, we all looked at this and say, oh, there’s a Twitter revolution, Facebook revolution. Everybody’s using mobile phones to organize. Well, the dictators and despots around the world were like, “how do we prevent this from ever happening”? And waiting in the wings was a very eager private sector complex waiting to service them. So I’m Ron Deibert. I’m a professor of political science. I’m also the founder and director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy in Canada.

NANDO: Ron Deibert, the founder of Citizen Lab, is an expert in cyber espionage and digital surveillance – he has been reverse engineering espionage efforts targeting dissidents for more than two decades:

RON: So the idea is that we are like a digital watchdog. We’re like a CSI of human rights. The typical approach I think most people take to that is they see it all as something happening out there, like a world that they’re observing, almost like in a test tube environment. It’s like we’ve crossed through that curtain and really exposed government surveillance.

ROSE: After the Arab Spring, Saudi Arabia cracked down on Twitter and Twitter users. A large part of Saudi’s population is active on Twitter. But Twitter in Saudi Arabia is heavily surveilled. Because you have to have a phone number linked to your Twitter account, many Saudis who live inside the Kingdom are careful with what they post. Posting criticism on Twitter of the Saudi government can be punishable with jail time: 5

RON: Governments, especially ones like Saudi Arabia, don’t always see other governments as the main threat; they see exiled opposition or dissidents abroad as their main threat.

OMAR ABDULAZIZ: Salaam Aleikum.6

NANDO: That’s Omar Abdulaziz, opening the YouTube show he regularly hosts, commenting on Saudi politics. Omar Abdulaziz moved from Saudi Arabia to Canada in 2009 to study English at McGill University in Montreal.

Omar was far away from home when the Arab Spring protests erupted across North Africa and the gulf, and he started tweeting and posting videos commenting on the uprisings, the backlash, and the fallout.

Omar developed a large following across social media, on Instagram, Snapchat7, Youtube,8 and now has more than a half a million Twitter followers.9

ROSE: As Omar’s following grew, and with the new crown prince in power in Saudi Arabia, he became a target of intimidation. In 2016, two Saudi officials arrived in Montreal with Omar’s younger brother. They took Omar to restaurants and were friendly. They made many appeals to Omar to come home: They offered him money. They implied that if he didn’t return with them to the kingdom, there would be consequences. They insisted he at least go with them to the Saudi consulate, where a new passport would be waiting.10

CNN PRESENTER: He made these secret recordings of their meetings and shared them with CNN. [speaking Arabic] Translator: “We have come to you with a message from Mohammed Bin Salman, I want you to be reassured…11

ROSE: Omar texted a friend – a fellow Saudi living in exile, should he go?

“I wouldn’t trust them,” the friend replied.

That friend was Jamal Khashoggi. Omar did not go to the Saudi consulate.

NANDO: Khashoggi had initiated a friendship with Omar after he left Saudi Arabia. Omar was in a similar situation to Khashoggi – living in the west, speaking out on Saudi politics. Their friendship grew, they started to communicate regularly and then, they decided to collaborate.

OMAR: I was working with Jamal in some different projects. We were working on other short documentaries, and also we were working to do some things for the activists that were imprisoned in Saudi Arabia.12

ROSE: Shortly after Khashoggi moved to the United States, the new Saudi crown prince made a bold move to assert his control over Saudi media – he rounded up Saudi media tycoons – placing hundreds of people under ‘hotel arrest’ at the Riyadh Four Seasons. The choice was simple – pledge allegiance or fork over assets. In some cases, both.13 Here’s Jamal Khashoggi commenting on the crown prince’s dual effort to consolidate media and purge corruption:

JAMAL KHASHOGGI14: In my career as a journalist and editor I called for everything Mohammed Bin Salman is doing right now, not only me, every Saudi writer, commentator, we all wanted us to be free from radicalism, we all wanted women to be allowed to have their rights, to drive. We all wanted purge on corruption because corruption was killing us in Saudi Arabia and [–] and corruption is no secret in Saudi Arabia, we feel it, we see it everyday. But we just simply cannot not report about it. So he’s doing what we demanded of him to do. So why am I being critical? Simply because he’s doing the right things the wrong way. Very wrong way.

OMAR: We were talking about some projects aiming the trolls in Twitter.

NANDO: Khashoggi pledged $30,000 to invest in an operation he and Omar called “the bees.” An organized group of dissenters brave enough to post to Twitter and across other social media. Omar would use the money to buy sim cards so people could tweet without being easily traced.

Over WhatsApp, Khashoggi admitted to Omar his personal opinions about the crown prince:

CNN PRESENTER: He’s like a beast, like “Pac Man”: the more victims he eats, the more he wants

ROSE: Khashoggi’s criticisms of the crown prince in private had a very different tone than that of his diplomatic columns in the Washington Post. Khashoggi and Omar went to great lengths to keep their on-going conversation secret.15 Around the same time, Bill Marczak and Ron Deibert at Citizen Lab noticed unusual activity.

ROSE: Do you remember when you first heard of Omar Abdulaziz?

RON: Absolutely.

NANDO: Citizen Lab could see there was an active Pegasus target in Canada.16

RON: We couldn’t say whose devices were hacked, but we were able to isolate the Saudi client, Saudi Arabia, as a customer and all of the countries within which it was undertaking espionage. Within that finding, there was one infected device in Canada. We didn’t know whose it was. Obviously being based in Canada, this was a great interest to us. We were aware that at this time, exactly at this time, the Canadian government was in a dispute with Saudi Arabia. So this was pretty interesting to us. Wow. Okay. We’ve discovered Saudi Arabia is spying on somebody in Canada. Who might it be? What we did at that point was develop a short list of likely Saudi targets in Canada as best we could. And Bill literally went door to door. I’m not kidding you.

BILL: If we see a device in Montreal that it looks like the Saudi client is targeting, you know, well, we don’t look up our list of criminals and terrorists because we don’t have that list. But I think their main concern is threats to the power of the government or threats to the monarchy.

RON: And Omar was definitely on that list because he was very high profile. He had a YouTube show that was viewed by many hundreds of thousands of people, and a very popular Twitter account. When we reached out to him, we were able to verify very easily that he was the target because A, we looked through his text messages and saw that he received an SMS message in June that was embedded with a link to NSO’s command and control infrastructure. But, even more so, his movements, his pattern of life matched exactly what we could see in our network scanning. So, recall that I said we had this visibility of infected devices. We could see that there was this device that was hacked was in the Quebec area, in a suburb of Montreal called Sherbrooke, and would follow a pattern pretty consistently. In the daytime, it would check in from one ISP; in the evening, from a completely different one.

When we asked Omar about his daily routine, he was a student at a university in Sherbrooke. It was summertime. Classes weren’t in session. He would log in from his home in the daytime, but then every evening, go to the gym and log into this obscure ISP for this small university. Based on that together, we could confidently say that Omar was the target.

OMAR: I had no idea about it till I got a phone call from Bill Marczak. So he was telling me that your phone might be hacked. He told me basically that we believe that the Saudi government has targeted someone in Quebec. So I directly told him, you know, if they’re going to target someone, it’s going to be me. He said, “no, no, that’s not gonna– we have to confirm that.”17

RON: So we discovered this in August and published a report October 1st. What we didn’t know was that Omar and Jamal were friends. We had no idea about that. Um, until the next day, after our report on Omar is published, October 1st, the very next day, Jamal goes missing. Omar says, “I’m freaking out. Jamal has gone missing.” And we’re like, “Jamal who?” You know, of course we see the news and put two and two together, learned that Omar and Jamal had been in regular close communications. So, um, that turned it into a whole other thing, you know, uh, became something much different than what we thought it would be.

NANDO: You were in contact with Omar. He was friends with Khashoggi. After he figured out what happened, what was his reaction?

RON: Well, first and foremost, we were concerned with Omar’s well being. We have that responsibility and with the spotlight on him around this, there was a lot of attention. I would say that was a primary concern. But then also figuring out, oh, my goodness, you know, he’s, he’s connected to this person. Learning about some of the details there as the weeks went by was really quite something. Because I learned that prior to us warning Omar and alerting him to the fact that his phone was hacked, they had exchanged on a daily basis all of these very provocative WhatsApp messages between them organizing resistance, collective resistance against Mohammad bin Salman. They also asked Omar to come to the Saudi embassy in Canada, in Ottawa. And Omar asked Jamal, “Do you think I should do this?” And Jamal Khashoggi said, “I wouldn’t trust them.” So Omar didn’t go to the Saudi embassy in Ottawa. But for some reason, Jamal thought he wouldn’t be threatened if he went to the consulate in Istanbul. So we learned a lot of details like that about their interactions.

NANDO: Here’s Omar in an interview with CNN:

OMAR: It’s really difficult to explain what happened to Jamal. And here’s the thing, you know they did that to Jamal, they tried to do the same thing to me. Nothing is going to happen in Saudi Arabia without the green light from MBS. That’s why we have to tell the whole world what really happened to Jamal Khashoggi.18

RON: It’s not uncommon for victims of this type of espionage to be both traumatized and to feel guilt. There have been some studies done by colleagues of ours who have actually gone out, psychologists, clinical psychologists, who have interviewed people who have been targets of surveillance and discovered, you know, that things like people who had experienced torture and then fled abroad but had their device hacked, would have PTSD re-triggered, or they would feel very guilt ridden about learning that the fact that their phone was hacked, exposed their entire inner circle who maybe were either arrested or murdered. And I would say the same with Omar. He definitely has experienced feelings of guilt and trauma. And and that’s why he has been so outspoken, as I understand it.

OMAR: Maybe they were listening to every single call that we had. They were listening, they were reading our chats.19

ROSE: After Omar realized that his phone was hacked, he thought of the thousands of people from all over the world – and within Saudi Arabia – who reach out to him, either through encrypted means, or via direct message, thinking what they’re writing him is private – and protected:

OMAR: In every single minute, so many people are contacting me – via my Instagram, my Snapchat, my Twitter account. So now, they are in real danger because of that.20

ROSE: And do we know if Jamal Khashoggi’s phone was also hacked by Pegasus?

RON: Unfortunately, we can’t say one way or another because he passed his phones to his fiancé, and then she handed them over to Turkish authorities. I would be shocked if he weren’t. Given his high profile and the methods of Saudi intelligence, I would be shocked if they didn’t try to target his device or successfully hacked it. We just don’t know, though.

ROSE: We can only guess as to why Turkey has never released Jamal Khashoggi’s phones.

But what we do know is how Ron and Bill at Citizen Lab discovered Pegasus.

RON: You have to go back to, I would say all the way back to Ahmed Mansour and us getting a copy of Pegasus.

ROSE: That’s after the break.

ROSE: Chapter 2: Discovering Pegasus – Ahmed Mansour.

Often referred to as “the last human rights defender of the United Arab Emirates,” Ahmed Mansour has led a decade-long21 fight calling out human rights abuses of his government.

Ahmed Mansour has been intimidated by the Emirati government in various ways. He has been detained; he’s been beaten, his bank accounts have been frozen and emptied; he has been stripped of his right to work as an engineer, his passport has been taken away and he wasn’t allowed to leave the country.

And he has been targeted with spyware on his computer and even his baby monitor.

So when he got a suspicious text – he knew to reach out to Bill at Citizen Lab.

BILL: This was actually in the summer of 2016. And it was right before I was going to sleep here in Berkeley, I got a text from Ahmed Mansour, a UAE activist.

NICOLE: Ahmed Mansour in the UAE, who’d been pretty vocal about expanding voting rights.

NANDO: Nicole Perlroth has written a book about the cyber industry called This Is How They Tell Me The World Ends22. She has been covering cyber security for the New York Times for the past decade23 –

NICOLE: I’d worked closely with people like Bill Marczak at Citizen Lab covering some of the spyware that was turning up on the phones of people like Ahmed Mansour.

RON: He had been previously targeted with spyware, and we had done a report on him a few years earlier to try to get inside his computers.

BILL: What was interesting about this text in 2016 is that it appeared to be a link that was sent to his mobile phone promising new secrets about torture of detainees in UAE prisons. It was kind of odd because it was from an unknown number.

So I had this burner phone set up, and I was monitoring the phone’s Internet traffic. So I was seeing everything that came into the phone and that left the phone. And when I tapped on the link in, uh, in Safari on the iPhone, the phone sort of just like started spinning for a while, you know, looked like it was loading something. And then the really interesting thing, Safari just closed and that was kind of unusual. And then I saw when I was monitoring the Internet traffic, a bunch of weird traffic going to the spiral website like it was downloading stuff, it was uploading stuff. And that was sort of the first key that, oh, wow, safari is closed. But this this connectivity is still happening and it’s sending information back.

ROSE: Bill was seeing something that is referred to as the “beauty of Pegasus” – it identifies a vulnerability in the operating system, and then overwhelms the system to worm its way in. Think of your smartphone as a protected castle – Pegasus will overwhelm Safari, or let’s say, call WhatsApp several times in a row – it does something that distracts your phone’s defenses for just a moment while it tricks it to lowering the castle’s drawbridge to get inside:

BILL: It wasn’t just, oh, well, you can see what’s going on in Safari because you click on the link in Safari. No, it was you can access everything on the phone. You can turn on the microphone to snoop in on conversations happening around the device. You can take pictures through the webcam, you can get passwords, you can get WhatsApp messages you can get Signal messages, you can record calls, you can track GPS, you can do other things with the phone sensors. It was full access to the phone. I’d never seen that before on a phone, it was quite, quite surprising.

NANDO: Full. access. to. the. phone.

And more than that, Pegasus allows a hacker to use your phone in ways that you can’t even use it. It can search, explore, store, save and copy information the way we use a computer.

It’s like the ultimate James Bond toy – being able to turn on the microphone and eavesdrop on your conversations, or turn on your camera and watch you – wherever you are.

It can track all your movements, observe all your keystrokes, learn all your passwords.

…But how is it possible someone can break into your phone in such an invasive way?

BILL: Zero day is an exploit. And what that means is it’s some code that takes advantage of a flaw in your phone or your computer or another device. So in other words, this is a flaw, for instance, in your iPhone that Apple doesn’t know about, but some hacker knows about.

ROSE: Pegasus hacks your phone with a new kind of exploit technology.

BILL: This, I think, was the first ever example talked about in public of a what’s called a zero day of remote jailbreak. So not only was it a zero day, in other words, it could infect the latest iPhone, but it was a remote jailbreak, meaning it gave full access to the phone.

ROSE: Once Pegasus worms its way through your phone it can disable the Apple or Android automatic system updates. Yeah, those “annoying system updates” are usually full of new code that patches or fixes any of the vulnerabilities the makers discover. And Pegasus works hard to stay on your phone – without you ever knowing it.24

BILL: One of the interesting developments in recent years has been the professionalization of the exploit industry. In other words, the people who are finding these these bugs are no longer, you know, necessarily in their in their mother’s basement. But they are making six figure salaries, perhaps former employees of intelligence services going into the private sector.

ROSE: The business model of this cyber spyware company is based entirely in mining ways to break into iPhones and Androids. That is the backbone of their technology, it’s what supports their business, and it’s what their clients are paying top dollar to have.

NICOLE: So yeah, we’re in this cat, cat and mouse race that we’ve always been in, in security. You know, the good guys come up with the defense and then the bad guys come up with a way to exploit that defense.

ROSE: Pegasus is constantly evolving. The engineers who make it are always finding new vulnerabilities to hack into Apple and Android software. And Pegasus also has a kind of self-destruct mode if certain conditions are present.25

NANDO: Now that Bill Marczak had access to Pegasus infrastructure – he started to dig around:

BILL: There were a bunch of references in the spyware’s code to Pegasus. So that was our first clue. The second clue was the server that was used to distribute the spyware. So obviously you tap on the link. Your web browser navigates to that server in the link. So basically we fingerprinted the behavior of that server. So we found out which ones behaved in exactly the same way as the one in the link that was sent to Ahmed Mansour that we got the spyware from. And we were ultimately able to find 150, I think more than 150 of these servers. And some of them were connected back to NSO Group. They had been registered by NSOGroup.com.

ROSE: In 2016, there were only a couple of big name firms like Hacking Team, based in Italy26 or FinFisher27 (based in Germany) publicly advertising this kind of sophisticated spyware to government entities.

Both received scrutiny as private companies selling military grade spyware to the highest bidder. But, the NSO Group….?

NICOLE: And then one day. I had a source come to my house. And then he opened up his screen and said, Take pictures of my screen, print these out. Delete any evidence of it from your phone. And take a look at what this is. And it became very clear that all these documents that were sitting on my kitchen counter were marketing materials belonging to NSO group.

NANDO: Nicole started to research the NSO Group. Back at Citizen Lab, Bill was learning more about the Pegasus digital infrastructure.

One thing that Bill noticed about the domains Pegasus used was that they were eerily similar to legitimate institutions – like, one was a few letters different from the domains used by the Red Cross or from Al Jazeera News.28 By finding these domains, Bill and Ron were able to get some more insight into the company making Pegasus.

RON: So all spyware has to send data over the Internet. If I hack into your devices, I need to grab the data and send it somewhere. NSO has an infrastructure of command and control servers, some of which are on customer’s premises, some of which are in the cloud. But it all, all of that infrastructure has a certain, you know, signature, if you will, or signatures in the way that the spyware were communicating. Once we reverse engineered it, we started to get a good sense of how it all looks. So you’re kind of scanning the Internet, looking at how computers respond to certain queries, like knocking on doors.

ROSE: Citizen Lab discovered that the IP addresses matched the fingerprint to 237 servers linking Pegasus to the NSO Group. Now that Citizen Lab had NSO’s number (literally), they could watch them. And they did. In this process of reverse engineering Pegasus, Bill also had a front row seat to observing how NSO clients were using Pegasus.29

That’s after the break.

ROSE: At Citizen Lab, Bill Marczak was investigating the Pegasus infrastructure. He learned he could filter by individual clients. And as NSO clients are countries – Bill could isolate a single country’s list of targets.

BILL: And I think by volume, the biggest sources of activity we see are some of these Middle Eastern governments, maybe there’s some terrorists they’re going after. But I think their main concern is threats to the power of the government or threats to the monarchy.

NANDO: Back at the New York Times, Nicole Perlroth had to decide if she would write about the NSO group – but she had been burned before – exposing cyberwar companies didn’t hurt them – it often helped their business –

NICOLE: Basically, I was helping them advertise their product to a number of governments, so I didn’t want to do the same with NSO. So I waited until there was a clear cut case of abuse.

NICOLE: In the meantime I started asking around about NSO group and I was in the middle of that process when I got the call from Lookout and Citizen Lab that once again Ahmed Mansour’s phones had been basically tapped with a new form of spyware that they had traced back to NSO Group. So here I was with all these documents still littered across my kitchen counter, and I knew that was the moment to start putting it all together.

ROSE: A year after Bill discovered Pegasus on Ahmed Mansour’s phone, Ahmed was arrested by UAE officials.

A group of ten uniformed police officers raided the Mansour family home in the middle of the night. All of the family phones and laptops, even devices belonging to their children, were confiscated. Ahmed Mansour was taken to an undisclosed location.

[NEWS MONTAGE]

MALE: He is hard to see among the commotion, Ahmed Mansour–30
MALE: UN rights experts, the European Parliament, US Congress members, Nobel Prize winners, well-known authors, all condemned the imprisonment and treatment of Mansour by the UAE31
MALE: I was with Ahmed Mansour…he was not allowed to read…32

NANDO: For a year, Ahmed’s family did not know where he was and he was not allowed to see a lawyer.

In May 2018, Ahmed Mansour was sentenced to 10 years in prison for “defaming” the UAE on social media.

NICOLE: The stress is very real. And sometimes you forget it because the mission feels so important. There is not a day that goes by I don’t think about Ahmed Mansour and don’t want to scream. You know, he is sitting in solitary confinement, sitting in a digital prison for a very long time.

NANDO: Around the world, Ahmed Mansour is considered an inspiring activist. But his government considers him an enemy of the state.

ROSE: A year after Citizen Lab published their report and Nicole published her article in the New York Times, she started getting weird messages –

NICOLE: So it was actually pretty scary because I started covering NSO Group in the Times and then we started getting calls. I started getting calls and our Mexico bureau chief, Azam Ahmed, started getting calls from a series of people in Mexico who seemed like very random targets.

RON: Yeah. So Mexican government agencies appear to be one of the top clients for NSO in terms of government clients. Even on the basis of targeting, we could say that it was really quite shocking.

NICOLE: They said, I’ve been reading your stories about NSO, and I believe that I might have NSO’s spyware on my phone. And it turns out that, yes, all of these people had Pegasus on their phone and what they had in common. These were really random. Some of them were nutritionists, some of them were consumer rights activists, some were doctors.

RON: Health scientists and researchers who are working on putting a tax on sugary beverages to reduce consumption, they were targeted.

NICOLE: So by this point I knew Mexico was an NSO client. It’s one of Coca-Cola’s biggest customer bases. They have large market share in Mexico. So clearly someone in government was getting kickbacks from the soda industry or didn’t want to see this soda tax passed. And Azam and I put that story together and that led to more stories.

And we broke that story in The Times. And I would have to say that of anything I’ve covered, that generated the biggest response. People in Mexico took to the streets. They took to Twitter, here in the United States, even. But for days, uh, I was getting a lot of incoming text messages. Mine were “Check out this article” with a link. Okay. Check out. You’re going to want to see this with a link. But they were all from unknown numbers and by then I knew better than to click on any links, even if they were my husband. I got very paranoid about clicking on any links or attachments.

RON: So really quite a, a kind of epidemic of targeting in Mexico. But, you know when you add it all up, it’s like probably the most extreme, the best example of abuse using commercial spyware from our research.

NANDO: NSO Group, the Israeli tech company that makes this spyware – says that they only deal with vetted government actors who use this technology to target criminals and terrorists.

But our investigation shows that this technology is often misused.

DANA: Cyber weapons are being used to wage a war against individuals now. Not just against banking systems, or hospital systems, or a country’s power grid, or, you know, a country’s computer system…. But now, it’s me and you, because we all have these damn cell phones that are vulnerable, and because our laws have not caught up in any way to the weapons themselves. It’s Big Brother sitting on top of all these societies that are in an active battle for their political future. Even if you’re not surveilled, but you think everyone is, that changes your behavior. The circle of people that we now know were infected by Pegasus is five times greater than the one that we absolutely knew when we wrote the stories. NSO’s market is larger than we thought in the beginning.

ROSE: Who is the NSO Group, and how did they come to make Pegasus?

[MONTAGE FORESHADOWING NEXT EPISODE]

ALBERTO: NSO was selling for tens of millions.
OMRI: I was wondering if you guys can get into a device without asking for permission.
AMITAI: It’s not NSO, it’s the clients of NSO.
IAN AMIT: You have to target the wife of, the widow of, the daughter, the secretary…
ALBERTO: We knew that something was happening that was extremely bad.
AMITAI: But from the first customer, we know that there was abuse in the system.

ROSE: That’s on the next episode of Shoot the Messenger.

NANDO: Shoot the Messenger is a production of Exile Content Studio.

We are distributed by PRX.

Hosted by me, Nando Vila and Rose Reid. Produced by Rose Reid, Sabine Jansen, Nora Kipnis, and Ana Isabel Octavio.

Written by Rose Reid. With story editing by myself, Nando Vila and Gail Reid.

Production assistance by Alvaro Cespedes and Andrea Zevallos.

Daniel Batista oversees audio at Exile Content Studio.

Sound design and mixing by Pachi Quinones.

Executive producers are myself, Nando Vila, along with Rose Reid, Carmen Graterol, and Isaac Lee.

For more information on the status of journalists and freedom of the press – visit the Committee to Protect Journalists at cpj.org.

To learn more about EXILE, our other podcasts and films, visit exilecontent.com.