Season 01: Episode 04

Shoot the Messenger: Espionage, Murder and Pegasus Spyware continues with its fourth episode, exposing what really happened at WhatsApp when it was breached by Pegasus in 2019.

The WhatsApp breach is a critical moment because it has put everything the NSO Group has built at risk – calling into question their valuation of $2B, making a public enemy of Silicon Valley, and initiating several major lawsuits leading all the way to the Supreme Court. In many ways, this exploit changed the trajectory of the NSO Group and its Pegasus spyware. The continuous fallout – and potential legal precedents – could affect everyone with a smartphone.

Engineers Claudiu Dan Gheorghe and Otto Ebeling take us behind the scenes of what it was like to be working at WhatsApp that fateful day where Pegasus used an exploit on the WhatsApp software. Across the globe, we’ll see how the hacking of WhatsApp affected real people – like those fighting for independence in Catalonia, Spain.

Guests: Financial Times journalist Mehul Srivastava, Security Advisor Ian Amit, and former WhatsApp engineers who witnessed the Pegasus breach, Otto Ebeling and Claudiu Dan Gheorghe

ROSE REID: The Northeastern region of Spain – Catalonia – is known for its beaches, its mountains, wine, and gastronomy.1

One of Spain’s wealthiest regions, Catalonia is also the country’s #1 tourist destination,23 the famous home of Gaudi architecture4 and the FC Barcelona soccer club.

Catalonia has its own language. It has its own flag.5 It has its own national anthem. It self governs in health, education, and security.

It also has a strong independence movement, which is the source of an incredible amount of controversy in Spain.

In 2017, there was an unsanctioned referendum to vote on independence.6

This became a huge flashpoint that dominated headlines for months. The events of the day were dramatic. While turnout was low – less than half of registered voters participated – more than 90% of those who did cast a ballot voted to separate from Spain and form the independent country of Catalonia. And televisions around the world were filled with images of Police beating voters as they entered the polls:

MEDIA CLIP: Outside the crowds are cheering, fireworks are being let off. Catalonia has gone its own way from Spain. The first time this has happened in Europe.7
MEDIA CLIP: The Spanish Lion bit back against the Catalan demands that their independence will happen.8
MEDIA CLIP: As you can see here, police walking in – this is guerra civil – into this gymnasium…to try and make sure that no one casts their votes.9
MEDIA CLIP: Spain’s top court has sentenced nine Catalan separatist leaders to prison. The Supreme Court delivered sentences of between nine and thirteen years.10
MEDIA CLIP: Spain’s worst political crisis in decades.11

ROSE: The Spanish government declared the independence movement “unconstitutional,” and reacted quickly and aggressively. Hundreds of civilians were injured and 12 separatist politicians were arrested.12

Human Rights Watch reported Spanish police used excessive force during peaceful demonstrations. The UN High Commissioner for Human Rights called for an investigation into the violence.13

Prominent Catalan politicians had two options – flee their homes and live in self-exile, or stay in Spain, and face sedition charges with possible prison sentences.14

Many leaders of the independence movement fled. They continued to meet and organize in private across Europe. They communicated through encrypted messaging platforms like WhatsApp, Signal or Telegram – under the assumption that their communications were private and secure.

MEDIA CLIP: WhatsApp is accusing an Israeli based spyware company called NSO of selling technology to hack into the phones of 1400 WhatsApp users.15
MEDIA CLIP: It is believed that Pegasus used a bug in WhatsApp to penetrate smartphones.16
MEDIA CLIP: This is going to be really tough for WhatsApp. They’re known for their end-to-end encryption. They’re used by people who are very security minded.17

ROSE: This cluster of at least 65 phones18 that belong to Catalan politicians, lawyers and activists19 spanning five political parties – is the largest Pegasus cluster discovered to date.

This group is two times larger than any other cluster previously identified.20

Citizen Lab has confirmed that almost all the incidents of Pegasus infections took place between 2017 and 2020 – often occurring at key political moments.21

  • When the Catalan leadership initially met in the spring of 2017 to schedule the referendum
  • The day of the referendum in October of 2017
  • There’s evidence that infections correspond to the week of a politician’s arrest, trial, or even their weekend leave from jail.22

What we now know is that several members of the Catalan group were hacked with Pegasus through an exploit using WhatsApp.

OMRI LAVIE: I was wondering if if you guys can get into a device without asking for permission
AMITAI: It’s not NSO, it’s the clients of NSO.
IAN: You have to target the wife of, the widow of, the daughter, the secretary…
ALBERTO: We knew that something was happening that was extremely bad. But from the first customer, we know that there was abuse in the system

ROSE: This is Shoot the Messenger, a new biweekly investigative reporting podcast from EXILE Content Studio.

Every season, we investigate one international news story. You may have heard the headlines; this is the deep dive. I’m Rose Reid.

NANDO VILA: And I’m Nando Vila. When Rose and I started reporting on this project we had one question: what is the biggest threat to journalists today?

When we put up a bulletin board and stuck a pin for every journalist threatened or assassinated in the past 5 years, we found one repeating link over and over. From Mexico, to DC, to the United Arab Emirates: Pegasus.

Over the course of ten episodes, we’re doing a special partnership with the Committee to Protect Journalists for our first season, “Espionage, Murder, and Pegasus Spyware.”

MEHUL SRIVASTAVA: The NSO group had figured out that if you sent a specific kind of file to somebody’s WhatsApp number, it would allow them to take over control of the entire phone.
IAN AMIT: The more crafty the exploit is, the more subtle it will be.
CLAUDIU DAN GHEORGHE: It didn’t really seem like something very serious.
OTTO EBELING: I would describe this as like a jigsaw puzzle.

NANDO: Pegasus spyware takes advantage of a software flaw to overwhelm a smartphone and infiltrate its way in. The NSO Group, the company that makes Pegasus spyware, has said that when their engineers look for vulnerabilities – they’re looking for a “silver bullet” – to use one flaw to break into as many phones as possible.23

In the spring of 2019, the NSO Group used an exploit on WhatsApp to target 1400 phones.

Breaking into WhatsApp – and getting caught – marked a pivotal shift for the NSO Group.

ROSE: In the previous episode, we covered The NSO Group’s origins and rise to success over the past decade within an industry that is mostly unregulated.24

The WhatsApp breach is a critical moment because it has put everything the NSO Group has built at risk. The breach started a chain reaction of negative events for the NSO Group, calling into question their valuation of $2B, making a public enemy of Silicon Valley, causing them to be blacklisted in the US, and initiating several major lawsuits leading all the way to the Supreme Court.

In many ways, the exploit changed the trajectory of the NSO Group and its Pegasus spyware. The continuous fallout – and potential legal precedents – could affect everyone with a smartphone.

This is Episode 4: The Day Pegasus Breached WhatsApp.

NANDO: WhatsApp is the world’s most popular messaging app. More than 100 billion WhatsApp texts are sent a day. WhatsApp currently has more than two billion monthly users.25 That’s a quarter of the world’s entire population26 reflecting more than 60 languages across 180 countries.2728

Meta, formerly known as Facebook, acquired WhatsApp in 2014 for nineteen billion dollars.29 With the new acquisition, Facebook invested in end-to-end encryption – and made a commitment to privacy:

MEHUL: All around the world, people who were using WhatsApp, were convinced that it was secure. WhatsApp has always been ahead of other messaging apps and having end-to-end encryption — they were trying their best to make sure that people were using WhatsApp in the most secure way possible.

ROSE: This is Mehul Srivastava, a reporter for the Financial Times.

MEHUL: My name is Mehul Srivastava. I’m the cyber security correspondent for the Financial Times,30 and I’m based in London right now. But for the last five years before this, I was based in Israel, and that’s where I covered the surveillance industry, including the spyware maker NSO.

NANDO: Mehul first started reporting on Pegasus when he covered the story of Omar Abdulaziz.

MEDIA CLIP: We start with the CNN exclusive. New insight now into the murder of journalist Jamal Khashoggi and one of the unanswered questions: why was he killed?31
OMAR: The hacking of my phone played a major role in what happened to Jamal. I’m really sorry to say that.32

ROSE: You may recall from a previous episode, Omar Abdulaziz is a Saudi dissident living in Canada, who was in frequent communication with Jamal Khashoggi.

Omar’s phone was hacked with Pegasus months before Khashoggi’s murder. Hundreds of text messages between them were compromised by the Saudi government.33 Citizen Lab discovered that Omar was a target by reverse engineering a copy of Pegasus.

In 2019, Omar Abdulaziz brought a lawsuit against the NSO Group in Israel. However, lawyers were not allowed to speak to the press about the case – and this caught Mehul’s attention:

MEHUL: So in Omar’s case, because the lawsuit was taking place in Israel, we were able to speak to the lawyers who were suing NSO on behalf of Omar Abdulaziz. The court case in Israel had been off and on under a gag order, which means that the lawyers involved are not allowed to say anything to journalists until after the point of the gag order being issued. The fact that a court case is being held in secret is incredibly compelling news to a journalist like me.

ROSE: The secrecy surrounding the case prompted Mehul to look deeper at the NSO Group.

MEHUL: To me, that meant that if I can’t report on the court case because an Israeli court is holding the case behind closed doors, I’m going to go report on the company instead. By pure chance, some of the people that I spoke to described to me a sales presentation. In the process, they let loose a very simple fact that the easiest way into somebody’s phone at that point in time, in spring of 2019, was a vulnerability in the secure messaging app WhatsApp.

ROSE: Privacy has been a hallmark for WhatsApp. The CEO of Meta, Mark Zuckerberg claimed that with the rollout of end-to-end encryption in 2016,34 that this would be “the first global messaging service at this scale to offer end-to-end encrypted messaging and backups” and that getting there was “a really hard technical challenge.”35

There are WhatsApp billboards that read: “Text like no one’s watching.” The app promises a new era of personal privacy.36

MEHUL: It’s ubiquitous all around the world. Everybody’s phone has it. I have it. Every source that I speak to has it. And at some point between 2018 to 2019, the NSO group had figured out that if you sent a specific kind of file to somebody’s WhatsApp number, it would allow them to break out of the WhatsApp “sandbox,” is what technical experts call it, and take over control of the entire phone. It would download Pegasus. It would delete all evidence of ever having been hacked. And you would then be able to take over a phone completely in the background.

NANDO: The NSO Group has sales people around the world. They will visit an expo, or set up a private meeting with a government agency. They have marketing materials showcasing exactly how Pegasus works and what it can do. Sometimes they leave these documents, or PDFs, behind with potential clients:

MEHUL: Now, those PDFs I have seen. And then in other cases, you can’t really see the document. But, you have somebody describe what the sales demonstration is like. So, for instance, we know that the CEO Shalev Hulio flew there and he met with representatives of Saudi government, they discussed how the tech works, how impressed the Saudis were that you can go out to a store, buy an iPhone, bring it to this conference room, and representatives of NSO can type something on on a keyboard. And within 20 minutes, the camera on the phone’s been turned on the microphone on the phone, the recording, everything that happened in the room and the way it was described to me and people who were in the room and what other people had heard of that demonstration is that it was it’s quite an eye popping presentation.

ROSE: At the same time the NSO Group was sharing this presentation with potential customers, trials began for the Catalan leaders who participated in the unsanctioned referendum. 500 witnesses were called to testify, broadcasted live on television.37

MEDIA CLIP: Catalan President Carles Puigdemont he’s been living in exile, along with other members of the Catalan government, those who haven’t been jailed.38
MEDIA CLIP: The former leader of Spain’s Catalonian region has gone on trial.39
MEDIA CLIP: The rebellion charges facing some of the leaders will only stick if it’s proved they incited the violence seen when the referendum took place in 2017.40

ROSE: At the same time these trials of political prisoners were taking place in Spain – six thousand miles away… in northern California,41 a few engineers at WhatsApp noticed something… unusual…

CLAUDIU: It was an engineer in my team who discovered a really suspicious message as part of a security related project that he was working on. The engineer alerted other team members.

ROSE: Claudiu Gheorghe was working on the Meta campus in May of 2019. Claudiu managed a team of seven people responsible for WhatsApp’s voice- and video-calling infrastructure.42

CLAUDIU: I’m Claudiu Gheorghe. I am a software engineer. I live in San Francisco Bay Area. I joined Facebook now called Meta in 2012 as a full time engineer. I worked in various teams, but I worked also on WhatsApp. While I was at WhatsApp working on the voice and video calling infrastructure, I had a chance to discover an ongoing attack, using WhatsApp vulnerability related to voice and video calling, using a zero click exploit. And it’s something that the industry has not seen before. And initially as the breach was being investigated, it didn’t really seem like something very serious, because with the scale that we operate on at WhatsApp, you almost always find suspicious and weird things.

OTTO: My name is Otto Ebeling. I worked at the Meta for slightly over eight years. One day I came to the office and there was a lot of like messaging, chat threads and everything going on about some suspicious activity related to WhatsApp signaling messages. Weird things happening is not unusual since these systems are so huge that if you go looking for something weird or something that you don’t understand, that happens all the time, given that there’s like billions of users and lots of servers. But in this case, there was also this, like, very suspicious element that warranted further research.

CLAUDIU: So the most important aspect was, is this like a real issue? And it really took a while until we were all convinced that what we discovered was an actual attack and not just, a random phone on the Internet misbehaving.

ROSE: Anomalies observed in day to day software functions are routine. And there are reasons for strange or unfamiliar code to appear – it could be from an older version of software – or it could be a simulated test by management. In 2019, Otto and Claudiu were two of the 35,000 Facebook and WhatsApp employees focused on safety and security – a big initiative for the company.43 A part of the job is looking for vulnerabilities in the software – like checking suspicious phone calls that go through the app – sometimes referred to as signaling messages.

There were calls going through WhatsApp that had something strange in the code for the ringtone…

OTTO: Basically we’ve seen elsewhere how some attacks work. And this seemed like it’s consistent with the attack pattern. So we see that this is kind of the payload. But how it will run that we don’t know or in general what is happening that we don’t understand. So this just kind of kickstarted an investigation. And the job of the team, like the part I was more involved in, our task was just to figure out, how did they get in? Like, how did this attack actually work from like, a variability point of view? What’s the underlying bug in the code that would need to be fixed?

ROSE: Working under the clock, Claudiu’s team began to find the answers to these questions. Claudiu explains.

CLAUDIU: They used this fake client that would essentially exploit this gap in our WhatsApp client. And that gap allowed the attacker to pretty much gain a remote control of the application. It was based on video calling. So you would see the phone ringing. And if it was successful, it would actually remove the call log. So you wouldn’t be able to see that you had a call.

NANDO: The WhatsApp engineers identified 1400 targets – they didn’t know who the targets were – but they understood one thing. If there are billions of people using WhatsApp, and 1400 are being targeted with a spyware like this that has never been witnessed before – these WhatsApp users were very specific targets.

CLAUDIU: I think the scale was clearly something that was making everyone nervous. The scale was actually really low for this, which confirmed the sophistication of the attack. So typically, if you have a capability that is so advanced and sophisticated, as an attacker, you don’t want to overuse it because the more you use it, the more you expose yourself. So it’s very common for these kind of attacks to be low key. So they don’t attract attention. We were seeing targeted attacks, very low number of attempts compared with the overall traffic that we had, which made sense like it was basically more of a confirmation of the fact that this was a really sophisticated and rare attack that we were witnessing.

ROSE: Claudiu and Otto had the unique opportunity of witnessing the Pegasus attack in real time. The features that the NSO sales team were selling in their eye popping presentations were actually being used right in front of the WhatsApp engineers. The NSO Group had found a flaw in WhatsApp ringtones – and NSO clients were now able to infiltrate targeted phones that had WhatsApp on them.

Security practitioner Ian Amit explains how this kind of exploit works:

IAN AMIT: If I manage to get the operating system or the target system to a state where it is a little more vulnerable, it is a little more fragile, where, you know, all I need to do is just add a little more stress, add a little more data, overwhelm it just just a little beyond what it was designed or thought it could do. It’s in those moments where the original developers of the system just didn’t think about handling such a huge volume of data.

OTTO: From a technical point of view, the attackers had studied WhatsApp very carefully and they repurposed various features in quite creative ways. To make the attack work and also work in different phones and also specific attention paid to make it somehow less visible.

NANDO: Engineers who have watched Pegasus work in real time marvel at how stealthy, and even ‘brilliant’ the code is.

In fact, it’s more difficult to trace Pegasus on Android phones because Androids have more malleable operating systems – and partly – because Citizen Lab forensics are more developed within Apple’s iOS.

This made Citizen Lab’s Catalan investigation harder – Spain has a high rate of Androids – in 2021 it was reported around 80%. Therefore, Citizen Lab believes that its report of the 65 phones targeted with Pegasus in the Catalan cluster is heavily undercounted.44

For the WhatsApp engineers who were witnessing 1400 phones being attacked in real time – they knew that behind every target – behind every infected ringtone – was a real person.

OTTO: People send all kinds of confidential communications over various products. So if those get exposed that is one of the biggest consequences we can think of. And with the case of a phone, like if someone’s phone gets compromised, it might kind of become a listening device.

CLAUDIU: We never built WhatsApp and the voice and video calling thinking that it could be used for spying. Like we literally never thought about that before we discovered this attack.

ROSE: This was the most sophisticated, calculated attack in WhatsApp history. Mark Zuckerberg was alerted. It’s reported that he called the attack “horrific.”45

It was an all-hands on deck issue at the company. Both engineers and leadership at WhatsApp were filled with questions – who was behind this attack? And who were the targets? WhatsApp engineers needed to allow the attack to continue long enough to learn as much as possible about how this malware worked, so they could prevent more attacks in the future. But if they let it go on too long they ran the risk of even more WhatsApp users being targeted.46

OTTO: That’s the exciting but also the scary part that you’re kind of under this clock that, you know, it was also during the investigation, the attackers were still using this attack. So it was kind of ongoing while we were investigating it.

ROSE: WhatsApp had to be very careful about their next move.

Should WhatsApp notify the authorities? Top executives worried about the chances that authorities could also be a client of this very same spyware…47

This – it turns out – was a valid concern – just a month after the breach the New York Times reported that the FBI was testing a version of Pegasus it purchased from the NSO Group.

WhatsApp’s top executive met with Facebook’s head of security. They decided not to notify law enforcement immediately. They would investigate the attack on their own.48

Leadership instructed engineers to find out more about the attacker – without tipping them off…

OTTO: Would you just put some sort of measure in place to just block the current attack without understanding it fully? It could be that we only saw one part of the attack and the rest we weren’t able to see. And if the attackers then stopped, we might never see those other parts. And then maybe they would come back later when we’re not watching. Maybe they would put extra effort to try to evade us. Now that they know which part we saw.

ROSE: Otto and Claudiu – along with dozens of other engineers – were given instructions to find out as much as they could in 48 hours.

Teams worked across the globe to find the perpetrators behind the breach –

CLAUDIU: It was a large team effort. It was at least a dozen people trying to reverse engineer – that’s what we call when we try to look at what’s happening and trying to understand and make sense of the attack and of the steps that we’re taking and really just gain understanding of the attack. So this was a really important step in the investigation. And it was happening for many days involving dozens of people all over the globe, who were part of the team trying to help out.

NANDO: Claudiu and Otto worked in tandem – sitting at their computers from 6 in the morning until they couldn’t keep their eyes open anymore. They would message a fellow engineer, and sleep in shifts:

CLAUDIU: It was a really intense week. It was really intense just because of the volume of, of the work and of the pressure. Everyone wanted updates. So I would come home and then get a few hours of sleep — just enough to get me started to the next day.

ROSE: Facebook’s security team made a decision – they would simulate an infected device – if they were able to successfully do that, they could get a copy of Pegasus. But Claudiu says it didn’t work – they couldn’t trick Pegasus that way. WhatsApp was never able to get their hands on a copy of Pegasus.

However, WhatsApp engineers were able to trace data from the breach to identify IP addresses used by the NSO Group.

CLAUDIU: Personally, I haven’t seen such a sophisticated attack on a production system ever. Obviously, I did know theoretically and practically, like how some parts of the attacks work, like how a buffer overflow, for instance, which is one of the part of the attack. Like I knew how that works, but I’ve never witnessed that live being used against the production system ever before. We all knew that we’re, we’re working on something extremely important, extremely rare. And we knew that this is very important not just to WhatsApp, but to really the whole world. And it was definitely a combination of pressure and excitement and fear in the same time.

ROSE: The engineers were able to gather more data and found something surprising –

OTTO: Rickrolling is this – maybe you can call it trolling technique – so it’s just as a joke you send to your friend some sort of link that say, like, Hey, here’s the results of the football game or some sort of link that they would click expecting one thing, and then they would be greeted with this eighties music video by Rick Astley where they where he sings this “Never going to give you up” song.

CLAUDIU: They’ll look at the view count. So if it’s a bot, they’ll always ignore it. But if it’s a human, they’ll be like, Oh, wow, there’s a YouTube link. I’m curious. So typically a human would go check out the link and see what it is, so they would see it in the view count of YouTube.

ROSE: WhatsApp engineers who found the malware packets with the YouTube link theorized that the engineers on the other side – likely sitting behind a monitor at the NSO headquarters, were watching the YouTube view count.49

WhatsApp engineers believed they were successful staying undetected by the NSO Group – and were now able to compile a list of the targets.

There were a lot of countries, and a lot of agencies.

NANDO: WhatsApp executives felt the mission was completed – they had gathered enough materials on the perpetrators, and it was time to shut down the vector that made it possible for Pegasus to breach WhatsApp.50

ROSE: Engineers created an update that closed the loophole, effectively kicking out anyone on the other side using Pegasus. WhatsApp then issued a software update to all their users worldwide.51

And then, WhatsApp leadership made a public announcement – saying they had been breached by a malicious spyware, and that 1400 WhatsApp users were targeted:

CLAUDIU: The Monday when we made the public announcement, I think it was extremely stressful for me. It was this incredible fear that we’re going to go public about this and everyone is going to make fun of us. Everyone is going to say “WhatsApp is so bad at security. They have no idea what they’re doing.” So I was really afraid of the public perception on what happened. It was up to the world to kind of judge and decide.

ROSE: After WhatsApp made a public announcement about the breach, Mehul published the story in the Financial Times – the response was immediate and overwhelming.

MEHUL: So it’s a very interesting thing. So our story on the vulnerability in WhatsApp that NSO was exploiting in order to deliver Pegasus, it went viral in a way that nothing that I’ve written in the past had gone. It was fascinating because I think all around the world, people were using WhatsApp, were convinced that it was secure. WhatsApp has always been ahead of other messaging apps and having end-to-end encryption — they were trying their best to make sure that people were using WhatsApp in the most secure way possible. And in my dealings with WhatsApp, they were incredibly responsive to the possibility that their system was being abused to deliver Pegasus. They responded as quickly as they could. They sent an update out as quickly as possible. They monitored for as long as they could before they could fix it. Now, the minute WhatsApp closed that vector, they fixed the loophole, it’s not like the company went under. They had what they call backup vectors, other ways to get on to people’s phones. You saw immediately after that that they were using Apple. When they sued them, they found two different vectors that they used, including forced entry and a couple of other ones. So one closes, another stays open, and what they promise to their clients is zero click entry. So after that, my understanding is that there was an instruction that whatever the vector is will never be mentioned. It will remain within a very closely held group at the company and sales people don’t need to know what the vector is right now.

ROSE: WhatsApp worked with Citizen Lab to reach out to the 1400 people who were targeted by the hack. It would take a year to notify all the targeted users:

MEHUL: The number of people whose phones were being hacked, they worked with Citizen Lab and others to identify people who had been hacked, who were members of civil society. They informed them, they helped them how to help them keep themselves safer. And I thought that was exactly the right way that a tech company should respond.

ROSE: A senior fellow at Citizen Lab observed that many people he reached out to were upset or sad, but “in a deep way not surprised, almost relieved, as if they were getting a diagnosis for a mystery ailment they had suffered for many years.”

Citizen Lab was then able to determine that at least five people within the Catalan cluster were hacked with the WhatsApp exploit.5253

The NSO Group has declined to confirm if Spain is a client. However, Spain does have a complicated history with surveillance dating back to the Franco era – and they even had a contract with Hacking Team.

In his reporting for The New Yorker, journalist Ronan Farrow received confirmation from a former NSO employee that Spain had a Pegasus account – and analysis by Citizen Lab suggests that the Spanish government has used Pegasus.54

And it’s important to note, that as Spain ruled the vote was unconstitutional – therefore the referendum itself was “illegal” – if Spain had used Pegasus to target the Catalan officials – it would qualify as targeting actors conducting illegal activity in the state.

NANDO: Many activists fear what kind of materials or communications can be compromised if obtained from their phone, but security practitioner Ian Amit explains there’s much more to worry about than just the access itself.

IAN: Getting that system into an unpredictable state. What happens after that is you essentially take over the system in a way that you have absolute, full control over that target system, over that iPhone. And at that point, you can do whatever you want with it. And customers, by the way, some of the features that they want is the ability to manipulate data, to implant data on the phone, you know, to put. You know, child pornography on your phone so that the next time you go through TSA or you, you know, you fly to some European state or whatever it is, someone can say, hey, can you step aside? I want to look at your phone. And lo and behold, now you’ve got some explaining to do.

ROSE: For the WhatsApp engineers – they fully understand the stakes:

CLAUDIU: We all operate with the high level of duty. We all feel extremely responsible for the systems that we create. Writing software is a really personal experience to me. If I write a system or a component of the system and I know is misbehaving or is not designed properly, I feel really bad about it. I feel very responsible and I’m always really excited to learn how it’s being misused or learn how is ineffective and make it better.

ROSE: It was a year after the breach that WhatsApp and Citizen Lab confirmed the largest Pegasus cluster and notified the Catalan politicians and activists.

The list of Pegasus targets included almost every high ranking Catalan politician from the past decade.

MEDIA CLIP: We had four presidents of the Catalan government, two presidents of the Catalan Parliament, two other cabinet members of the Catalan government, 31 MPs of the Catalan Parliament, our Spanish Parliament or leaders of political parties. Three members of the European Parliament. Three lawyers of the political prisoners or the exiles.55
MEDIA CLIP: The newspapers said Roger Torrent and two other separatist politicians were warned by researchers working with WhatsApp that their phones were broken into using a spyware called Pegasus made by Israel’s NSO Group.56
MEDIA CLIP: Well, good afternoon. But it turns out you have Pegasus.57

NANDO: The acting president of Catalonia’s Parliament, Roger Torrent, had been infected with Pegasus.58

Many of the Catalan politicians who stood trial and were sentenced to prison had Pegasus on their phones.

ROSE: Citizen Lab has found that the timing of Pegasus infections coincided with major political moments – including the planning and holding of the referendum but it was also pervasive throughout the entire trial of the Catalan politicians facing sedition charges, and activated again and again when the imprisoned politicians had weekend leave from jail.

Many family members and spouses were impacted within the Catalan cluster. A Citizen Lab researcher based in Spain — Elies Campo — was working to identify those targeted with Pegasus in this cluster. He himself was targeted – even when he was traveling within the United States.

And his parents were targeted. His parents are physicians and had access to ‘medical records’ and other confidential information on their phones. His father was even infected through his hospital-issued phone. His mother’s phone was infected with an exploit that had never been seen before59 – this speaks to the continuous evolution of Pegasus spyware.60

ELIES CAMPO: If Pegasus works, it's a traffic light that…

NANDO: The European Parliament has formed a committee to look into the use of Pegasus in Europe. Reuters has reported that senior officials on the European Commission have been targeted by NSO spyware.61

ROSE: Last year, the nine Catalan politicians who were sentenced to prison have since been pardoned.62

But the aftershocks of the WhatsApp Breach are still reverberating through the NSO Group – now they have made such powerful enemies. On our next episode – the NSO Group faces lawsuits from WhatsApp and Apple – and they find new adversaries in the world’s tech giants like Microsoft, Google, Cisco, Dell, and even… the US Supreme Court.63

MEDIA CLIP: Apple has actually taken the step of suing Israel’s NSO Group to curb the abuse of state sponsored spyware.64
MEDIA CLIP: Now, WhatsApp, part of the Facebook empire, with a billion and a half users around the world is taking one of the biggest players to court.65
MEHUL: This response from WhatsApp to identify victims and then to sue both on its behalf and on their behalf, this weapons manufacturer all the way in Israel.
KYLE MCLORG: One of the things that we really looked at when we were getting ready to write this brief was the importance. What does it mean if NSO gets its way here? I mean, the whole business model is dependent on secrecy and lack of transparency.

ROSE: That’s on the next episode of Shoot the Messenger.

We’d like to say special thanks to the reporting from Citizen Lab, The Guardian, and Ronan Farrow and the New Yorker for the reporting showcased in this episode.

We’d also like to note that this episode has been updated with changes two days after initial publishing.

NANDO: Shoot the Messenger is a production of Exile Content Studio.

We are distributed by PRX.

Hosted by me, Nando Vila and Rose Reid. Produced by Rose Reid, Sabine Jansen, Nora Kipnis, and Ana Isabel Octavio.

Written by Rose Reid. With story editing by myself, Rose Reid and Gail Reid.

Production assistance by Alvaro Cespedes, Andrea Zevallos, and Stella Emmett.

Daniel Batista oversees audio at Exile Content Studios.

Sound design and mixing by Pachi Quinones.

Executive producers are myself, Nando Vila, along with Rose Reid, Carmen Graterol, and Isaac Lee.

For more information on the status of journalists and freedom of the press – visit the Committee to Protect Journalists at cpj.org.

To learn more about EXILE, our other podcasts and films, visit exilecontent.com.

And we want to hear from you – find us on Twitter and Instagram @exilecontent.

Or, send us a voice memo with your questions about Pegasus to stm@exilecontent.com.