A senior Human Rights Watch official reportedly had her cellphones repeatedly hacked by an NSO Group client while investigating the August 2020 catastrophic explosion that killed more than 200 people in Beirut.
The alleged hacking of Lama Fakih, a US-Lebanese national and HRW’s Director of Crisis and Conflict, is the latest example of NSO’s powerful surveillance tool, Pegasus, being used by the company’s clients to target activists and journalists.
HRW said Fakih was warned by Apple on November 24, 2021 that her personal iPhone could be subject to a government-sponsored attack. An investigation by HRW’s security team, reviewed by Amnesty International’s Security Lab, found that Fakih’s iPhones appeared to be infected with Pegasus through a so-called “zero-click” exploit that allows spyware operators to use a phone without the cellphone to infect user who does anything e.g. B. Clicks on a link.
The news comes as NSO has been hit with a string of bad news both at home and abroad. In November, the company was placed on a US blacklist by the Biden administration, which said it had evidence the Israeli company was enabling foreign governments to carry out “transnational repression.”
NSO has also been embroiled in a domestic political crisis in Israel after a report by Calcalist alleged that the Israeli police used Pegasus to gather information for investigative purposes without legal oversight. The report prompted Israeli Attorney General Avichai Mendelblit to announce an investigation into police use of the spyware against Israelis. NSO said in a statement in response to the report that it has no control over how its customers use the spyware.
On Tuesday, NSO chairman Asher Levy said he was stepping down as chairman of the company but denied the move had any connection to recent developments. Levy said he was appointed to the role by NSO’s previous private equity owners, but management of the fund that owns the company has been transferred to a new company.
“Any attempt to portray this move as the result of an NSO-related disclosure as today’s resignation is completely wrong,” Levy said. “I am full of appreciation for NSO, the life-saving technology it is developing, the company’s management and employees, and the unparalleled ethical policies the company has implemented.”
In a statement Tuesday, NSO said it was a “profitable business” and believed an international regulatory structure should be put in place to ensure responsible use of cyber intelligence tools.
“However, any call to suspend these life-saving technologies until such a structure is in place is naïve and would only benefit the terrorists, pedophiles and criminals who evade surveillance and arrest,” the spokesman said.
NSO declined to respond to the Guardian’s questions about Fakih’s case, but the company told HRW that it “is now aware that an active customer is using [its] Technology Against Human Rights Watch Staffer” and that it would open an initial assessment of claims that Fakih had been hacked.
If used successfully, a user of the Pegasus spyware can intercept phone calls, see a target’s photos, read their messages, and turn the phone into a remote-controlled listening device. NSO has stated that its customers should only use the spyware to target serious suspected criminals.
HRW claimed its analysis revealed that Fakih’s two devices were hacked between April 6, 2021 and August 23, 2021. The human rights group could not identify the client who may have been responsible for the alleged hacking, but said Fakih oversees the crisis response of countries including Israel/Palestine, Kazakhstan, Ethiopia, Syria, Myanmar, Lebanon, Afghanistan and the US.
In an interview with the Guardian, Fakih said she was most intensively working on an investigation into the “Beirut blast” at the time she was allegedly hacked. She was also involved in projects with Gaza and Ethiopia during this period.
“I worked 24/7,” she said, adding that on April 5, a day before the alleged attacks began, she created a “Beirut blast” folder on her shared drive.
“I’ve always been very careful about my physical security … but nothing has ever happened to me that made me think I was compromised in any way, that my data was hacked, or that things were leaked,” she said.
“So when I got this notification from Apple, there was a certain disbelief that this had happened to me,” she added.
Fakih, a Michigan native, said she has always endeavored to keep her personal life private and to protect the privacy of the people she communicated with in her work.
“And then suddenly I infected my phone. So I have thousands of photos of my little kids or photos of my wedding and all these deeply personal and meaningful memories that suddenly weren’t mine anymore. And that made me very insecure,” she said.
“My entire career has been about protecting people’s rights. And suddenly they were trying to use that work to undermine them.”