Investigation Finds NSO Malware Being Used By The Bahrain Government To Target Activists And Dissidents

from the truly-unsurprising-development dept

More bad news for Israeli malware purveyor NSO Group. Despite its contradictory and simultaneous claims that it does not allow its customers to abuse its products and that it has no way of monitoring use of its products, more evidence continues to surface that shows the company's customers are deploying NSO's malware to target journalists, activists, prominent politicians, and religious leaders.

Citizen Lab -- which has uncovered plenty of abusive use of NSO malware previously -- has released another report showing an abusive government abusing NSO spyware to spy on activists opposed to the country's current leadership. The investigation also confirms something NSO has repeatedly denied: that the list of numbers leaked to journalists and investigators is actually a list of potential targets of NSO's customers. That list included plenty of journalists, activists, politicians, and religious leaders.

Perhaps the most worrying thing about this report is the use of an exploit that bypasses security measures activists would logically adopt: refusing to click on links sent by unknown senders.

We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.

The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).

And here's at least partial confirmation that the leaked list of potential targets has something to do with NSO Group and its customers:

We shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers associated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to several years ago.

If NSO Group is serious about preventing abuse of its products, the first step it could take is refusing to sell exploits to abusive governments. As Citizen Lab points out, Bahrain's government has a long history of human rights abuses. While things improved slightly and briefly around the turn of the century, everything reverted back to the abusive mean a decade later, when reforms were rolled back and the government went back to imprisoning and torturing dissidents, critics, and anti-government activists.

And you can't find people to jail and torture without domestic spying, which the Bahraini government enthusiastically engages in. That apparently includes spying on activists and dissidents who have left the country. The report says two Bahrain citizens who now live in London were hit with NSO malware. But this may have been a proxy hack on behalf of the Bahrain government. Citizen Lab notes it has only seen the Bahrain government deploy malware in its own country or in neighboring Qatar. So, these hacks may have been performed on its behalf by a friendly government with its own set of NSO malware.

In conclusion, NSO Group is complicit in the surveillance, imprisonment, torture, and silencing of activists around the world. The company claims it is selective about who it sells to and that it takes action when there are reports of abuse, but neither of these statements can possibly be true.

While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group.

Once again, if NSO's statements about preventing abuse are going to be taken seriously, the company needs to dump customers with proven track records of human rights abuses. That's the bare minimum it can do to prevent its exploits from being used to target people governments just don't like. If these tools have been developed to fight dangerous crime and terrorism, the worst thing to do is place them in the hands of governments whose actions are criminal and often indistinguishable from terrorism.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: activists, bahrain, dissidents, malware, pegasus, spyware, surveillance
Companies: citizen lab, nso group