Earlier this year, Faustin Rukundo’s phone started to ring at odd times. The calls were always on WhatsApp — sometimes from a Scandinavian number, sometimes a video call — but the caller would hang up before he could answer. When he rang back, no one would pick up.
Mr Rukundo, a British citizen who lives in Leeds, had reason to be suspicious. As a member of a Rwandan opposition group in exile, he has lived for several years in fear of the security services of the central African nation where he was born.
In 2017, his wife, also a British national, was arrested and held for two months in Rwanda when she returned for her father’s funeral. Unidentified men in black suits have previously queried her co-workers about her route to the childcare centre where she works, he says. His own name has shown up in a widely circulated list of enemies of the government of Rwanda titled “Those who must be killed immediately”.
In the two decades since Paul Kagame became president of Rwanda, dozens of dissidents have disappeared or died in unexplained circumstances around the world. In response, those willing to criticise the regime or organise against it, such as Mr Rukundo, say they have learnt to be cautious, masking their presence on the internet and using encrypted messaging services such as WhatsApp.
But the missed WhatsApp calls were more ominous. Powered by a technology built not in Rwanda but in Israel, the calls were a harbinger of Pegasus, an all-seeing spyware so powerful that the Israeli government classifies it as a weapon. Developed and sold by the Herzlia-based NSO Group, which is part-owned by a UK-based private equity group called Novalpina Capital, Pegasus was designed to worm its way into phones such as Mr Rukundo’s and start transmitting the owner’s location, their encrypted chats, travel plans — and even the voices of people the owners met — to servers around the world.
Since 2012, NSO has devised various ways to deliver Pegasus to targeted phones — sometimes as a malicious link in a text message, or a redirected website that infected the device. But by May this year, the FT reported, NSO had developed a new method by weaponising a vulnerability in WhatsApp, used by 1.5bn people globally, to deliver Pegasus completely surreptitiously. The user did not even have to answer the phone, but once delivered, the software instantly used flaws in the device’s operating system to turn it into a secret eavesdropping tool.
WhatsApp quickly closed the vulnerability and launched a six-month investigation into the abuse of its platforms. The probe, carried out in secrecy, makes apparent for the first time the extent — and nature — of the surveillance operations that NSO has enabled.
In recent days, the University of Toronto’s Citizen Lab, which studies digital surveillance around the world and is working in partnership with WhatsApp, started to notify journalists, human rights activists and other members of civil society — like Mr Rukundo — whose phones had been targeted using the spyware. It also provided them with help to defend themselves in the future.
NSO — which was valued at $1bn in a leveraged buyout backed by Novalpina in February — says its technology is sold only to carefully vetted customers and used to prevent terrorism and crime. NSO has said it respects human rights unequivocally, and it conducts a thorough evaluation of the potential for misuse of its products by clients, which includes a review of a country’s past human rights record and governance standards. The company believes the allegations of misuse of its products are based on “erroneous information”.
The NSO Group said in a statement: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists.”
But WhatsApp’s internal investigation undercuts the efficacy of such vetting. In the roughly two weeks before WhatsApp closed the vulnerability, at least 1,400 people around the world were targeted through missed calls on the platform, including 100 members of “civil society”, the company said in a statement on Tuesday.
This is “an unmistakable pattern of abuse”, the Facebook-owned business said. “There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they live. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”
The two-week snapshot provides a rare glimpse of how some of NSO’s clients use its spyware — with greater frequency than previously known, and often to monitor people unrelated to terrorism or criminal activity.
Those targeted include people from at least 20 countries, across four continents, with many showing clear evidence that the attempted intrusions had nothing to do with preventing terrorism, says John Scott-Railton, a senior researcher at Citizen Lab. The targets include several prominent women who have had intimate material released; opposition politicians; prominent religious figures of multiple faiths; journalists, lawyers and officials at humanitarian organisations fighting corruption and human rights abuses. Some have previously been the subject of assassination attempts and face continuous threats of violence. It appears that the surveillance originates from multiple customers of NSO’s technology, he adds.
“This is in stark contrast to NSO’s claim that there is not a systematic pattern of abuse — rather, it indicates that there is a global pattern of abuse,” says Mr Scott-Railton. “The window that this represents shows us that anyone looking systematically at how this technology is used will find a similar pattern.”
