At least nine Bahraini nationals were targeted and had their phones remotely hacked using the Israeli-made Pegasus spyware, Citizen Lab claimed in a new report published Tuesday.
The NSO Group blasted the report’s findings as technically “impossible” and called its publication “irresponsible.”
A spokesperson of the Bahraini government called the findings "based on unfounded allegations and misguided conclusions."
Toronto-based Citizen Lab has long researched and investigated alleged abuses by the NSO Group’s spyware. According to the probe by the digital rights group’s forensics lab, the iPhones of all nine Bahrainis were “successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021.”
Haaretz previously revealed that Bahrain is a client of NSO.
The findings seem to confirm some of the details revealed by Project Pegasus, Citizen Lab said, referring to the leaked database of potential targets selected by NSO’s clients and obtained by Forbidden Stories as part of a recent global investigation in which Haaretz also participated. Citizen Lab added that the phone numbers of those targeted in Bahrain were also based on the same database.
The report said the victims’ phones were broken into using what is known as a “zero-click” exploit, taking advantage of the iPhone’s iMessage to compromise the devices. A zero-click exploit does not require the victim to click on any link for the nefarious spyware to be installed on their phone. Once Pegasus is installed, it gives the hacker full access to a phone’s files, messages, and even its camera and microphone.
- Why Israelis don't care about the NSO scandal
- After spyware scandal, Israeli NSO touts 'proud family of workers saving lives'
- Where Netanyahu went, NSO followed: How Israel pushed cyberweapon sales
Seven of the hacked Bahrainis were from secular, opposition and pro-democracy organizations active in the Gulf state. Bahrain, a constitutional monarchy, does not allow political parties. Activists from three opposition democratic organizations were reportedly among those targeted.
One of the Bahrainis whose phone was hacked was a member of Al Wefaq, Bahrain’s largest political opposition organization. Another three belonged to Waad – a center-left, secular political society that was outlawed by the government in 2017. A further three were from the Bahrain Center for Human Rights.
Citizen Lab even identified who was doing the actual spying and said it was “highly confident” that the operator behind the hack of at least four of the seven targets was the Bahraini government. It added that the hackings coincided both with what it termed a post-September 2020 surge in spyware use and a deterioration in human rights in Bahrain.
Alongside the seven activists targeted in Bahrain, the phones of two dissident Bahrainis living in London were also targeted. The dissidents are Moosa Abd Ali and Yusuf al-Jamri, who were the only targets who agreed for their identities to be revealed in the report.
The two men – one a blogger, the other an activist – have asylum status in Britain. According to Citizen Lab, it is very possible that though they were targeted by the same NSO spyware, it may have been another client doing the snooping.
“We have only ever seen the Bahrain government spying in Bahrain and Qatar; never in Europe,” Citizen Lab stated. “Thus, the Bahraini activist in London may have been hacked by a Pegasus operator associated with a different government.”
Among the key confirmed findings of Project Pegasus was the existence of the first Pegasus targets in Britain. Among them was the phone of a prominent British human rights lawyer and close associate of Princess Latifa of Dubai.
In response to the Citizen Lab report, a Bahraini government spokesperson said: “These claims are based on unfounded allegations and misguided conclusions. The government of Bahrain is committed to safeguarding the individuals’ rights and freedoms.”
An NSO representative said: “The fact Citizen Lab once again chose to brief the media rather than constructively engage NSO on alleged misuse demonstrates that they are more concerned with scoring PR points than genuinely attempting to improve public safety.
“We did not receive any data from Citizen Lab, despite past efforts to engage with them. It is, therefore, almost impossible, and certainly irresponsible, to respond based on rumors from a third party.
“However, from the bits of information made available by media inquiries, it seems that once again Citizen Lab has recycled information that does not make technological sense, and cannot be related to NSO or to the clients that operate our life-saving technology. The date range supposedly given, in a report we have not seen, is 2020-2021. The date range for the Forbidden Stories list, which has never been produced or verified, is 2017-2018 – a clear signal that this is nothing more than another unfounded claim.
“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” it added.