'Especially Remarkable': Jordanian Activists Hacked With Israeli Pegasus Spyware

Jordanian human rights lawyers and journalists were likely targeted by the Kingdom's authorities and perhaps another Arab state, even after Apple sued Israeli NSO, the spyware's creator. NSO refused to comment

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
A smartphone next to an NSO Group logo. The Israeli cyberoffense firm's Pegasus spyware has been found on the iPhones of Jordanian human rights activists.
A smartphone next to an NSO Group logo. The Israeli cyberoffense firm's Pegasus spyware has been found on the iPhones of Jordanian human rights activists. Credit: Ohad Zwigenberg
Omer Benjakob
Omer Benjakob

At least four Jordanians had their phones hacked in the past few years with the now-infamous Pegasus spyware created by Israeli firm NSO, according to a joint investigation published Tuesday.

The investigation by Front Line Defenders and Citizen Lab said that at least two of the four had their phones hacked through a known security breach in iPhones that was previously exploited by clients of the NSO Group. The breach has since been fixed by Apple.

The two digital rights groups said the hacks, which took place between August 2019 and December 2021, were likely the work of Jordanian authorities and perhaps another Arab state. NSO refused to comment for this report.

Pegasus allows NSO’s clients – usually state intelligence or law enforcement agencies – to remotely hack into smartphones, providing them with access to encrypted communications, data, and even the camera and microphone of any phone successfully infected with the spyware.

To hack into the devices, Pegasus and similar spyware makes use of so-called exploits in iPhones and Androids. Based on past cases, digital forensic analysis of phones can reveal the traces of such exploits and even identify specific operators.

In September 2021, Citizen Lab found an iPhone exploit utilized by Pegasus that they dubbed “FORCEDENTRY.” This led Apple to patch the breach, rendering it useless to those who updated their iPhone’s operating system. In November 2021, Apple sued NSO and notified dozens of people across the world that they may have been targeted by a state-sponsored hack.

The Dublin-based Front Line Defenders found that at least one of the four Jordanians was hacked last December, after the exploit had been published and Apple filed its lawsuit against NSO. The victim had not updated their device and it is unclear if they received any warning from Apple.

Furthermore, one of the victims hacked earlier last year, in January 2021, was likely hacked using the FORCEDENTRY zero-click infection and is the earliest use of the exploit ever found. The University of Toronto-based Citizen Lab had found the first usage of the exploit taking place in February 2021; however, it seems it was first utilized at least a month earlier.

Unlike other firms providing hacker-for-hire services, NSO’s Pegasus has long been considered the high-end of spyware services because of its ability to hack into phones without the victim needing to click on a single link (hence these exploits being termed “zero-click” infections). In fact, only one other firm is said to be able to provide the same service for iPhones: NSO’s Israeli competitor Paragon.

According to Front Line Defenders, two of the four Jordanian victims received messages with nefarious links that likely infected their phones. However, at least one of the other two was likely hacked using the zero-click exploit. Citizen Lab peer reviewed their analysis and confirmed their findings. 

SMS messages containing Pegasus links sent to a Jordanian activist.Credit: Screenshot

Two operators

At the start of this year, Front Line Defenders found Pegasus on the phone of a Jordanian rights activist, in a report that underscored the unique threat the spyware poses for women. In wake of the publication of their findings, the group and Citizen Lab received dozens of requests from activists in Jordan to have their phones checked for the spyware.

The resulting examination led to the confirmation of the four victims, three of whom agreed to be identified. The victims are Malik Abu Orab, a rights lawyer who was arrested by the state in the past for his efforts; Suhair Jaradat, a rights activist and journalist; and Ahmed al-Neimat, a rights activist focused on corruption and workers rights. He works with a reform group called Hirak and has been targeted in the past, facing arrest and a travel ban.

The fourth victim is a female journalist, like Jaradat, who asked to remain anonymous.

While the first two victims were targeted using SMS messages – some dating back to as early as 2018 – Jaradat was targeted last December after Apple had patched the FORCEDENTRY breach and taken NSO to court. Neimat was likely targeted using the zero-click exploit.

Mohammed al-Maskati from Front Line Defenders told Haaretz that “the fact the targeting we uncovered happened after the widespread publicity around Apple’s lawsuit and notifications to victims is especially remarkable.”

The analysis also led the digital investigators to what they believe are two distinct operators: one is most likely the Jordanian government or an agency activating on its behalf. They dubbed this operator “BLACKIRIS” and noted that it focused exclusively on targets in Jordan and has been active since December 2020.

It is unknown if Jordan is a client of NSO, but an April 2021 report by Barak Ravid in Axios said negotiations between the kingdom and Israeli spyware firms had been taking place “in recent months” – and one source even said a deal was sealed. In 2015, Citizen Lab suggested that Jordan was already a client of a German-made spyware known as FinFisher (or FinSpy), whose creators filed for bankruptcy last month.,

Referring to NSO, Maskati said that “a firm that truly respected [Apple’s and rights groups’] concerns would have at least paused operations for government clients like Jordan, which has a widely publicized track record of human rights concerns and has enacted emergency powers giving authorities widespread latitude to infringe on civil liberties.”

The second operator, dubbed “MANSAF,” was focused on Jordan but also had additional targets in Iraq, Lebanon and Saudi Arabia.

NSO refused to comment on this report, but a spokesperson said in the past that the cyberoffense firm “cannot directly comment on a report we haven’t seen, nor investigate based on names received in a press inquiry.”

NSO’s spokesperson said at that time: “NSO’s firm stance on these issues is that the use of cybertools in order to monitor dissidents, activists and journalists, regardless of their gender, is a severe misuse of any technology and goes against the desired use of such critical tools. The international community should have a zero tolerance policy toward such acts, therefore global regulation is needed. NSO has proven in the past it has zero tolerance for these types of misuse by terminating multiple contracts.”

Click the alert icon to follow topics:

Comments