The phone of one of Hungarian Prime Minister Viktor Orbán’s most vocal critics was infected with the Pegasus spyware built by the Israeli cyberespionage firm NSO Group, a digital forensics investigation led by Direkt36 revealed Thursday.
The news comes after a report revealed earlier this week that Germany’s federal police also purchased the software, though it is unclear what if any use they made of it, and amid changes in European Union regulations on spyware that come into effect Thursday.
Direkt36 was the Hungarian media partner in Project Pegasus, a global investigation into a leaked list of potential targets selected for possible surveillance by clients of the NSO Group. The probe was led by Forbidden Stories together with Amnesty International and a consortium of news outlets, including Haaretz.
Together with Citizen Lab, a Toronto-based digital forensics lab and rights group, Direkt36 revealed that the phone of Zoltán Páva – a former politician with the Hungarian opposition and now the publisher of a news website considered critical of Orbán’s regime – was infected with Pegasus.
If infected, the Pegasus spyware gives its operator full remote access to the compromised smartphone, including access to its data and even the ability to operate the phone’s camera and microphone, all unbeknown to the target.
Citing sources within Hungary’s defense establishment, the report by Direkt36’s Petho Andras said the client that ordered the surveillance of Páva was likely a body of the state, which is known to have done business with NSO. In fact, Haaretz’s contribution to the Project Pegaus was highlighting the role of Pegasus sales in Israel’s diplomatic efforts.
As Amitai Ziv reported for Haaretz, the first case of a Hungarian phone number appearing in the leaked database of potential selected targets came the same day as then-Prime Minister Benjamin Netanyahu first visited Hungary in 2016. However, it was a non-operational number, not a real one; the first operational number selected for potential snooping was in February 2018 – just as Netanyahu met with József Czukor, Hungary’s security policy and foreign policy adviser.
- Why Israelis don't care about the NSO scandal
- These Twitter accounts act like NSO groupies. Are they real?
- Germany’s ‘FBI’ bought Israeli NSO’s spyware despite knowledge of rights abuses, report says
According to the Direkt36 report, Hungary’s security services started using Pegasus in 2018, and a former NSO employee had previously confirmed that the Eastern European country had purchased the software.
Páva’s number was not on the database of potential numbers at the center of the global investigation earlier this year. However, following the publication of Project Pegasus – which revealed that over 180 journalists worldwide were selected as potential targets, as well as world leaders – and a number of strange phone calls he received, prompted the publisher to have his phone examined. The examination, conducted by Citizen Lab and confirmed by Amnesty International, found traces of the Pegasus spyware on his phone.
The spyware was found to have been active as recently as March and May this year.
“During those ranges, the phone was infected. It is really hard to say what data is pulled out in these cases, but we can say that Pegasus had access to anything that Zoltán had access to,” John Scott-Railton of Citizen Lab told Direkt36.
At the time of the Project Pegasus probe, the NSO Group denied the reports and called them an orchestrated attempt to smear the company. It also said the list at the core of the investigation was arbitrary and had no connection to them or their clients. Since the investigation was published, digital forensics in France and Britain have confirmed that a small handful of those phone numbers selected as potential targets actually did have their phones infected.
The Hungarian government did not respond to specific question by Direkt36 about Páva.
On Monday, it was revealed by German daily Die Zeit that Germany’s federal investigative police force held talks with NSO and even purchased Pegasus spyware, despite concerns over its legality in Germany.
Citing sources within the local defense establishment, Die Zeit’s Holger Stark said the Federal Criminal Police Office first held talks with NSO in 2017. At the time, the report said, a delegation from NSO even traveled to Wiesbaden, where the police group is headquartered, to showcase Pegasus’ capabilities. Despite initial legal concerns from within the police about the spyware, a deal was reportedly struck with NSO in 2019.
At the time of the Project Pegasus publications, after it was revealed that a phone number associated with French President Emmanuel Macron was also selected for potential targeting (most likely by the Moroccan intelligence service), other European leaders voiced their concerns over NSO and its cyberware.
When asked about the Pegasus spyware case at the time, German Chancellor Angela Merkel was quoted by Reuters as saying it was important that hacking software does not get into the wrong hands. She also told reporters that countries without any judicial oversight over how spying software is used should not have access to it.
This week, the EU changed its policy regarding so-called dual-use technologies – technologies that can be used for both civilian and military ends. The new regulations focus on cybertechnologies like those sold by NSO, as well as other Israeli firms, specifically “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analyzing data from information and telecommunication systems.”
The new regulations will see the EU publish annual reports about requests for surveillance and the possible purchase of such tech by member states. However, rights groups urged the EU to take matters further.
In a letter signed by Amnesty, Access Now, Human Rights Watch, Reporters Without Border and the Committee to Protect Journalists, they called on the EU to investigate claims of misuse of such technologies by states such as Hungary. They also called on the EU to more clearly define what firms and technologies constitute cybersurveillance, to ensure oversight and an end to human rights abuses facilitated by such spyware.