Mohammed al-Tajer was caught off guard when his iPhone pinged last November with a warning that said his phone had been targeted by a nation state.
The 55-year-old lawyer from Bahrain had been known among dissidents for his “fearless” defence of opposition leaders and protesters after the 2011 pro-democracy uprising in the tiny Gulf state, when a series of demonstrations and protests were violently suppressed by authorities with the help of Saudi forces.
Tajer had not been involved in human rights issues for five years, however – the last time he’d been rounded up and threatened with arrest by Bahraini authorities.
But a forensic examination of Tajer’s phone by researchers at Citizen Lab at the University of Toronto has found that the lawyer’s phone was hacked on multiple occasions in September 2021 by a government client of NSO Group, the Israeli spyware maker.
“I used to be head of Bahrain Human Rights Observatory, used to have human rights activities inside Bahrain or with the UN. But now I don’t have any ongoing human rights activities,” Tajer, who is still in Bahrain, told Red Line for Gulf (RL4G), a non-profit collection of journalists and activists who are focused on digital security and freedom of expression in gulf states and worked with Citizen Lab on the recent investigation.
“The worst and most harmful thing is you feel you are not secure. That instead of your phone being your friend, it is now your enemy. You don’t know what information is private, and what is already exposed to the state, this is painful.”
A separate investigation by the Pegasus Project – a media consortium investigating NSO Group which includes the Guardian and is coordinated by the French non-profit Forbidden Stories – has also identified 20 Bahraini officials who are close to the government and may have been targeted for surveillance. Their phone numbers were identified with the help of Ali Abdulemam of RL4G.
The mobile numbers – including those of loyalists close to Bahrain’s ruling family – appeared on a leaked database that the Pegasus Project believes contains the phone numbers of individuals who were selected as possible surveillance targets by clients of NSO.
The mobile phone of a US state department official who was stationed in Bahrain at the time of her selection also appears on the leaked database. A state department spokesperson said the US condemns the harassment and arbitrary or unlawful surveillance of journalists, human rights activists, or other perceived regime critics.
“While we do not discuss security protocols, procedures, or capabilities, we can say that we are deeply concerned about the counterintelligence and security risks these types of commercial spyware pose to US government personnel,” the spokesperson said.
The Biden administration added NSO to a commerce department blacklist last year, citing evidence that the technology has been used by foreign governments to “maliciously target” embassy workers, journalists and activists, among others.
While the appearance of a person’s mobile number is not evidence that the person was hacked, the Pegasus Project has previously published stories about dozens of individuals – including journalists and human rights activists – whose numbers appear on the list and whose phones were targeted or hacked by clients of NSO, according to security researchers at Amnesty International who forensically examined the devices.
The individuals who were selected as possible candidates for surveillance include 20 members of the Bahrain council of representatives, speaker Fawzia Zainal, who was appointed by the king and selected between January and March 2019, and Ahmed Sabah al-Salloum, an MP and member of the National Institution of Human Rights, an organisation that is funded by the government of Bahrain.
The Pegasus Project also identified two members of the royal family who were listed in the leaked database, including Khalid Bin Ahmed Khalifa, the former minister of foreign affairs. The individuals declined to comment on their appearance on the list.
An NSO spokesperson said: “The misuse of cyber intelligence tools is a serious matter and all credible allegations must be investigated, if and when the relevant information would be provided. The continued reporting of unsubstantiated allegations by uninformed sources is unfortunate and wrong.”
The series of revelations, security experts said, paint a picture of a state that appears poised to use surveillance technology against its perceived enemies and friends alike.
When successfully deployed against a target, Pegasus can infiltrate a mobile phone, giving the user of the spyware full access to phone calls, text messages, encrypted messages and photographs. It can track a mobile phone user’s location and turn the phone into a remote listening device.
“The situation in Bahrain is still pretty repressive,” said Bill Marczak, a senior researcher at Citizen Lab. “Since 2011 Bahrain has really made it a point to try and remove institutions that help people to organise.
“There is no space for dissent or activism, and spyware helps preserve this status quo. Because what they can do is keep an eye on what is going on in private, they can make sure there is nothing bubbling over in private.”
NSO has said its government clients are only meant to use Pegasus spyware to target serious criminals and terrorists. The company has strongly denied that the leaked database has any connection to the Israeli firm and said the phone numbers on the list are not targets of NSO customers.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Bahrain’s embassy in Washington did not respond to a request for comment.
Citizen Lab’s analysis found that Tajer, the lawyer, was hacked with Pegasus spyware just one week after a previous report by the Toronto-based lab detailed nine other cases of Bahrain activists who were targeted with spyware. The researchers have also identified a journalist, who they have not named, who was also targeted with NSO spyware.
Sayed Ahmed Alwadaei, the director of advocacy at the UK-based Bahrain Institute for Rights and Democracy, said Bahrain had witnessed a decade of “systematic repression” since the events of 2011.
Intent on ensuring there would not be any other uprisings, Alwadaei said the government was seeking to keep all activists and political actors “within their control”.
“I guess this is really the new reality, that they want to ensure that this is not going to happen again,” Alwadaei said.
