NSO Group: more than 50.000 phone numbers leaked with Pegasus spyware

by | July 22, 2021 | Cybersecurity News

NSO Group, an Israeli surveillance company, sold hacking software to authoritarian governments that target human rights activists, journalists, and lawyers across the world, including Jamal Khashoggi’s family, according to an investigation into a massive data leak.

Security researchers found proof of attempted (or successful) installation of Pegasus, software designed by the Israeli company, on 37 phones of journalists, activists, and business people. They seem to have been the victims of potentially intense secret surveillance with software intended to track criminals and terrorists. The phones were on a list of more than 50.000 phone numbers for politicians, judges, teachers, lawyers, and others.

The spyware, made by NSO Group, shows us how vulnerable and quickly we can become victims. Our top personal information, like photos, messages, and emails, is stored on our phones. Spyware can avoid the encryption that protects data sent over the internet.

Info-background about NSO Group

  • An Israel-based company that designs surveillance software to government agencies
  • The company was co-founded in 2010 by chief executive Shalev Hulio
  • Its Pegasus software provides a valuable service give that encryption technology means terrorists and criminals have disappeared. The software runs secretly on smartphones, showing what the owner is doing
  • They also offer other tools that locate where a phone is being used, defend against drones and mine law
  • NSO Group has been involved in other hacks, according to previous reports and lawsuits, including a reported hack on Jeff Bezos. the Amazon founder, in 2018.

What is Pegasus and how does it work?

  • According to the “Washington Post” report, it can be installed remotely, without a surveillance target opening documents or website links. Pegasus displays everything to the NSO customers who control it (text messages, photos, emails, videos, contact lists) and can record phone calls. According to the Washington Post, it can also secretly turn on the phone’s microphone and camera to create a new recording.
  • Has the ability to compromise Android and iOS devices easily (the malware was recently discovered on a fully patched iPhone 12, the newest model running the most current update-iOS14.6)
  • The software isn’t supposed to track activists, journalists and politicians; the company says on its website: “NSO Group licenses its products only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime. Our vetting process goes beyond legal and regulatory requirements to ensure the lawful use of our technology as designed.”

What did the data leak contain

The data leak was a list of more than 50.000 phones that is believed to have been selected since 2016 by government clients of NSO Group so that they can spy on their citizens. The data also contains the time and date that numbers were selected or entered the system. Amnesty International, together with Forbidden Stories, a nonprofit journalism organization, initially had access to the list and shared access with other 16 media organizations. More than 80 journalists have worked together over several months for the Pegasus project.


Amnesty examined 67 smartphones that were suspected to be attacked. Of those, 23 were successfully infected, and 14 showed signs of attempted infiltration. For the other 30 phones left, the tests were inconclusive in several cases because the handsets had been changed. Fifteen of the examined smartphones were Android devices, and none of them showed proof of successful infection. However, unlike iPhones, smartphones with Android do not log the kinds of information needed for Amnesty’s investigation. Therefore, three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

How do the NSO Group reacted to accusations?

The company denied and said it does not have access to the data of its customers’ targets. NSO Groups said through its lawyers that the 50.000 number was “exaggerated” and that the list “is not a list of numbers targeted by governments using Pegasus, but instead, might be part of a larger list of numbers that NSO Group customers might have used for other purposes.” They stated it was a list of numbers that anyone could search on an open-source system. However, NSO acknowledges its software can be misused. Shalev Hulio said in a report that:

“Every allegation about the misuse of the system concerns me. It violates the trust that we give customers. We are investigating every allegation.”

NSO Group denied in a statement the “false claims” about Pegasus that it said were “based on a misleading interpretation of leaked data.” The company also said that the software “cannot be used to conduct cyber surveillance within the United States.”

Who has been targeted by Pegasus?

Arab royal family members

64 business executives

85 human rights activists

Over 600 politicians and government officials

189 journalists

50.000 private phone numbers leaked

How can you check if your phone is infected too?

If you’re worried your phone might also be infected with the Pegasus spyware, TechCrunch hopefully pointed out that you can use a tool to check if your phone has been infected. The Mobile Verification Toolkit was designed to assist with the “consensual forensic analysis of Android and iOS devices, to identify traces of compromise,” stated TechCrunch. Therefore, it’s built to tell if you’ve been hacked or not.

The program allows you to scan all of the files on a backup of your device. You’ll first need to make a new copy of that data, also known as a “full system dump.” The tool must be designed with IOCs (indicators of compromise) related to NSO’s malware delivery system, as provided by Amnesty International. The program will then filter your data and scan these indicators. After the analysis, the program will then spit out some files, which will mention whether the MVT has found any signs of infiltration or not. TechCrunch reports that the entire process takes about 10 minutes to get up and run if you know what you are doing.

Previous Headlines of NSO Group

  • October 2019: WhatsApp sued NSO Group for creating tools allegedly used by its clients for reading WhatsApp’s protected messages of journalists and human rights workers.

However, after all the accusations, NSO Group claims that its spy tools help law enforcement fight against crime and terror. Moreover, it has often affirmed it is not complicit in any government’s misuse of their provided technology!


by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.