Report: Bahrain used NSO’s Pegasus spyware against regime opponents

The report from Citizen Lab maintains that the spyware was found on the smartphones of nine activists, five of which appeared on a list of 50,000 numbers of interest to NSO clients

Omer Kabir 14:20 24.08.21

Pegasus spyware from Israeli company NSO was used to spy on nine human rights activists and opponents of the Bahrain leadership, who live in Bahrain and London, according to Tuesday’s report by the Citizen Lab institute at the University of Toronto. The attacks took place between September 2019 and February 2021, after NSO had already claimed to have put in place extensive mechanisms to prevent human rights violations, which casts doubt on the effectiveness of these mechanisms or the company's commitment to them.

NSO office in Herzliya. Photo: Orel Cohen

The current study was conducted by Dr. Bill Marczak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, John Scott-Railton, and Ron Deibert of Citizen Lab and Ali Abdulemam of the Red Line for Gulf organization. It is being published as NSO is under unprecedented public scrutiny following the Pegasus Project, an extensive investigation conducted by Amnesty and the Forbidden Stories press consortium, centered on a leaked list of 50,000 phone numbers of interest to NSO clients.

Five of the nine targeted phone numbers were on the list of 50,000 numbers exposed in the Pegasus Project, which strengthens the credibility of the list and its correlation to victims of Pegasus. Citizen Lab was also able to identify the perpetrator in some of the cases, and estimates with high probability that the perpetrator is operating from Bahrain.

"What stands out about Bahrain is not only that it is known to be an oppressive state which is ranked low in human rights and freedom of the press indexes; Bahrain is also responsible for the first ever known case of misuse of spyware," Marczak, a senior research fellow at Citizen Lab and a researcher at the University of California at Berkeley who led the study, told Calcalist. "Even before our first report on NSO came out, in 2016, it was known that this was a country that exploits spyware to spy on opposition figures, human rights activists and lawyers. So it is shocking that they approved a sale to Bahrain in 2017, but also that they continue to work with it after their human rights policy was launched. This is the first country you want to cut off."

Although Bahrain is officially defined as a constitutional monarchy, in practice all governmental power in the country is concentrated in the hands of the King of Bahrain, Hamad bin Isa Al Khalifa, and the royal family. The members of the upper house of the Bahraini parliament are directly appointed by the king and members of the lower house are elected in a way that ensures that the opposition to the royal house will always be in the minority.

In 1999, when he came to power, the king began to introduce reforms that improved human rights in the country, and allowed, among other things, the establishment of civil society organizations, including human rights organizations, independent newspapers, and political parties. However, these reforms were gradually repealed and in 2010 Bahrain returned to a familiar pattern of arrests, torture, and silencing of regime opponents. Today, Bahrain censors internet traffic using Western technologies, and disrupts local network activity during local protests. Citizens who posted content online criticizing the administration were persecuted and arrested.

According to a variety of reports, since 2010 Bahrain has been acquiring spyware from companies such as NSO to spy on human rights activists, dissidents, and opposition figures. In fact, a 2012 Citizen Lab report revealed how Bahrain used spyware from FinFisher in what is considered the first exposure of spyware abuse by a state.

The first contact between NSO and Bahrain was exposed in 2018 in another Citizen Lab report which mapped the global activity of Pegasus and identified Bahrain as one of the 45 countries where smartphones have been infected with the Israeli spyware.

The current investigation began in July 2020, when Citizen Lab researchers, who regularly monitor servers identified as Pegasus' control and operation servers, identified a significant increase in activity in several countries, including Bahrain. "It was related to the zero-click attacks (an attack that enables a device to be infected without any action on the part of its owner) which were used at the time. Bahrain seemed like a good case to investigate because they had already abused spyware in the past. So we thought it was likely that they were breaking into activists and dissidents again. We decided to contact activists and do two things: check their phone records, and route their traffic through a VPN so we can monitor it," Marczak said.

The first action makes it possible, through careful analysis, to detect the presence of Pegasus on the phone, past and present. The second action can detect the presence of Pegasus only if the spyware is active during the time of monitoring, but makes it possible to locate the server with which Pegasus is communicating and thus identify the operator. These actions allowed Citizen Lab to identify nine devices infected with Pegasus. Two of them belong to opponents of the Bahraini regime who live in London - Moosa Abd Ali and Yusuf al-Jamri. The remaining seven activists live in Bahrain and asked to remain anonymous. The earliest reported case occurred in September 2019 and the latest in February 2021, with most attacks occurring between July and September of 2020. That means almost all of the attacks occurred after NSO announced its comprehensive human rights reform in September 2019.

The reform, which included examining the company's sales processes to identify possible human rights violations and periodic control procedures by outside experts, was designed to prevent the misuse of Pegasus by not selling to, or ceasing operations in, countries with problematic human rights records. However, the widespread use by Bahrain identified by Citizen Lab calls into question the effectiveness of this policy or NSO's commitment to it.

The report describes the victims’ political and social activities within groups such as Waad, a center-left political movement banned in the Gulf state since 2017, and BCHR - Bahrain Center for Human Rights, which has been banned since 2004. The two London-based victims suffered persecution by the authorities in the past. Al-Jamri was granted political asylum in Britain in 2018 after testifying he was tortured by Bahrain's intelligence agency. According to the report, his phone was infected with Pegasus before September 2019. Abd Ali’s phone was infected before September 2020.

Hamad bin Isa Al Khalifa, King of Bahrain. Photo: AP

All the compromised smartphones were iPhones. The attacks on those hacked between July 2020 and September 2020 took advantage of a zero-click weakness in Version 13 of iOS, Apple’s operating system. In September 2020, shortly after the iOS upgrade to Version 14, one of the victims in Bahrain received an SMS with a link to a malicious site which, if clicked, would install Pegasus on the device.

Citizen Lab estimates that NSO was forced to switch to a breach method that requires action on the part of the victim because of a new feature called BlastDoor that Apple has integrated into iOS, which is designed to make it harder to run zero-click attacks. This protection did not last long. The report states that "we understand that as of February 2021 NSO is using a new zero-click weakness that bypasses the BlastDoor feature."

NSO said in response to the report: “The fact that Citizen Lab chooses again to brief the media instead of acting constructively with NSO regarding alleged abuse demonstrates that they are more interested in public relations than in a real attempt to improve public safety. We did not receive information from Citizen Lab, despite past efforts to work with them. Therefore, it is impossible, and certainly not responsible, to respond to third-party rumors. However, from the pieces of information we received through inquiries from the media, it seems that Citizen Lab has once again recycled information lacking technological logic, and that could not be related to NSO or our customers running life-saving technology. The date range provided in the report, which we did not see, is 2020-2021. The date range for the Forbidden Stories list, which has never been issued or verified, is 2017-2018 - a clear sign that this is no more than an unfounded claim. As always, if NSO receives reliable information related to system abuse, the company will vigorously investigate the claim and act accordingly on the basis of the findings."