This May, three top OCCRP editors flew to Ankara to meet a woman they hadn’t seen in years.
Khadija Ismayilova is Azerbaijan’s most renowned investigative journalist, a longtime colleague, and a close old friend: practically family. For her pioneering work, she had spent 18 months in prison and five more years under a travel ban. But now she was finally free.
The celebration went late into the night. It was a true feast, the table laden with salads, baked fish, and Turkish appetizers. Ismayilova had made traditional dolma — grape leaves stuffed with beef — and brought them from Azerbaijan just for the occasion.
She told stories about her imprisonment: How she refused to take painkillers from her jailers after a prison doctor pulled her tooth. How she won over the other women — including professional criminals — by sharing food and advice. (She was their “psychiatrist,” she said.) There were sadder, more recent stories too: Her 20-year-old nephew had been killed in last year’s war with Armenia.
But behind the smiles and tears, there was a tension in the air. For months, the OCCRP editors had kept some devastating information from Ismayilova, and now it was time to tell her why they were really there.
For more than two years, Ismayilova’s iPhone had been infected by Pegasus, a sophisticated piece of spyware with frightening capabilities. It can record phone calls and read text messages, access photographs and passwords, track GPS data, and secretly make audio and video recordings. Without the tiniest signal to indicate that anything is amiss, Pegasus can transmit all of this to its secret operators.
The tool was developed by NSO Group, an Israeli cyber-surveillance company, which appears to have supplied it to Azerbaijan, one of the most autocratic governments in the world.
Ismayilova is not the only one. Hundreds of other journalists and activists around the world may have been targeted with Pegasus, as well. Their names were identified from a leak of more than 50,000 phone numbers that appear to have been selected for targeting by NSO Group clients. This list was obtained by Forbidden Stories and Amnesty International and shared with OCCRP and 15 other media outlets.About the ProjectThe Pegasus Project is a global investigation published by more than 80 journalists from 17 media organizations in 10 countries, coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.Read more
But for Ismayilova, in the immediate moment, the main concern was whether she had compromised anyone else. She thought about it all night, trying to remember what she had sent and to whom.
“It’s devastating,” she said the next day. “You make everyone a target.”
As she scrolled through the list of more than 1,000 Azerbaijani numbers in the leak, she recognized number after number: A niece. A friend. Her taxi driver.
“Him too,” she cried again and again. “Her too.”
This realization — that government surveillance affects not only the target, but a whole network of friends, loved ones, and colleagues who surround them — is one of the key revelations of The Pegasus Project.
But there are others. NSO Group is so secretive that — though it has long been suspected — there has never been any forensic evidence, until now, that the government is likely one of the company’s clients. The Azerbaijani numbers found in the leaked list show, in chilling specificity, the use to which it may have been put.
Reporters spent months establishing the identity of the people behind the numbers, and succeeded in verifying nearly a quarter. While NSO Group describes itself as a company that helps governments detect and prevent terrorism and crime, the list of Azerbaijanis selected for targeting shows how the tool was systematically abused. All but a few of the numbers identified by reporters belonged to journalists, activists, lawyers, and members of the country’s beleaguered opposition.
?
There is no definitive proof that the Azerbaijani government is a client of NSO Group or that the leaked list of numbers represent people selected for targeting. However, a preponderance of evidence suggests that this is the case. Forensic analysis confirms that two numbers on the list were infected with Pegasus software. The other numbers on the list include many dissidents, independent journalists, and regime opponents. Moreover, in several cases, people on the list were subjected to public leaks of personal information from their phones. For more information about the data behind this project and how these conclusions were reached, read the “About the Project” page.
NSO Group did not respond to specific questions about Azerbaijan, but generally claimed that the data used by reporters was misinterpreted and that it does not allow its clients to abuse its software, which, it reiterated, is meant only to surveil criminals and terrorists. (Read more about NSO Group’s response here).
Source: OCCCRP