Human Rights Watch (HRW) says one of its senior staff members was targeted five times last year with Pegasus, a spyware made by the Israeli company NSO Group.
The software was used against Lama Fakih, director of the New York-based group’s Beirut office who also oversees its crisis response in countries including Afghanistan, Ethiopia, Israel, Myanmar, the occupied Palestinian territory, Syria and the United States, HRW said on Wednesday.
Fakih’s phone was breached five times between April and August of 2021, but the organisation said it did not know who targeted her.
The NSO Group, which does not disclose its client list, has been mired in controversy in recent years following investigations by researchers at the University of Toronto’s Citizen Lab, along with several rights groups and media outlets, that found that the technology has been used by governments across the world to access the smartphones of political opponents, activists and journalists.
Recounting being notified by Apple in November 2021 that she had been a victim of a “state-sponsored” attack on her iPhone, Fakih said she “felt dread and disbelief”.
“You have a million thoughts going through your head. Why would I be targeted in this way and how? What government did this?” Fakih said in a Q&A published by HRW on Wednesday.
“What does this mean for my security and for the security of everyone whose data may have been compromised as a result of the attack?”
She said HRW later determined that her phone had been hacked using Pegasus. The conclusion was peer-reviewed and confirmed by Amnesty International’s Security Lab.
“After all this, we decided to make this state-sponsored attack public, in order to raise awareness of this risk to civil society partners and contacts more broadly,” Fakih said. “Speaking out about these attacks is critical to stopping the unchecked use of surveillance technology.”
The NSO Group’s software has proven particularly difficult to protect against because it uses so-called “zero-click” technology, meaning a user does not have to click on a malicious link for hackers to access their device.
Facebook and Apple have both filed lawsuits against the Israeli company over hacks against their products. The US, meanwhile, has blacklisted the company, saying its tools have been used by repressive governments, and barred it from using US-developed technology.
The company maintains it has safeguards in place to ensure its products are only used to target suspected criminals and “terrorists”.
In a January 24 letter made public by HRW, NSO Group said it was “not aware of any active customer” using the technology against a staff member of the rights watchdog.
The company said it was conducting an initial assessment to determine if an investigation would be launched, noting that the targeting of a rights group staffer would be a “serious misuse” of its technology if the individual was not suspected of committing a crime.
The firm has also expressed support for an “international regulatory structure” to constrain the use of spyware technology, but has shrugged off calls to suspend the use of Pegasus until one is created.
For her part, Fakih said “it is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices”.
“They seem to believe that by doing so, they can consolidate power, muzzle dissent, and protect their manipulation of facts,” she said.