The consortium did not disclose how it got the list, and it was not clear whether the list was ambitious or whether people had actually been targeted by NSO’s spyware.
Among those listed were Azam Ahmed, who had been the Mexico bureau chief for the Times and who had reported extensively on corruption, violence and surveillance in Latin America, including on NSO itself; and Ben Hubbard, Times bureau chief in Beirut, Lebanon, who has investigated rights violations and corruption in Saudi Arabia and has written a recent biography of Saudi Crown Prince Mohammed bin Salman.
It also included 14 heads of state, including French President Emmanuel Macron, South African President Cyril Ramaphosa, Egyptian Prime Minister Mostafa Madbouly, Pakistani Prime Minister Imran Khan, Saad-Eddine El Othmani, who was until recently Prime Minister of Morocco, and Charles Michel, President of the European Council.
Shalev Hulio, co-founder of NSO Group, vehemently denied the list’s accuracy, telling The Times: “It’s like opening the blank pages, picking 50,000 issues and drawing conclusions.
This year marks a record for the discovery of so-called zero days, secret software flaws like the one used by NSO to install its spyware. This year, Chinese hackers were caught using zero days in Microsoft Exchange to steal email and install ransomware. In July, ransomware criminals used a zero day in software sold by tech company Kaseya to bring down the networks of some 1,000 companies.
For years, the spyware industry has been a black box. Spyware sales are blocked in nondisclosure agreements and are frequently embedded in classified programs, with little or no oversight.
NSO clients previously infected their targets using text messages that tricked victims into clicking links. These links have enabled journalists and researchers from organizations like Citizen Lab to investigate the possible presence of spyware. But NSO’s new zero-click method makes it much harder for journalists and cybersecurity researchers to find spyware.