UAE linked to listing of hundreds of UK phones in Pegasus project leak | Surveillance



A member of the House of Lords is among more than 400 people whose UK mobile phone numbers appear in a leaked list of numbers identified by NSO Group’s client governments between 2017 and 2019, the Guardian can reveal.

The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone.

Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client.

Quick Guide

What is in the Pegasus project data?


What is in the data leak?

The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.

What does the leak indicate?

The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.

What did forensic analysis reveal?

Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.

Which NSO clients were selecting numbers?

While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.

What does NSO Group say?

You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a “target” to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent “targets” of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus. 

What is HLR lookup data?

The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.

Thank you for your feedback.

The phones of Sheikh Mohammed’s daughter Princess Latifa, who launched a failed bid to escape Dubai in 2018, and his ex-wife Princess Haya, who fled the country and came to the UK in 2019, both appear in the data.

So too do the phones of several associates of both women – including, in the case of Haya, mostly UK-based numbers.

In multiple statements, NSO said that the fact that a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO group in any way.”

But the Guardian and other media partners that had access to the data as part of the Pegasus project, a media consortium, believe the list indicates persons of interest selected by government clients of NSO. It includes people across the world whose phones showed traces of NSO’s spyware, Pegasus, according to forensic analysis of their devices.

Those with UK numbers appearing on the list include:

  • Lady Uddin, an independent member of the House of Lords, whose number appeared on the data in both 2017 and 2018. She said if there was spying on members of parliament it would amount to “a great breach of trust” which “contravenes our sovereignty”.
  • A lawyer working for a London law firm advising Princess Haya. Haya is embroiled in a bitter custody battle with Sheikh Mohammed in the family division of the high court of justice.
  • John Gosden, a leading horse trainer based in Newmarket, who is also friend of Princess Haya, herself an international equestrian rider. Numbers for other people working for Haya’s security and PR team also appear in the data.
  • John Chipman, the chief executive of the defence thinktank the International Institute for Strategic Studies, which runs an annual conference in Bahrain, one of the UAE’s allies.
  • Matthew Hedges, a Briton detained without trial in the UAE for five months in 2018, whose number first appears in the data while he was in the UK, before embarking on his trip. “I want to know what the British government is doing about it,” he said.

Other high-profile UK names who appear on the list have already been named, such as Roula Khalaf, the editor of the Financial Times, who was deputy editor when her number appeared in the data in 2018. NSO later said there were no attempted or successful Pegasus infections of Khalaf’s phone.

Earlier this week, the Guardian also revealed the listing of the number of the human rights lawyer Rodney Dixon QC, who has acted for both Hedges and the fiancee of the murdered Saudi journalist Jamal Khashoggi, Hatice Cengiz. Analysis of the data suggests his number was among a small group of UK numbers that appear to have been selected by Saudi Arabia.

Lawyers for NSO suggested it was “technically impossible” for Dixon’s phone to be targeted by Saudi Arabia. Forensic analysis of Dixon’s device conducted by Amnesty International’s Security Lab showed Pegasus-related activity but no successful infection.


What is the Pegasus project?


The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.

Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.

Thank you for your feedback.

Amnesty examined two other UK phones in the data. One showed the same kind of Pegasus activity discovered on Dixon’s iPhone. The second, an Android phone, showed no evidence of an attempted or successful infection.

Neither the United Arab Emirates, Dubai nor Saudi Arabia responded to requests for comment. Till Dunckel, a German lawyer representing Sheikh Mohammed, told the newspaper Süddeutsche Zeitung: “Our client emphatically denies having attempted to ‘hack’ the phones of the persons named in your request, or having instructed others to do so.” Representatives of the sheikh have also previously said he feared Latifa was a victim of a kidnapping and that he had conducted “a rescue mission”.

NSO Group has always said it does not have access to the data of its customers. In statements issued through its lawyers, NSO said the Pegasus project reporting consortium had made “incorrect assumptions” about which clients used the company’s technology.

Exiled dissidents and supportive activists in the UK also appeared on the leaked list, which is bound to raise questions about the UAE, which is traditionally considered a British ally, and whose leading family, the rulers of Abu Dhabi, own the Premier League champions, Manchester City.

The UAE has become a fast-emerging cyber power, whose powerful surveillance capability is controlled by the family of its ruler, Sheikh Mohamed bin Zayed, and in particular his brother, the national security adviser, Sheikh Tahnoon bin Zayed.

Three sources familiar with NSO’s operations confirmed that within the past year the company had stripped Dubai of its Pegasus licence. They said the decision had been informed primarily by human rights concerns, but did not dispute that the possibility Sheikh Mohammed was wielding the software against his own family members had also been a factor.

It is unclear whether MI5 was aware of any UAE spying activity. Generally if the spy agency becomes aware a Briton is subject to foreign surveillance, it only takes action to alert the victim if it believes there is a threat to life or other serious danger in the UK.

But the British government issued a coded rebuke to the country this week following the revelations of the Pegasus project.

A government spokesperson said: “It is vital all cyber actors use capabilities in a way that is legal, responsible and proportionate to ensure cyberspace remains a safe and prosperous place for all.”

Why certain people may have been listed is hard to determine. Uddin was the first Muslim woman to serve in the upper house, but is not considered a foreign policy specialist. “If espionage is taking place against the highest of sovereign British institutions, questions arise regarding whether our government was aware,” she said.

Matthew Hedges, a Durham University PhD student specialising in security, was first listed on the database in March 2018, two months before he was detained and tortured without trial for five months, accused of spying for MI6. The initial listing of his number in the data took place before Hedges had travelled to the UAE for his research.

MI6 denies he was acting as an agent, in a high-profile case that strained relations between London and Abu Dhabi. Hedges was subject to repeated interrogations that lasted hours and was injected with a cocktail of drugs on which he is partly dependent today, but was only charged after being held for five months.

It was not possible to conduct forensic analysis of Hedges’ UK phone from the time because UAE authorities confiscated his device.

Mohammed Kozbar Photograph: Helen William/PA

Mohammed Kozbar, the chair of the Finsbury Park mosque, arguably the best-known mosque in Britain, also appeared on the leaked list. His number appeared in the data in 2018, apparently because of the UAE. The mosque was comprehensively reformed in 2015 under his leadership, and is considered a model of community relations, acting recently as a public vaccination centre.

Kozbar said he was baffled as to why he might have been of interest to the Gulf state, saying he had “never been in the UAE” nor had any involvement with the country. He said he feared that “British citizens will be open to abuse from every country in the world” unless the UK spoke out against apparent abuses of NSO spyware worldwide.

Dissidents – some of whom focused on Saudi Arabia or Bahrain – and at least one British activist have also appeared in the list. They include the Emirati-born Alaa al-Siddiq, 33, the executive director of the Saudi campaign group ALQST, who was killed in a car crash in Oxfordshire last month. After talking to the police her organisation said there was “no suggestion of foul play”.

Another person who appears in the data in 2018 was the leading Bahraini dissident and human rights campaigner Saeed Alwadei, who has political asylum in the UK. He was also selected by a customer understood to be the UAE, although he campaigns for democracy and rights in Bahrain, particularly around the time of the grand prix, held that year in April.

He called on the UK government to “speak out and stop defending these abusive governments”.

A number belonging to Rori Donaghy was selected by UAE throughout 2017 and 2018, according to analysis. He was previously reported to have been a target of a UAE hacking campaign unrelated to NSO.

He worked for three years until 2016 for Middle East Eye, a UK-based news organisation that regularly criticised the UAE regime. But at the time his number appeared in the data he was working for a specialist Middle East consultancy, writing reports about Syria and the refugee crisis.

The number of the president of the Muslim Association of Britain, Raghad Altikriti, the first female head of the organisation, also appears on the list. She was previously a vice-president and head of media, and her brother Anas Altikriti, who runs the Cordoba Foundation thinktank, which promotes intercultural dialogue, was listed between 2017 and 2019.

The numbers of several employees of three London corporate intelligence firms also appeared on the list. In one case, it appears the head of the firm was selected by the UAE along with two numbers belonging to his wife. All three firms work for Gulf state clients.



Leave A Reply