Women allege that NSO spyware was used to steal and leak their private photos


Ghada Oueiss, a Lebanese broadcast journalist at Al-Jazeera, was eating dinner at home with her husband last June when she received a message from a colleague telling her to check Twitter. Oueiss opened up the account and was horrified: A private photo taken when she was wearing a bikini in a jacuzzi was being circulated by a network of accounts, accompanied by false claims that the photos were taken at her boss’s house.

Over the next few days she was barraged with thousands of tweets and direct messages attacking her credibility as a journalist, describing her as a prostitute or telling her she was ugly and old. Many of the messages came from accounts that appeared to support Saudi Crown Prince Mohammed bin Salman Al Saud, known as MBS, including some verified accounts belonging to government officials.

“I immediately knew that my phone had been hacked,” said Oueiss, who believes she was targeted in an effort to silence her critical reporting on the Saudi regime. “Those photos were not published anywhere. They were only on my phone.”

“I am used to being harassed online. But this was different,” she added. “It was as if someone had entered my home, my bedroom, my bathroom. I felt so unsafe and traumatized.”

Image: Ghada Oueiss (Courtesy Ghada Oueiss)

Oueiss is one of several high-profile female journalists and activists who have allegedly been targeted and harassed by authoritarian regimes in the Middle East through hack-and-leak attacks using the Pegasus spyware, created by Israeli surveillance technology company NSO Group. The spyware transforms a phone into a surveillance device, activating microphones and cameras and exporting files without a user knowing.

For Oueiss and several other women whose phones were allegedly targeted, a key part of the harassment and intimidation is the use of private photos. While these photos may seem tame by Western standards, they are considered scandalous in conservative societies like Saudi Arabia and were seemingly used to publicly shame these women and smear their reputations.

“I am an independent, liberal woman and that provokes a misogynistic regime,” Oueiss said.

In recent days, Oueiss has been reliving the trauma of the hack in light of an investigation into the leak of 50,000 phone numbers of potential surveillance targets identified by many of NSO Group’s government agency clients. The investigation — coordinated by Paris-based nonprofit organization Forbidden Stories and Amnesty International in collaboration with 16 media partners — appears to show how Pegasus spyware is linked to human rights violations around the world. The targets include heads of state, activists and journalists, including the family of Jamal Khashoggi, a Washington Post columnist who was assassinated by Saudi agents in the kingdom’s consulate in Turkey.

Oueiss said she was bombarded by another wave of online harassment when she shared some of the stories about the Amnesty International investigation on Twitter.

“I lived again and again the pictures and the harassment, the comments, the talking about my body, accusing me of prostitution,” she said. “But at least now the world knows how ugly those programs are and how vicious and evil it is when the tools that were supposed to protect people from terrorists or criminals are used against good people.”

“I am happy that the people who didn’t take me seriously when I said I was being spied on are now taking it seriously. I’m happy I am not alone,” she added.

Public shaming

Until the jacuzzi photos were posted online, Oueiss said she had worked hard to maintain a professional public image as a serious journalist. She would only post photos of herself wearing a jacket and avoided doing interviews about her personal life.

“They wanted to destroy the image of Ghada, the serious journalist who is not afraid to ask tough questions,” she said. “They wanted to say, 'She’s trying to be professional and serious, but she’s just a prostitute and you shouldn’t believe her anymore.' I know they want to silence me, but I will not be silenced.”

In December, Oueiss filed a lawsuit against the crown prince, along with other defendants including the United Arab Emirates ruler Mohamed bin Zayed and two Florida-based Twitter users who Oueiss said shared her photos online, alleging that she was targeted for her reporting on the Saudi regime as part of a broader campaign to silence her and other critics. According to the complaint, filed in the United States District Court for the Southern District of Florida, Oueiss’ phone was examined by a digital forensic expert who determined that Pegasus spyware had been used to gain access to her photos.

The defendants have filed motions to dismiss the case.

Human rights experts said repressive governments commonly try to shame women into silence.

“Pegasus is a spyware tool and a weapon used against freedom of the press, freedom of expression, human rights activism and journalism,” said Rasha Abdul Rahim, director of Amnesty Tech, a division of Amnesty International focused on technology and surveillance tools. “Women’s freedom of expression is abused and targeted in a very specific way both online and offline.”

“The focus is on silencing them, putting the attention on their bodies or what they should be wearing or saying,” she added.

Moratorium requests

Amnesty International is calling on governments to issue a moratorium on the export, sale and use of surveillance technology like Pegasus until there is a human-rights-compliant regulatory framework in place.

“There are certainly legitimate uses to this technology,” Abdul Rahim said, referring to law enforcement using the technology with judicial oversight. “The problem is there hasn’t been any meaningful accountability for abuse and there’s a lack of transparency about which governments have access to these tools.”

NSO Group licenses the military-grade spyware to governments for tracking terrorists and criminals who use encrypted devices to evade detection, the company says on its website.

NSO Group spokesperson Louis Rynsard told NBC News that “owing to contractual and national security considerations” the company “cannot confirm or deny the identity of our government customers.”

Rynsard added that although the company does not have sight of the targets selected for surveillance by its government clients, it carries out “vigorous pre-sale human rights and legal compliance checks” to minimize the potential for misuse.

“We take very seriously any allegation of misuse, including and especially the targeting of journalists, and do everything in our power to prevent that from happening,” Rynsard added, noting that if misuse is found, NSO Group can shut down that customer’s account to prevent further use of the spyware technology.

NSO Group has shut down multiple government accounts for misuse of Pegasus, Rynsard said.

The United Arab Emirates’ government press office did not respond to repeated requests for comment. But the Ministry of Foreign Affairs and International Cooperation issued a statement denying that it surveilled journalists.

“The allegations ... have no evidentiary basis and are categorically false,” the statement said, in part.

Saudi Arabia’s Ministry of Foreign Affairs also did not respond to repeated requests for comment, but last month, via the nation’s official news agency, it denied the allegations that “an entity in [the Kingdom of Saudi Arabia] used software to monitor phone calls.” It said the kingdom’s “policies do not condone such practices.”

‘I became the enemy’

Alya Alhwaiti, an activist and former professional equestrian from Saudi Arabia who now lives in London, said she believes she was also targeted in a hack-and-leak attack using NSO Group’s Pegasus spyware.

In 2018, her phone started behaving strangely: The device often froze. She received calls from strange numbers and occasionally messages appeared on screen indicating that files were being transferred, she said. At the same time, she was receiving threats and intimidating messages online that she said she believes were from individuals connected to the Saudi government.

Alhwaiti was Saudi Arabia’s first female professional equestrian and represented the kingdom in competitions between 2004 and 2011.

Image: Alya Alhwaiti (Courtesy Alya Alhwaiti)

“I was playing nice. But then when I started speaking my mind about what’s going on in Saudi Arabia, I became the enemy,” she said, referring to her activism over the assassination of Khashoggi in 2018 and more recently her campaign to stop the forced displacement of the al-Huwaitat tribe to make way for the Saudi government’s futuristic NEOM megacity project.

Alhwaiti said she went to Scotland Yard, and police there said her phone had been hacked. But they couldn’t figure out by whom: The IP addresses traced back to public places such as branches of McDonald’s and Costa Coffee shops. She replaced her phone, and Scotland Yard gave her a panic alarm to keep in her flat. But she was always looking over her shoulder; she moved between 16 different homes in two years, she said.

“It’s hard to live with fear. What stops them from repeating what they did to Khashoggi everywhere?” she said. “They would get away with it.”

In summer 2020, about the same time as Oueiss’ jacuzzi photo was leaked on Twitter, pictures that Alhwaiti said had only been stored on her phone started appearing online. In one photo, she is at a friend’s wedding, wearing a short dress with a bruise on her leg from horse-riding. In another, she’s sunbathing in shorts and a T-shirt. The pictures were posted to Twitter with fabricated stories accusing her of being drunk, promiscuous and allowing someone to bite her thigh. Hundreds of people on social media called her a slut. Others sent her death threats. Like with Oueiss, many of the accounts disparaging her appeared to be pro-government, with Saudi flags or pictures of the crown prince as their profile pictures.

Alhwaiti said she contacted digital forensic firm Citizen Lab, home to some of the world’s experts in Pegasus spyware, and asked them to check her phone. She said they told her they found traces of Pegasus and advised her to change her device again.

“I don’t feel safe in any way. I feel like I am being watched and I always have to watch behind my shoulder,” she said.

Citizen Lab declined to comment.

Intimidation pushback

Another alleged victim of this kind of attack was Alaa al-Siddiq, 33, an Emirati activist and executive director of human rights group ALQST.

Al-Siddiq’s phone started acting up in 2020 and she became concerned that she had been hacked like other prominent female activists, according to her co-worker Josh Cooper, deputy director of ALQST. She told friends and colleagues that she was scared her private photos would be leaked, said Cooper and an activist friend who did not wish to be identified over concerns for his safety.

Image: Alaa Al-Siddiq (Courtesy ALQST)

Citizen Lab examined al-Siddiq’s phone and found signs of a Pegasus infection, Cooper said. Her number also appeared on the list of targets leaked to Amnesty International.

Citizen Lab declined to comment.

Al-Siddiq continued to fear her photos would be leaked until she died in a car accident in Oxfordshire, England, in June. Cooper said that after talking to police, there was “no evidence of foul play.” Thames Valley Police said no arrests had been made.

“It is shocking, of course, but we knew there was a cybersecurity problem for years and nobody did anything about it,” said Lina al-Hathloul, an activist whose sister Loujain, a leading campaigner for the right for women to drive in Saudi Arabia before a change in the law in late 2017, was jailed for more than 1,000 days and released in February.

Image: Loujain al-Hathloul. (Rania Sanjar / AFP - Getty Images)

Lina al-Hathloul said she submitted her phone to be checked by Amnesty International for traces of Pegasus spyware about a month ago. But she said digital forensic analysts didn’t find anything.

Loujain al-Hathloul, whose number was on a list of potential targets for Pegasus spyware allegedly maintained by the United Arab Emirates, a close ally of Saudi Arabia, couldn’t check her phone to confirm a spyware infection, as her devices were confiscated by Saudi authorities when she was jailed, Lina al-Hathloul said. However, a digital protection expert who now works at human rights group Front Line Defenders checked Loujain al-Hathloul’s devices at a cybersecurity conference in 2017 and discovered that her emails were being read by a third party located in the United Arab Emirates, Lina al-Hathloul said. Front Line Defenders confirmed this but was not able to confirm if the unauthorized access had any connection to Pegasus.

“If a woman tries to express their opinion about unjust laws or says something that doesn’t please the government, they will leak your private pictures to intimidate you,” Lina al-Hathloul said. “It’s effective in the short term, but in the long term it won’t work. Women will realize they are being shamed and oppressed, and they will gather to unite against it.”
