A16 EZ SU THE WASHINGTON POST . WEDNESDAY, DECEMBER 22, 2021

the pegasus project

PEGASUS FROM A

UAE agency placed spyware on Khashoggi fiancee’s phone

The website sent the phone a powerful spyware package, known as Pegasus, according to the new analysis.

Over the next 40 seconds, the phone sent 27 status reports from its web browser to the website’s server, updating the progress it was making installing the spyware.

The spyware had been developed by an Israeli firm, NSO Group, for what it says is use against terrorists and criminals. The website was configured by NSO for a United Arab Emirates customer, said Marczak, whose research group is based at the University of Toronto and devoted to uncovering cyberespionage.

The new analysis provides the first indication that a UAE government agency placed the military-grade spyware on a phone used by someone in Khashoggi’s inner circle in the months before his murder.

“We found the smoking gun on her phone,” said Marczak, who examined Elatr’s two Androids at The Washington Post’s and her request. Emirati authorities returned them to her several days after her release.

Marczak said he could see the Android trying to install Pegasus, but he could not determine whether the spyware had successfully infected the phone, which would enable Pegasus to steal its contents and turn on its microphone. But he said the UAE operator did not type the website address in a second time, which would ordinarily be expected in the event of a failed first attempt.

Elatr’s phone was confiscated just after she and Khashoggi had gotten engaged and were in a long-distance relationship. Because both traveled frequently, with Elatr based in Dubai and Khashoggi in Washington, they often discussed travel and meeting plans in the United States and abroad using apps on their phones, according to Elatr and her phone records.

Marczak discovered the https://myfiles[.]photos address in 2017 while researching the presence of Pegasus spyware on global networks. By scanning the Internet, Citizen Lab was able to identify a network of computers and more than a thousand Web addresses used to deliver Pegasus spyware to the phones of targets in 45 countries, according to the group’s landmark “Hide and Seek” report. The methodology has been used by other researchers to identify Pegasus hacks worldwide.

The researchers found a particular set of web addresses, including https://myfiles[.]photos, associated with Pegasus targets primarily in the UAE.

Working with an international journalism consortium led by the Paris-based nonprofit Forbidden Stories, The Post reported in July that an unknown operator employing Pegasus sent five SMS text messages over an 18-day period in November 2017 and a sixth one on April 15, 2018, according to an analysis by Amnesty International’s Security Lab of Elatr’s Androids. The research could not determine if the texts resulted in Pegasus being installed inside the phone.

Marczak’s research advances the understanding of what happened to Elatr’s phone by identifying a UAE agency operator in the process of trying to install Pegasus on the device while she was in UAE custody. He also found forensic data indicating her Android was also trying to install Pegasus.

Following The Post’s report in July, NSO Group chief executive Shalev Hulio said a thorough check of the firm’s client records showed none had used Pegasus to attack the phones of Khashoggi or Elatr before a Saudi hit team murdered him in Istanbul on Oct. 2, 2018.

“Regarding the wife of Saudi journalist Jamal Khashoggi ... We checked and she was not a target,” Hulio told an Israeli technology publication in July. “There are no traces of Pegasus on her phone because she was not a target.”

After The Post’s most recent reporting, NSO’s attorney, Thomas Clare, said, “NSO Group conducted a review which determined that Pegasus was not used to listen to, monitor, track, or collect information about Ms. Elatr. The Post’s continued efforts to falsely connect NSO Group to the heinous murder of Mr. Khashoggi are baffling.”

Clare said the premise was “deeply flawed” and the details “make no sense from a technical standpoint.” He said Pegasus is installed remotely and that it would therefore be “completely unnecessary and make no sense” that a human would type the address of a Pegasus-linked website into a target’s phone.

That capability is described in NSO’s own marketing materials, first published in an unauthorized leak in 2014. The documents were filed as an exhibit in an ongoing lawsuit WhatsApp brought against NSO in 2019, alleging that Pegasus used the WhatsApp messaging service to infect phones. The materials state, “When physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes.”

Clare acknowledged that the spyware uses SMS texts to send website links that deliver Pegasus attacks. But he said that “technological safeguards prevent” this method from being used six times in an 18-day period. The NSO marketing materials say that “the system operator can choose to send a regular text message (SMS) or an email, luring the target to open it ... although the target clicked the link they will not be aware that software is being installed on their device.”

Clare said the marketing materials “are outdated and do not necessarily provide accurate descriptions of the software’s capabilities and limitations as of 2018.”

The Israeli Ministry of Defense requires NSO to get its approval before selling Pegasus to a foreign country to ensure the sale is in Israel’s national interest. NSO says it has sold Pegasus to 60 government agencies in 40 countries.

NSO said it has no visibility into the real-time targeting of individuals by its clients after it licenses its software to them. But the firm can demand access to customer records to investigate allegations of abuse. The company has said it has shut down five clients in the past several years and forgone millions of dollars in revenue because of its concern for human rights. It also said its technology has saved many lives by enabling law enforcement agencies to catch terrorists and criminals.

“There is one thing I want to say: We built this company to save life. Period,” Hulio told The Post in July.

He said of the reports of the attacks on journalists and other abuse: “It’s horrible. I am not minimizing it. But this is the price of doing business. ... This technology was used to handle literally the worst this planet has to offer. Somebody has to do the dirty work.”

The international investigation found that authoritarian governments have used Pegasus against journalists, human rights defenders, diplomats, lawyers and pro-democracy opposition leaders. New revelations continue to roll out. France found traces of the spyware on the phones of five ministers. The U.S. State Department announced that indications of Pegasus were found on the phones of 11 employees in Uganda. After initial denials, Hungary admitted it used the spyware.

Countries have responded forcefully. The United States, Britain and France each spoke with high-level Israel officials to express their consternation. The Biden administration blacklisted NSO Group from receiving access to certain U.S. technologies last month, adding it to an “entities list” reserved for companies whose activities are “contrary to the national security or foreign policy interests of the United States.” NSO said it was “dismayed” by the move and is seeking its reversal. Apple is suing NSO to prevent it from targeting iPhones with Pegasus in the future.

“I’m glad governments are beginning to understand that the lack of regulation can lead to deadly consequences,” said Randa Fahmy, Elatr’s Washington-based pro bono attorney.

The UAE, a federation of monarchies in the Persian Gulf, has been one of NSO’s most notorious clients. It has used Pegasus against anti-regime activists, journalists and even a royal princess attempting to escape her father, the international media investigation and others have found. In October, a British court revealed that NSO Group ended its contract with the UAE because Dubai’s ruler had used it to hack the phones of his ex-wife and her lawyer, a member of Britain’s House of Lords.

The UAE continues to deny all allegations against it. The UAE Embassy in Washington did not respond to multiple requests for comment. In the past, the UAE has denied allegations that it used Pegasus against human rights activists and other civil society figures.

The UAE is a longtime ally of Saudi Arabia. In 2013, the two countries signed a mutual security agreement promising cooperation on intelligence and law enforcement matters. The UAE has spied on Saudi dissidents abroad and sent them to Riyadh, according to human rights groups and a recent lawsuit filed in federal court in Portland, Ore., on behalf of an imprisoned Saudi human rights activist.

The human consequences of Pegasus abuse

Three years ago, Hanan Elatr was a globe-trotting supervisor for the Emirates airlines. She was married to a pro-democracy icon and earning a salary that allowed her to support her mother and siblings. Today, she said, she fears for her life.

“Every day when I see the daylight, I don’t know why I’m still alive, because I’m the second victim after Jamal in this tragedy,” she said in a recent interview, tearing up. “I lost my life ... I used to provide for my family and now I can’t even find my own food.”

She has spent most of her savings and for a time was sleeping on an air mattress in an empty apartment. At age 53, she recently moved into a basement bedroom of a stranger while waiting for her political asylum case to work its way through the system.

With the help of Rep. Jamie Raskin (D-Md.), she recently received a temporary work visa. In addition to organizing her new life, she dresses in her finest clothes and high heels, does her makeup and hair and then takes the Metro or buses to job interviews at local hotels and restaurants. Last week she landed a job as a waitress for $2.70 an hour plus tips.

Elatr said she feels forgotten in the wake of Khashoggi’s murder. She found out he had disappeared via Twitter after waking up from a long flight, alone in her apartment in Dubai. While she was dealing with the likelihood he had been murdered, she was also learning that he was planning to marry another woman, an accepted practice among Muslims in some countries.

His new fiancee, Hatice Cengiz, was waiting for him outside the Saudi consulate in Istanbul. He had gone there to obtain a document necessary to marry her. Instead, he was murdered with the approval of Saudi leader Mohammed bin Salman, U.S. intelligence agencies later concluded. Mohammed has denied any involvement, and some of his underlings have been convicted and sentenced for the crime.

Cengiz, whom Le Monde later dubbed the “unofficial heiress of Jamal Khashoggi,” became an effective spokeswoman in front of the crowd of television cameras that gathered outside the consulate.

Elatr, meanwhile, has struggled for attention. She was Khashoggi’s fourth wife, after his three divorces. Many of Khashoggi’s friends in Washington did not know about his marriage to her in Virginia in June 2018.

“Nobody knew her. Jamal had kept it a secret,” said Sarah Leah Whitson, a longtime human rights advocate and the executive director of Democracy for the Arab World Now (DAWN), a Mideast-focused organization founded by Khashoggi. “I don’t know what was going on in his head.”

Amnesty International’s initial steps to help Elatr as far back as May are still tangled in bureaucracy and miscommunication seven months later, according to correspondence between the organization and Elatr’s attorney. The organization said it has been overwhelmed by surges in refugees and said that “unfortunately there were unexpected delays” in handling Elatr’s case, but it intends to reconnect with her to complete a review of the matter.

In Turkey, Cengiz’s life has been demolished, too, she told The Post in an interview in Istanbul this summer. Turkey has assigned her constant bodyguards, and safety considerations prevent her from traveling in the region and remaining in her academic position.

“In the case of both Hanan and Hatice, their lives have been completely upended. Both have paid a tremendous price,” said Whitson. “Hanan has been interrogated and harassed by the UAE and is in dire financial straits and Hatice,” too, is suffering.

Death threats, interrogations and house arrest

On the evening of April 21, 2018, Elatr had finished a 15-hour flight from Toronto to the UAE, weary and ready for bed, when she entered immigration as usual at Dubai International Airport. She immediately noticed a cluster of official-looking men staring at her. She knew that Khashoggi was a target because of his human rights advocacy. She rushed to the bathroom to call her sister.

“Something is not right,” she remembers telling her in the toilet stall. She quickly deleted WhatsApp, which she and Khashoggi used to communicate. When she came out of the restroom, a large man trapped her on one side and the sole woman in the group on the other. “Walk with us quietly and behave,” the man whispered.

She felt sick and began shaking uncontrollably, she said. The agents drove her to her home, blindfolded and in handcuffs, to search for documents and computers, according to her sworn

CAROLYN FONG FOR THE WASHINGTON POST
“We found the smoking gun on her phone,” cybersecurity expert Bill Marczak said of the NSO Group spyware discovered in his forensic analysis of Hanan Elatr’s phone.

COURTESY OF BILL MARCZAK; HANAN ELATR
At left, images of the last WhatsApp messages between Hanan Elatr and Jamal Khashoggi before he was killed by a Saudi hit team on Oct. 2, - They discussed her birthday and plans for a visit. At right, the couple at a Virginia flower shop on their way to get married in June 2018.