The leaked database at the heart of the Pegasus project includes the mobile phone numbers of the French president, Emmanuel Macron, and 13 other heads of state and heads of government, the Guardian can reveal.
The South African president, Cyril Ramaphosa, and the Pakistani prime minister, Imran Khan, are also listed in the data, which includes diplomats, military chiefs and senior politicians from 34 countries.
The appearance of a number on the leaked list – which includes numbers selected by governments that are clients of NSO Group, the Israeli spyware firm – does not mean it was subject to an attempted or successful hack. NSO insists the database has “no relevance” to the company.
NSO said Macron was not a “target” of any of its customers, meaning the company denies he was selected for surveillance using Pegasus, its spyware. The company added that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
But the list is believed to be indicative of individuals identified as persons of interest by government clients of NSO. It includes people who were later targeted for surveillance, according to forensic analysis of their phones.
NSO insists it requires its government clients to only use its powerful spying tools for legitimate investigations into terrorism or crime.
The Guardian and other media partners in the Pegasus project, an international consortium, identified those governments believed to be responsible for selecting individual numbers in the data by closely examining the patterns of selection.
Political figures whose numbers appear in the list include:
• The South African president, Cyril Ramaphosa, who appears to have been selected by Rwanda in 2019.
• Emmanuel Macron, the French president, who appears to have been selected as a person of interest by Morocco in 2019. An Élysée official said: “If this is proven, it is clearly very serious. All light will be shed on these media revelations.”
• Tedros Adhanom Ghebreyesus, the World Health Organization’s director general, who also appears to have been of interest to Morocco in 2019.
• Saad Hariri, who resigned as prime minister of Lebanon last week and appears to have been selected by the UAE in 2018 and 2019.
• Charles Michel, the president of the European Council, who appears to have been chosen as a person of interest by Morocco in 2019, when he was prime minister of Belgium.
• King Mohammed VI of Morocco, who was selected as a person of interest in 2019, apparently by security forces in his own country.
• Saadeddine Othmani, Morocco’s prime minister, who was also selected as a person of interest in 2018 and 2019, again possibly by elements within his own country.
• Imran Khan, the prime minister of Pakistan, who was selected as a person of interest by India in 2019.
• Felipe Calderón of Mexico, the former president. His number was selected in 2016 and 2017 by what is believed to have been a Mexican client during a period when his wife, Margarita Zavala was running for the country’s top political job.
• Robert Malley, a longtime American diplomat who was chief negotiator on the US-Iran deal, and who appears to have been selected as a person of interest by Morocco in 2019. NSO has said its government clients are prevented from deploying its software against US numbers because it has been made “technically impossible”.
The Pegasus project could not examine the mobile phones of the leaders and diplomats, and could therefore not confirm whether there had been any attempt to install malware on their phones.
In addition to denying Macron was a “target”, an NSO Group spokesperson also said King Mohammed VI and Tedros Ghebreyesus “are not, and never have been, targets or selected as targets of NSO Group customers”.
Lawyers for NSO said the firm defined targets as people who were “selected for surveillance using Pegasus, regardless of whether an attempt to infect her or his device is successful”.
The surveillance company says it does not have access to the data of its customers, but says that they are obligated to provide the firm with such information when they have placed them under investigation. The company appears to have undertaken such an investigation into Morocco, which is believed to be one of its clients.
Forensic examinations of a sample of 67 phones in the leaked data belonging to human rights activists, journalists and lawyers found 37 had contained traces of Pegasus infection or attempted infection. The analysis was done by Amnesty International’s Security Lab, a technical partner on the project.
The leaked data also suggests Saudi Arabia and the United Arab Emirates have appeared eager to consider monitoring Egyptian officials, despite both countries’ close ties to Egypt’s authoritarian ruler, Abdel Fatah al-Sisi.
Among the numbers selected as individuals of interest by an NSO client believed to be the Saudi government was that of the Egyptian prime minister, Mostafa Madbouly.
Both Saudi and UAE are believed to have selected Barham Salih, the president of Iraq, who is close to the US, as a candidate of interest to their governments. Salih’s UK number also appeared in the list.
Neither Saudi Arabia or the UAE have responded to requests for comment.
Rwandan authorities have staunchly denied having access to NSO Group technology, but have long been suspected of being a client of the Israeli firm. An analysis of the leaked data shows that Ruhakana Rugunda was selected as a candidate for potential surveillance in 2018 and 2019, when he served as prime minister of Uganda – a selection seemingly made by the government of Rwanda.
Morocco has denied spying on any foreign leaders, and has said reporters investigating NSO were “incapable of proving [the country had] any relationship” with the Israeli company. But an analysis of the leaked records showed Morocco appeared to have listed dozens of French officials as candidates for possible surveillance, including Macron.
Neither India or Pakistan have commented specifically on claims that Delhi may have selected Khan for targeting. India has said it has well established protocols for interception which requires approval from highly ranked national or regional officials for “for clear stated reasons only in national interest.”
Several state agencies in Mexico have acquired the Pegasus spyware starting with the defence ministry in 2011, and pervasive corruption in the country has prompted concerns that it could end up in the wrong hands.
The country’s former interior minister Miguel Ángel Osorio Chong, who served between 2012 and 2018, told the Pegasus project that during his term of office the interior ministry “never, never authorised or had knowledge or information that Cisen [Mexico’s national security intelligence service] owned or acquired the Pegasus hacking kit, and never authorised anything to do with hacking”.
In its statement, NSO said the leaked list “is not a list of targets or potential targets of NSO’s customers”. Through its lawyers, NSO previously said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and the list could not be a list of numbers “targeted by governments using Pegasus”.
Following the launch of the Pegasus project, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute the leaked data “has any relevance to NSO”, but added that he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he said.
Additional reporting by Shah Meer Baloch in Islamabad