The mobile phone of a serving French minister showed digital traces of activity associated with NSO Group’s spyware, according to forensic analysis undertaken by the Pegasus project investigation.
François de Rugy, who was environment minister at the time of the activity, said he was “astonished” by the disclosure, which raises fresh questions over the use of spyware by customers of NSO, an Israeli surveillance company.
His details appeared on a leaked database, which also included mobile numbers for the French president, Emmanuel Macron, and the majority of his 20-strong cabinet, along with the then prime minister Édouard Philippe.
An NSO Group spokesperson said Macron and other French and Belgian government officials on the list “are not and never have been Pegasus targets”. “It is not a list of targets or potential targets of NSO’s customers,” they added.
Research by the Pegasus project suggests that Morocco was the country that may have been interested in Macron and his senior team, raising fears that their phones were selected by one of France’s close diplomatic allies.
An Élysée official said: “If this is proven, it is clearly very serious. All light will be shed on these media revelations. Certain French victims have already announced they will file legal complaints, so judicial investigations will be opened.”
The forensic analysis on De Rugy’s phone was undertaken by Amnesty International’s Security Lab, a technical partner on the Pegasus project. It showed traces of a Pegasus-related activity on the device, but no evidence of a successful infection.
A member of Amnesty’s lab said its researchers had discovered “an iMessage address, logged on the phone, which has been linked to to previous Pegasus attacks on French and Moroccan phones”. They added that the discovery “may be a preliminary step at the early stage of an attempted infection”.
De Rugy said he had reported the issue to the French state prosecutor. “The media investigation attributes a role to Moroccan intelligence services in this operation. This information surprises me. I have asked for an audience with the Moroccan ambassador to France.”
He said he reserved the right to take further legal action, if advised to do so.
The leaked list also contains numbers belonging to Charles Michel, the former prime minister of Belgium who now serves as the president of the European Council, as well as Michel’s father, Louis Michel, a former Belgian foreign minister.
The appearance of a number on the leaked list – which includes numbers selected by governments that are clients of NSO Group, the Israeli spyware firm – does not mean it was subject to an attempted or successful hack. NSO insists the database has “no relevance” to the company. The company said it may be part of a larger list of numbers that might have been used by NSO Group customers “for other purposes”.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
The revelations are the latest from the Pegasus project, a journalistic consortium led by Forbidden Stories, which had access to a database of 50,000 mobile phone numbers.
NSO said that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
But the list is believed to be indicative of individuals identified as persons of interest by government clients of NSO. It includes people, such as De Rugy, who had forensic analysis of their phones that found traces of Pegasus-related activity.
NSO insists it requires its government clients to only use its powerful spying tools for legitimate investigations into terrorism or crime.
Morocco said in a statement that it “categorically rejects and condemns these unfounded and false allegations”, adding that it was “erroneous” and “false” to say the country had infiltrated the phones of national or foreign public figures.
“The government of the kingdom of Morocco has never acquired computer software to infiltrate communication devices, nor have the Moroccan authorities ever resorted to such acts,” the statement said.
Charles Michel said: “We were aware of the threats, and measures were taken to limit the risks.”
Louis Michel was a member of the European parliament and co-president of the European Union and Africa Caribbean Pacific joint parliamentary assembly when his number appeared in the data in early 2019. He has close contact with several African heads of state.
Asked to comment, Louis Michel said: “I’m both surprised and disturbed by that information. I could never have imagined that new technologies could be so intrusive and extremely dangerous to the normal functioning of democracy. I’m glad I’ve been made aware.”
* * *
Macron, Morocco … and the malware
A former protectorate which gained independence from France in 1956, Morocco has a longstanding and extremely close diplomatic relationship with Paris, including intense cooperation on intelligence and counter-terrorism, which increased after the 2015 terrorist attacks in the French capital.
Dorothée Schmid, the head of the Turkey and Middle East programme at the French Institute of International Relations, said the friendship between the two countries could not be better.
“Under Emmanuel Macron the relationship has been seen as a completely idyllic period, a climate where there is a total absence of clouds.”
That was before this data leak.
It shows that Macron appears on the list in 2019 around the time of an African trip, including a visit to the African Union headquarters in Addis Ababa. There he issued a joint statement with the chair of the African Union Commission, Moussa Faki Mahamat, who was also selected by an NSO client government, among other high-level diplomats focused on Africa.
France’s presence in the Sahel region of west Africa, where it was on the frontline of the fight against Islamist militants, was a key area of focus for Macron’s government at the time, and the French president was preparing an upcoming G5 Sahel summit with Niger, Chad, Burkina Faso and Mauritania.
Morocco, an important diplomatic ally in the region, was to be invited to this summit.
It is not clear who specifically within the Moroccan government was apparently interested in monitoring at least one French minister’s phone, or what they hoped to get from it.
However, the forensic discovery on De Rugy’s phone raises questions as to whether there was a desire to spy on the inner workings of the heart of the French government. The data leak raises the possibility the intent could have been broad in scope, with the numbers of nearly all members of Macron’s cabinet appearing on the list.
Separately, Citizen Lab at the University of Toronto has confirmed through its own research that a Moroccan government-linked NSO client infected telephones in France between 2018 and 2021, and in Belgium in 2020.
* * *
Politicians, polemicists, advisers: the listed numbers
In total, 14 serving members of the French government appear in the data.
French politicians who appear on the list in 2019 included the then interior minister, Christophe Castaner, who was in charge of the country’s policing and a key figure in Macron’s election campaign.
The oldest and most experienced member of government, the foreign minister, Jean-Yves Le Drian, who met regularly with Macron, was also in the data.
The economy minister, Bruno Le Maire, the former justice minister Nicole Belloubet and the then budget minister Gérald Darmanin, who became interior minister the following year, also featured.
Others in the data include the education minister, Jean-Michel Blanquer, and the then agriculture minister, Didier Guillaume, Marc Fesneau, the centrist in charge of parliamentary relations, Annick Girardin, minister for France’s overseas territories, and Jacqueline Gourault, the then minister in charge of relations with local authorities.
The number for Julien Denormandie, a member of Macron’s inner circle and one of the founders of his political movement En Marche, was also in the data at the time he was serving as the minister for cities and housing. Sébastien Lecornu, the then minister for local authorities, was also included.
The numbers also included Emmanuelle Wargon, who was then a junior minister at the environment ministry.
The numbers of two of Macron’s advisers at the Élysée also appear in the data: a diplomatic adviser on Africa and Alexandre Benalla, a young aide and security adviser who was close to the president and his wife.
Benalla, who was born in France to Moroccan parents, has come under intense scrutiny over the exact role he played in Macron’s office.
During the presidential campaign he had acted as a bodyguard to Macron. He later served as a kind of non-official security adviser and aide at the Elysée. He was fired after a scandal in 2018 when he was alleged to have impersonated a police officer and attacked two demonstrators at a protest. Benalla, who has denied wrongdoing, will face trial for the alleged violence against demonstrators in September.
Figures from across the political spectrum in France appear in the data, including Éric Zemmour, a controversial polemicist, journalist and TV debate-show star who has been labelled France’s most famous far-right ideologue. Zemmour is considering whether to run in next year’s French presidential election.
He appears in the data in 2019, when he regularly appeared on French rolling news channels. Among inflammatory comments he made on TV that year were remarks criticising what he called too much youth immigration from Morocco.
Also appearing in the data in 2019 is Robert Ménard, the far-right mayor of the southern town of Béziers, who is close to Marine Le Pen’s National Rally party, and was once best known as the outspoken founder of the international journalists’ group Reporters Without Borders (RSF) before turning to the far right.
Olivier Besancenot, a former postal worker who ran as a presidential candidate for the tiny Communist Revolutionary League in 2002 and 2007, also appears.
Besancenot, who later founded the New Anticapitalist party (NPA), was seen as one of the leading figures in France’s anticapitalist movement. In 2017 the party expressed its support for a street protest movement in northern Morocco.
Additional reporting by Damien Leloup, Martin Untersinger, Elodie Guéguen and Jacques Monin in Paris.
Show your support for the Guardian’s fearless investigative journalism today so we can keep chasing the truth
