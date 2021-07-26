Beginning July 18, a consortium of 17 news organisations reported on a mass mobile device surveillance operation by, possibly, multiple state actors. The exposé describes a scale that is unprecedented, and its targets include not just those typically sought by countries with slack democratic values – for instance journalists and human rights defenders – but also people usually shielded from surveillance targeting: heads of state, judges and industrialists.

At the heart of the disclosures is what the consortium says is a list of 50,000 phone numbers. The data was first obtained by a French nonprofit called Forbidden Stories, which collaborated with the consortium that includes Washington Post, The Guardian and India’s The Wire.

The reports have described the list as being of numbers “selected for targeting” by clients of Israel-based NSO Group, which makes the infamous Pegasus – mobile device surveillanceware that can intercept communications, retrieve photos and videos, log all keystrokes and turn on the device’s camera and microphone.

You can read more about the Pegasus Project by the consortium here and what the NSO Group as well as nation-states suspected of these spying campaigns have said here.

The consortium of journalists and Forbidden Stories has not shared more details of the nature of the list, its origin and how exactly it ties in with the deployment of NSO Group’s Pegasus, but statements from both sides and past discoveries about NSO Group and its associates provide some clues.

To be sure, these constitute clues in the public domain at present, and the nature of the evidence could change when the journalists disclose their source.

What is the list?

One of the Washington Post reports described it as: “...list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group... The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.”

Where the consortium found evidence of Pegasus was in forensic examination of devices belonging to some of the listed numbers: “But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds”.

But over time, more clues have emerged for what this list could possibly be. One of these is that it could be data from queries to a mobile network subscriber database, known as the Home Location Register (HLR). The suggestion originally came from an NSO Group statement, which said: “NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.”

What is an HLR lookup?

An HLR lookup is a query sent to a mobile network operator, typically over the SS7 signalling network, asking whether a particular mobile number is currently registered – that is, switched on and active on the network. The HLR is the database in which an operator keeps its subscribers’ records, which is why the query is answered by the number’s home network rather than by whoever asks.

Before some safeguards were brought in, the response also carried data such as the location of the tower the phone is active on, the network on which the user is actually a subscriber and their home location. But, according to telephone networking information company xConnect, HLR lookup “still supports basic number validation and low volume message routing applications”. Essentially, an HLR lookup can, at least, determine whether a phone is switched on and reachable.

Why is it relevant?

For one, an HLR lookup may be a precursor to a hack by those operating Pegasus: before attempting an infection, the operator needs to know that the phone is on and reachable. Forbidden Stories cites a source with direct knowledge of NSO’s systems saying: “...an HLR lookup is a key step of determining certain characteristics of a phone, such as whether it is turned on or in a country that allows Pegasus targeting.”
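To make the two ideas above concrete – a lookup as a possible precursor to infection, and the forensic “tight correlation between time stamps” the consortium relied on – here is an added illustration in Python. It is not code from the consortium, Forbidden Stories or any of the outlets, and the data in it is constructed: a handful of HLR lookup records (number, timestamp, whether the phone was reachable) and a handful of infection timestamps of the kind device forensics would produce. The field names `msisdn`, `ts` and `status`, the five-minute window and every number and timestamp are assumptions. For each number the code reports whether a lookup preceded a confirmed infection within the window, or whether the number was only looked up, or only found infected, which is exactly the distinction the article’s caveat turns on: a lookup record by itself is not evidence of infection.

```python
from datetime import datetime, timedelta, timezone

# Constructed HLR lookup log: NOT real data and NOT the consortium's list.
# 'status' models the one thing the article says a lookup can still reveal:
# whether the phone is switched on and reachable.
HLR_LOG = [
    {"msisdn": "+33600000001", "ts": "2021-04-15T09:12:03Z", "status": "reachable"},
    {"msisdn": "+33600000001", "ts": "2021-04-15T09:12:05Z", "status": "reachable"},
    {"msisdn": "+91900000002", "ts": "2021-05-02T14:00:00Z", "status": "reachable"},
    {"msisdn": "+44700000003", "ts": "2021-05-03T10:30:00Z", "status": "unreachable"},
    {"msisdn": "+44700000003", "ts": "2021-05-03T11:00:00Z", "status": "reachable"},
]

# Constructed forensic findings: the moment device analysis dates an infection.
# +91900000002 was never examined; +15550000004 is infected but not in the log.
FORENSIC = [
    {"msisdn": "+33600000001", "ts": "2021-04-15T09:12:09Z"},
    {"msisdn": "+44700000003", "ts": "2021-05-03T18:00:00Z"},
    {"msisdn": "+15550000004", "ts": "2021-06-01T08:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(hlr_log, forensic, window=timedelta(minutes=5)):
    """Classify every number seen in either source.

    verdicts:
      correlated     - a lookup precedes a confirmed infection within `window`
      no_correlation - infection confirmed, but no lookup close enough before it
      lookup_only    - the number was looked up; no device was examined
      forensic_only  - infection confirmed; the number never appears in the log
    Only lookups *before* the infection are considered: a lookup that happens
    afterwards cannot have been its precursor.
    """
    lookups, infections = {}, {}
    for rec in hlr_log:
        lookups.setdefault(rec["msisdn"], []).append((parse_ts(rec["ts"]), rec["status"]))
    for ev in forensic:
        infections.setdefault(ev["msisdn"], []).append(parse_ts(ev["ts"]))

    report = {}
    for num in sorted(set(lookups) | set(infections)):
        if num not in infections:
            report[num] = {"verdict": "lookup_only", "lookups": len(lookups[num])}
            continue
        if num not in lookups:
            report[num] = {"verdict": "forensic_only"}
            continue
        best = None  # (gap, status) of the closest lookup preceding an infection
        for inf_ts in infections[num]:
            for lk_ts, status in lookups[num]:
                gap = inf_ts - lk_ts
                if gap >= timedelta(0) and (best is None or gap < best[0]):
                    best = (gap, status)
        if best is None:
            report[num] = {"verdict": "no_correlation", "gap_s": None}
        else:
            verdict = "correlated" if best[0] <= window else "no_correlation"
            report[num] = {
                "verdict": verdict,
                "gap_s": int(best[0].total_seconds()),
                "lookup_status": best[1],
            }
    return report


if __name__ == "__main__":
    for num, info in correlate(HLR_LOG, FORENSIC).items():
        print(num, info)
```

Run as is, the script marks +33600000001 as correlated (the second lookup lands four seconds before the infection), +44700000003 as having no correlation (the last lookup is seven hours earlier), +91900000002 as lookup-only and +15550000004 as forensic-only. The point of the last two rows is that presence on a lookup list and confirmed infection are independent facts; only the timing relationship, established on an examined device, connects them.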

The second reason has to do with a company called Circles and, once again, clues from a recent interview with NSO Group’s CEO and co-founder Shalev Hulio. Here, some things are noteworthy:

NSO was approached with a list of numbers from a data broker a month ago. “He (the broker) said that there is a list circulating in the market and that whoever holds it is saying that the NSO servers in Cyprus were hacked and that there is a list of targets there and that we should be careful. We looked into it. We don’t have servers in Cyprus and don’t have these types of lists.”

This is where Circles may fit into the story. Citizen Lab, a University of Toronto-based cyber research group, published a report in December 2020 that determined Circles was “a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe”, and that “Circles is affiliated with NSO Group”.

Hulio’s responses in the interview suggest he maintains that NSO has no servers in Cyprus. The interview does not touch upon Circles. But a 2020 report from Vice seems to confirm the presence of Circles offices in Cyprus and that NSO shut them down that year.

What does all this mean?

NSO’s suspicion that the data is HLR lookup data, its CEO’s mention of a data broker with a list of numbers purportedly hacked out of Cyprus, and the known presence in Cyprus of an NSO Group associate, Circles – which has itself been implicated in providing surveillance capabilities – potentially offer the closest known trail of clues. It is possible that these numbers were part of a log of HLR lookups, which could in itself have been a precursor to infection with Pegasus – or the lookups alone may have constituted a less sophisticated form of surveillance.

But it is still important to note that these are circumstantial indications. Unless further evidence is disclosed, it is not possible to conclusively link all of the 50,000 numbers – except for those forensically confirmed to have been infected with Pegasus – to NSO Group’s malware.

