Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group’s client governments, one name stands out as particularly ironic. Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list.
Durov, 36, is the founder of Telegram, which claims to have more than half a billion users. Telegram offers end-to-end encrypted messaging and users can also set up “channels” to disseminate information quickly to followers. It has found popularity among those keen to evade the snooping eyes of governments, whether they be criminals, terrorists or protesters battling authoritarian regimes.
In recent years, Durov has publicly rubbished the security standards of competitors, particularly WhatsApp, which he has claimed is “dangerous” to use. By contrast, he has positioned Telegram as a plucky upstart determined to safeguard the privacy of its users at all costs.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Without a forensic examination of Durov’s phone, it is not possible to say whether there was any attempt to install malware on the device.
An NSO source indicated Durov was not a target, meaning the source denies he was selected for surveillance using Pegasus, NSO’s spyware. The company insists that the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus.
Asked directly whether Durov’s phone was a target of Pegasus or any other activity related to the spyware, an NSO spokesperson did not directly answer the question. They said: “Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” Lawyers for NSO said its decision not to respond to certain allegations should not be treated as confirmation of those claims.
But the list, which the Guardian and other media had access to as part of the Pegasus project, an international collaboration, is believed to be indicative of individuals identified as persons of interest by government clients of NSO. It includes people who were later targeted for surveillance, according to forensic analysis of their phones.
Cybersecurity experts who have examined how NSO’s Pegasus spyware works say the software does not discriminate between encrypted messaging apps and can access pretty much everything on an infected phone. They say Telegram, as well as WhatsApp, Signal and other messaging apps promising end-to-end encryption, are in effect rendered powerless if the device on which they are installed is infected by hacking software as powerful as Pegasus.
Durov’s number, which appears on the list in early 2018, was the UK mobile number which has been linked to his personal Telegram account for years.
Neither the publicity-averse Durov nor Telegram’s press office responded to requests for comment sent to their Telegram accounts.
The list of governments and intelligence services that might be happy to get a look at the contents of Durov’s mobile phone is long. Durov left Russia in 2013 and has had several conflicts with the country’s security services. Telegram has also played a key role in driving protest movements in Belarus, Hong Kong and Iran.
However analysis of the leaked list suggests Durov might have been of interest to the United Arab Emirates (UAE).
Durov has a passport from the Caribbean country of St Kitts and Nevis and has lived a peripatetic existence since leaving Russia. But papers filed at Companies House in London show that in February 2018 Durov changed his official residence from Finland to the UAE. The timing coincides with the appearance of Durov’s phone in the leaked data, and suggests it may have been a case of his hosts attempting to run checks on their controversial new resident.
Despite an avowed disdain for the concept of nation states, Durov has cosied up to the rulers of his new home country since his move. In February this year, he met Sheikh Hamdan bin Mohammed bin Rashid al-Maktoum, the crown prince of Dubai. “We continue to welcome great talent and ideas to Dubai, which offers a nurturing ecosystem for their development,” said Sheikh Hamdan after the meeting, according to a press release from Dubai authorities.
The UAE and Dubai did not respond to requests for comment on the allegations regarding Durov. The Guardian understands Dubai is a former client of NSO, but had its access to Pegasus terminated after an investigation into allegations of misuse.
Durov only rarely makes public statements via his Telegram account, usually offering idiosyncratic lifestyle advice – always live alone, and eat a “seagan” diet of wild fish and nothing else, are two examples – or extolling the virtues of Telegram.
Some have doubted Telegram’s self-portrayal as a devoted privacy advocate that will bow to no government, noting that Telegram chats are not end-to-end encrypted by default, only the app’s “secret chat” function. “I am inclined to advise people to avoid using Telegram entirely because there are alternatives that are end-to-end encrypted all the time,” said Eva Galperin of the Electronic Frontier Foundation.
Galperin said it was important to note that end-to-end encryption still offered significant protection to the vast majority of users, many of whom, if they were targeted for surveillance at all, would probably be targeted by less advanced forms of surveillance than Pegasus.
In Belarus, where Telegram messages and channels have been driving revolutionary sentiment over the past year, authorities have had to resort to crude tactics to access the phones of activists – demanding arrested protesters unlock their phones and in May forcing a Ryanair plane transiting through Belarusian airspace with the administrator of a leading protest Telegram channel onboard to land in Minsk, where he was arrested.
“According to all the information we have, without physical access to the device, the Belarusian authorities can’t get into our Telegram messages,” said the administrator of another Belarusian protest channel, speaking via a Telegram voice call.
But this equation changes dramatically when the authorities in question have access to Pegasus. Belarus is not known to be among NSO’s clients, and there is nothing to suggest that it is. But several other repressive regimes in countries where human rights activists and journalists regularly use encrypted messaging apps have bought Pegasus. Additionally, the disclosures by the Pegasus papers consortium this week suggest that in many countries a broad range of people, and sometimes their families or associates, can become targets of the spyware.
Serguei Beloussov, a Singaporean tech entrepreneur who runs the data protection company Acronis, said software such as Pegasus made it hard to recommend particular messaging services as better than others. “Protecting a single application is not possible; the main vulnerability is your device,” he said. “The only fully secure device is one which is off.”
