The consortium did not disclose how it had obtained the list, and it was unclear whether the list was aspirational or whether the people had actually been targeted with NSO spyware.
Among those listed were Azam Ahmed, who had been the Mexico City bureau chief for The Times and who has reported widely on corruption, violence and surveillance in Latin America, including on NSO itself; and Ben Hubbard, The Times’s bureau chief in Beirut, Lebanon, who has investigated rights abuses and corruption in Saudi Arabia and wrote a recent biography of the Saudi crown prince, Mohammed bin Salman.
It also included 14 heads of state, including President Emmanuel Macron of France, President Cyril Ramaphosa of South Africa, Prime Minister Mostafa Madbouly of Egypt, Prime Minister Imran Khan of Pakistan, Saad-Eddine El Othmani, who until recently was the prime minister of Morocco, and Charles Michel, the head of the European Council.
Shalev Hulio, a co-founder of NSO Group, vehemently denied the list’s accuracy, telling The Times, “This is like opening up the white pages, choosing 50,000 numbers and drawing some conclusion from it.”
This year marks a record for the discovery of so-called zero days, secret software flaws like the one that NSO used to install its spyware. This year, Chinese hackers were caught using zero days in Microsoft Exchange to steal emails and plant ransomware. In July, ransomware criminals used a zero day in software sold by the tech company Kaseya to bring down the networks of some 1,000 companies.
For years, the spyware industry has been a black box. Sales of spyware are locked up in nondisclosure agreements and are frequently rolled into classified programs, with limited, if any, oversight.
NSO’s clients previously infected their targets using text messages that cajoled victims into clicking on links. Those links made it possible for journalists and researchers at organizations like Citizen Lab to investigate the possible presence of spyware. But NSO’s new zero-click method makes the discovery of spyware by journalists and cybersecurity researchers much harder.