Emirates flight attendant Hanan Elatr surrendered her two Android cellphones, laptop and passwords when security agents surrounded her at the Dubai airport. They drove her, blindfolded and in handcuffs, to an interrogation cell on the edge of the city, she said. There, she was questioned all night and into the morning about her fiance, Saudi journalist Jamal Khashoggi.
The next day, at 10:14 a.m. on April 22, 2018, while her devices were still in official custody, someone opened the Chrome browser on one of the Androids. They tapped in the address of a website, “https://myfiles[.]photos/1gGrRcCMO”, on the phone’s keyboard, fumbling over the tiny keys, making two typos, and then pressed “go,” according to a new forensic analysis by cybersecurity expert Bill Marczak of Citizen Lab. The process took 72 seconds. The website sent the phone a powerful spyware package, known as Pegasus, according to the new analysis. Over the next 40 seconds, the phone sent 27 status reports from its web browser to the website’s server, reporting the progress it was making in installing the spyware.
The spyware had been developed by an Israeli firm, NSO Group, for what it says is use against “terrorists and criminals.” The website was configured by NSO for a United Arab Emirates customer, said Marczak, whose research group is based at the University of Toronto and devoted to uncovering cyberespionage.
The new analysis provides the first indication that a UAE government agency placed the military-grade spyware on a phone used by someone in Khashoggi’s inner circle in the months before his murder.
“We found the smoking gun on her phone,” said Marczak, who examined Elatr’s two Androids at The Washington Post’s and her request. Emirati authorities returned them to her several days after her release.
Marczak said he could see the Android trying to install Pegasus, but he could not determine whether the spyware had successfully infected the phone, which would enable Pegasus to steal its contents and turn on its microphone. But he said the UAE operator did not type the website address in a second time, which would ordinarily be expected in the event of a failed first attempt.
Elatr’s phone was confiscated just after she and Khashoggi had gotten engaged and were in a long-distance relationship. Because both traveled frequently, with Elatr based in Dubai and Khashoggi in Washington, they often discussed travel and meeting plans in the United States and abroad using apps on their phones, according to Elatr and her phone records.
Marczak discovered the https://myfiles[.]photos address in 2017 while researching the presence of Pegasus spyware on global networks. By scanning the Internet, Citizen Lab was able to identify a network of computers and more than a thousand Web addresses used to deliver Pegasus spyware to the phones of targets in 45 countries, according to the group’s landmark “Hide and Seek” report. The methodology has been used by other cyber-researchers to identify Pegasus hacks worldwide.
The researchers found a particular set of web addresses, including https://myfiles[.]photos, associated with Pegasus targets primarily in the UAE.
Working with an international journalism consortium led by the Paris-based nonprofit Forbidden Stories, The Post reported in July that an unknown operator employing Pegasus sent five SMS text messages over an 18-day period in November 2017 and a sixth one on April 15, 2018, according to an analysis by Amnesty International’s Security Lab of Elatr’s Androids. The research could not determine if the texts resulted in Pegasus being installed inside the phone.
Marczak’s research advances the understanding of what happened to Elatr’s phone by identifying a UAE agency operator in the process of trying to install Pegasus on the device while she was in UAE custody. He also found forensic data indicating her Android was trying to install Pegasus.
Following The Post’s report in July, NSO Group chief executive Shalev Hulio said a thorough check of the firm’s client records showed none had used Pegasus to attack the phones of Khashoggi or Elatr before a Saudi hit team murdered him in Istanbul on Oct. 2, 2018.
After The Post’s most recent reporting, NSO’s attorney, Thomas Clare, said, “NSO Group conducted a review which determined that Pegasus was not used to listen to, monitor, track, or collect information about Ms. Elatr. The Post’s continued efforts to falsely connect NSO Group to the heinous murder of Mr. Khashoggi are baffling.”
The international investigation found that authoritarian governments have used Pegasus against journalists, human rights defenders, diplomats, lawyers and pro-democracy opposition leaders. New revelations continue to roll out. France found traces of the spyware on the phones of five ministers. The U.S. State Department announced that indications of Pegasus were found on the phones of 11 employees in Uganda. After initial denials, Hungary admitted it used the spyware.
The UAE, a federation of monarchies in the Persian Gulf, has been one of NSO’s most notorious clients. It has used Pegasus against anti-regime activists, journalists and even a royal princess attempting to escape her father, the international media investigation and others have found. In October, a British court revealed that NSO Group ended its contract with the UAE because Dubai’s ruler had used it to hack the phones of his ex-wife and her lawyer, a member of Britain’s House of Lords.
The UAE continues to deny all allegations against it. The UAE Embassy in Washington did not respond to multiple requests for comment. In the past, the UAE has denied allegations that it used Pegasus against human rights activists and other civil society figures.
The UAE is a longtime ally of Saudi Arabia. In 2013, the two countries signed a mutual security agreement promising cooperation on intelligence and law enforcement matters. The UAE has spied on Saudi dissidents abroad and sent them to Riyadh, according to human rights groups and a recent lawsuit filed in federal court in Portland, Ore., on behalf of an imprisoned Saudi human rights activist.
Three years ago, Hanan Elatr was a globe-trotting supervisor for the Emirates airlines. She was married to a pro-democracy icon and earning a salary that allowed her to support her mother and siblings. Today, she said, she fears for her life.
“Every day when I see the daylight, I don’t know why I’m still alive, because I’m the second victim after Jamal in this tragedy,” she said in a recent interview, tearing up. “I lost my life … I used to provide for my family and now I can’t even find my own food.”
Khashoggi’s new fiancee, Hatice Cengiz, was waiting for him outside the Saudi consulate in Istanbul. He had gone there to obtain a document necessary to marry her. Instead, he was murdered with the approval of Saudi leader Mohammad bin Salman, U.S. intelligence agencies later concluded.
Cengiz, whom Le Monde later dubbed the “unofficial heiress of Jamal Khashoggi,” became an effective spokeswoman in front of the crowd of television cameras that gathered outside the consulate.
Source: The Washington Post