In Jordan's Pegasus hack, the digital trail leads to the government
Malak Abu Oraibi could tell something was wrong with his phone: It was frequently hot, slower than usual and the battery would drain at alarming speeds. He had a passing thought that maybe something was wrong – perhaps he had been hacked – but continued on as usual.
What Abu Oraibi, a Jordanian human rights lawyer, could never have imagined was that he had been hacked with one of the most advanced and expensive spywares in the world: Pegasus.
Pegasus is a software developed by the private Israeli company NSO Group. It gives hackers access to an entire phone’s contents, calls and allows for remote control of the microphone and camera.
Abu Oraibi would later find out that it was highly likely that it was his own government who commissioned the hack.
"The total number of Jordanians that have been hacked by Pegasus remains unknown, with some estimates alleging that up to 200 have been targeted by the Israeli spyware"
Technical analysis of his and several other Jordanians’ phones by the human rights organisation Frontline Defenders (FLD) revealed evidence that Jordanian government agencies allegedly used Pegasus in at least two cases against activists.
Evidence shows that Abu Oraibi’s phone was accessed remotely at least 21 times over a period of two years. He was just one of several Jordanian human rights defenders and journalists who were subject to digital intrusion.
The total number of Jordanians that have been hacked by Pegasus remains unknown, with some estimates alleging that up to 200 have been targeted by the Israeli spyware.
The Jordanian government did not respond to The New Arab’s request for a comment, but issued a rejection of FLD’s report shortly after it came out. The National Cyber Security Centre said on 5 April that allegations of Jordan using Pegasus are “baseless” and that it “has not cooperated with any agents with the aim of spying on citizens’ phones.”
The Jordanian denial came after months of silence from the government, despite requests from citizens targeted by Pegasus that the government open up an investigation into their cases.
New @FrontLineHRD & @citizenlab investigation has uncovered #Pegasus spyware on the mobile devices of 4 #Jordanian human rights defenders. Forensic analysis gives reason to believe two Pegasus operators belong to the Jordanian government.https://t.co/hgOHDaMAij pic.twitter.com/SJUhQqudZS— Front Line Defenders (@FrontLineHRD) April 5, 2022
Shifting the blame
In February, local news agency Amoon reported that up to 200 Jordanians had been hacked by an unknown Israeli spyware, citing an unnamed source “from a major investigative news agency.” Among those claimed to have been affected were members of the government, former politicians and current members of Jordan’s royal court.
A week later, a press conference was held in a cramped office building in an Amman business park. A cybersecurity expert, Hussein al-Jidi, flanked by alleged victims of the spyware, told viewers over livestream that the accusations of the hacks were part of an attempt to harm Jordan’s state security.
Al-Jidi said that the hacks were orchestrated by “foreign powers,” without naming who these powers were. Dima Tahboub, a former MP and spokesperson for the Muslim-Brotherhood affiliated Islamic Action Front, told The New Arab that she believed she was targeted by Pegasus by Israeli authorities.
Al-Jidi continued that activists like human rights lawyer Hala al-Ahed and politician Dima Tahboub were targeted by Pegasus as a way of gaining access to the Jordanian Royal Court. He explained that hackers used their phones as a sort of “bridge” to infect the WiFi of the Jordanian Royal Court and gain access to the computer systems there.
He concluded that the hacks in Jordan were an attack on the Jordanian state by an unspecified foreign power, and that activists who were hacked were merely collateral damage.
This explanation of how and why the Pegasus hacks happened “is totally not true ... and is a technical misunderstanding" of how the spyware works, Muhammed al-Maskati, a researcher at FLD who worked on the Jordan report, told The New Arab.
According to al-Maskati, Pegasus does not work through WiFi. Instead, it targets individual phones and cannot be used to “infect” WiFi networks or even other phones in the proximity of a hacked individual’s phone.
“This is just not how Pegasus works,” he said.
"Jordanian opposition sources privately told The New Arab that they viewed the state’s narrative as the government redirecting the blame for the Pegasus hacks away from itself"
Jordanian opposition sources privately told The New Arab that they viewed the state’s narrative as the government redirecting the blame for the Pegasus hacks away from itself.
They are a further attempt to cast doubt on the list of 200 Jordanians hacked by Pegasus, viewing it as an attempt by the state to claim it was not only Jordanian opposition figures that were hacked.
What is the evidence against Jordan?
It is near impossible for researchers to say with 100 percent certainty who was behind the Pegasus hacks. The primary evidence FLD relied upon to conclude that it was likely the Jordanian government who conducted the hacks constituted links sent to targets in an attempt to gain control of their devices.
At some point in late 2020 however, Pegasus switched to a “zero-click exploit,” allowing hackers to gain control of a device without any action from the user. This makes tracking the culprit much more difficult.
Still, the links prior to the advent of the zero-click exploit led to domain clusters used by Pegasus operators which were “highly likely” Jordanian government agencies, al-Maskati said.
He further pointed to the list of those who were proven to be targeted by Pegasus. Most were Jordanian human rights defenders whose main concern was Jordanian domestic politics and civil society.
Al-Maskati said the list of targets made the Jordanian government the most interested and most likely party to have ordered the Pegasus hacks.
Both Hala al-Ahed and Malak Abu Oraibi are human rights lawyers who are primarily working to defend activists in domestic political movements, such as the pro-democracy Hirak movement.
Abu Oraibi in particular worked to defend members of the Jordanian Teachers’ Syndicate, which was shut down in July 2020. Records show that a flurry of Pegasus hacks targeted his phone in the months before and after the shutdown of the syndicate.
"Abu Oraibi said that he was not particularly surprised that it was likely to be the Jordanian government behind the Pegasus hacks"
Security agencies are “terrified” of activists
Abu Oraibi said that he was not particularly surprised that it was likely to be the Jordanian government behind the Pegasus hacks. Still, it was an “extremely dangerous” development for activists and freedom of speech in the country, he said.
“I am no angel, every person has flaws and makes mistakes. But, if I were afraid of this [pressure], I would have never gotten into this work,” Abu Oraibi said.
Hala Al-Ahed said that the violation of privacy was particularly alarming for female activists who can face severe consequences in a more conservative country like Jordan as a result of their privacy being violated.
Rights groups, like the Committee to Protect Journalists, quickly objected to the hacking of human rights defenders and journalists’ phones. They called for Jordan and the international community to halt the use of surveillance technology against activists.
The NSO Group did not respond to a request for a comment, but has said in the past that it does not target human rights activists. Instead, it says, its technology is used to stop “terrorists, hardened criminals and paedophiles.”
To Abu Oraibi, the targeting of him and his fellow Jordanian activists is a sign that the authorities are “terrified.”
“The security agencies have begun to be afraid of everyday activists, not activists with foreign agendas, or people … with ulterior motives to create chaos. This is a sign of terror … and weakness, not strength,” Abu Oraibi said.
William Christou is The New Arab's Levantine correspondent, covering the politics of the Levant and the Mediterranean.
Follow him on Twitter: @will_christou