Inside Morocco’s deployment of Pegasus spyware against journalists and officials

A former member of Morocco’s domestic intelligence service has revealed how the country used Pegasus spyware to monitor journalists, politicians, and human rights defenders. This disclosure provides new insight into Morocco’s surveillance...

Inside Morocco’s deployment of Pegasus spyware against journalists and officials

A former member of Morocco’s domestic intelligence service has revealed how the country used Pegasus spyware to monitor journalists, politicians, and human rights defenders. This disclosure provides new insight into Morocco’s surveillance practices over several years.

The whistleblower’s testimony, supported by leaked data and investigations by multiple media outlets and Amnesty International, shows Morocco began deploying Pegasus in 2017. The spyware, made by Israel’s NSO Group, is alleged to have been used against both domestic and international targets.

A former member of Morocco’s domestic intelligence service has helped to provide an unprecedented insight into how the north African state used hacking software – including Pegasus spyware – to target journalists, human rights defenders, French politicians and Spanish cabinet ministers and police officers.

Related coverage: France and Morocco Deepen Strategic Partnership Following Diplomatic Reset.

Pegasus, which is manufactured by the Israel-based NSO Group, allows its operator to access everything on a target’s mobile phone, including emails, text messages and photographs. It can also activate the phone’s recorder and camera, turning it into a listening device.

Although NSO Group says Pegasus is sold only to governments to help them track criminals and terrorists, the spyware is alleged to have been used by several countries to target dissidents, journalists, diplomats and politicians.

More context: Community Health Volunteers Combat Polio Spread in Northern Kenya.

Morocco has long denied using Pegasus to target critics at home or abroad, and has claimed that reporters who have investigated NSO Group were “incapable of proving [the country had] any relationship” with the company.

However, evidence from a whistleblower who worked for Morocco’s Direction Générale de la Surveillance du Territoire (DGST) for almost a decade suggests the country’s internal security services began using Pegasus in 2017 and went on to deploy it against domestic and foreign targets over the course of four years.

Also read: How South African innovators are reshaping African wildlife documentaries.

Testimony from the source, known by the pseudonym of Safir, forms the basis of a multiyear investigation by the Moroccan journalist Hicham Mansouri, which has led to a collaborative investigation between several media groups, with technical support from Amnesty International’s Security Lab.

The consortium, which was coordinated by Forbidden Stories and comprises 14 media organisations – including Le Monde, Haaretz, El Confidencial, Die Zeit and the Guardian – has also analysed material detailing Morocco’s surveillance practices, from leaked emails to targeting records relating to Pegasus and other spyware, and from victims’ testimony to internal training material. Two other former Moroccan intelligence agents also provided information and corroborated facts. Safir’s testimony is corroborated by leaked material, including the Pegasus project dataset, which has been forensically analysed by Amnesty International’s Security Lab.

Background: Living with the Constant Threat of Floods in Lagos: The Emotional Toll.

According to information gathered by the consortium, NSO Group representatives gave high-ranking Moroccan intelligence officers and technical experts a long and detailed demonstration of new technologies – including Pegasus – in an expensive villa in Rabat in 2017. The source said the house was nicknamed “the FSSYS villa” after FSSYS Maroc, which was then the Moroccan branch of the UAE-based surveillance intermediary al-Fahad, and which frequently used the property for such demonstrations.

It is understood that those gathered for the demonstration immediately realised Pegasus’s “revolutionary” potential as its remote-infection capacity meant they would no longer have to physically access the mobile phones of their targets. As they watched, NSO representatives infected a number of test phones, remotely activating cameras, switching on microphones and accessing data and messages.

The whistleblower has suggested that the hugely expensive spyware was a gift from the UAE. “Millions for the Emiratis, that’s nothing,” said Safir. “The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.”

Before Pegasus was adopted by the DGST, the service had relied on a mix of old-fashioned human intelligence, targeting terminals in internet cafes and even persuading shopkeepers to sell mobiles pre-infected with other spyware to dissidents. According to Safir, the costly new spyware was used only for high-value targets once cheaper and less sophisticated options had been exhausted.

“We never start with Pegasus,” they said. “It’s the monster’s weapon.”

Evidence gathered for the journalistic investigation, which is titled the Pegasus Project: Inside the Moroccan Spying Machine, also reveals that four unique Moroccan mobile phone numbers were selected as Pegasus targets in September 2017, seemingly in order to test the fledgling system in Morocco. They included mobile numbers linked to two DGST staff members, which were apparently input to determine the spyware’s capabilities.

The leaked database at the centre of a previous Pegasus project investigation reveals that the numbers of Moroccan journalists and human rights defenders began to be put into the Pegasus system that same month – September 2017. Before long, the targeting had begun to extend beyond Morocco’s borders.

A Spanish mobile number belonging to Aminatou Haidar, a prominent human rights activist from Western Sahara, was included in the leaked database and found to have been targeted by Pegasus dating back to 2018. Traces of the spyware were also found on a second phone belonging to Haidar in November 2021. Meanwhile, a Spanish mobile number for the journalist Ignacio Cembrero – whose work is focused on the Maghreb – was also listed on the Pegasus project database.

All in all, Pegasus project records show more than 200 Spanish mobile numbers were selected for Pegasus targeting by the user believed to be Morocco. In May 2022, the Spanish government revealed that the mobile phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, were both infected with Pegasus spyware in May and June 2021.

The targeting came at a time when Madrid and Rabat were locked in a tense diplomatic row over Spain’s decision to allow the leader of the Polisario Front, which has long fought for the independence of western Sahara from Morocco, to be treated for Covid-19 in a hospital in northern Spain.

It later emerged that the phones of Spain’s interior minister, Fernando Grande-Marlaska, and its agriculture minister, Luis Planas, had also been targeted.

Repeated judicial attempts to get to the bottom of the use of Pegasus to target the Spanish cabinet have come to nothing. The investigating judge originally ended the inquiry in July 2023, but reopened it a few months later after the French authorities provided information on the use of Pegasus to infect the mobile phones of French ministers, MPs, lawyers and journalists.

But he shelved it once again in January this year, citing a chronic lack of cooperation from the Israeli authorities – including a failure to respond to his request to take a statement from NSO’s chief executive – that had violated “the principle of good faith” between countries.

However, recent analysis points to the DGST being responsible for the targeting of the senior Spanish politicians. Material assembled by the Pegasus project – including court documents – shows one of the attacker accounts that was assigned to Morocco’s Pegasus system and used to target politicians, journalists and human rights defenders in France was also used to target the phones of the Robles and Grande-Marlaska.

And yet, despite suspicions that Morocco may have been linked to the Pegasus targeting of Spanish politicians, Grande-Marlaska last year presented Abdellatif Hammouchi, the director general of the DGST, with the highest honour bestowed by Spain’s Guardia Civil, a gendarmerie that reports to both the interior and defence ministries. The move did not go down well with one Guardia Civil union, which said that giving the award “to a man who has faced international accusations of human rights violations and spying” was an affront to the dignity of the force’s officers.

More damningly, leaked documents, photographs and testimony from Spanish security forces and a former Moroccan intelligence agent suggest the DGST used its technical knowledge to seek access to the communications of Guardia Civil officers who had travelled to Morocco to share their counter-terrorism expertise.

The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco.

“We spy on everyone,” one former DGST officer told the consortium, adding that such targeted surveillance was carried out “just in case”. A senior Guardia Civil official described the revelations of spying on his force as “a betrayal”.

Although officers from Spain’s other nationwide law enforcement agency, the Policía Nacional, employ stringent precautions while travelling to Morocco – including using separate mobile devices for sensitive information – the Guardia Civil did not think such precautions would be necessary when collaborating with an ally.

“We didn’t do it because we didn’t suspect we would be spied on,” a senior Guardia Civil intelligence officer said.

Further evidence that Morocco used Pegasus emerged last year after WhatsApp’s parent company, Meta, took NSO Group to court in the US for exploiting its messaging platform to target people. An unsealed, redacted presentation given to the board of NSO Group’s parent company, Q Cyber Technologies, in early August 2018 includes a list of Pegasus end-user codenames.

According to reporting by the Israeli newspaper Haaretz, countries using Pegasus are assigned a name based on the first letter of that country and the name of a car manufacturer. Subaru, for example, had previously been identified as Saudi Arabia. Morgan has now been identified as Morocco after former NSO employees confirmed to the consortium that Morocco was a Pegasus end-user and was known by that codename.

In November 2021, NSO Group was placed on a US blacklist after Joe Biden’s administration determined the company had acted “contrary to the foreign policy and national security interests of the US”. Three weeks later, the Israeli financial newspaper Calcalist reported that Israel’s defence ministry had barred imports of Israeli cyber-technology to a number of countries, including Morocco and the UAE.

The investigation has not found any evidence of Pegasus-aided surveillance in Morocco after late 2021.

NSO Group, the Moroccan government, the UAE authorities and al-Fahad’s parent company have all been approached for comment, as have the Spanish government and its interior, foreign and defence ministries.

Related coverage:

Share
Discussion Inside Morocco’s deployment of Pegasus spyware against journalists and officials

    No comments yet. Start the discussion.

Related Stories