Washington Post: Investigation finds Israeli-designed spyware was used to hack journalists and activists around the world - CNN

The Post reported that "the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled."

CNN has not independently verified the findings of the Pegasus Project investigation, which was organized by Forbidden Stories.

In a lengthy statement to CNN on Sunday, NSO Group strongly denied the investigation's findings, saying in part that it sells its "technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts."

"NSO does not operate the system and has no visibility to the data," the company said, saying it will continue to investigate "all credible claims of misuse and take appropriate action based on the results" of such investigations.

NSO also said its systems "are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones."

The Post reported that while many of the numbers on the list were in the Middle East, including Qatar and the UAE, "the greatest number was in Mexico, where more than 15,000 numbers, including those belonging to politicians, union representatives, journalists and other government critics, were on the list."

Other countries, including India, Pakistan, Azerbaijan, Kazakhstan, France and Hungary, are also represented on the list, according to the newspaper.

The investigation found that the "numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks," the Post said.

"The consortium could not perform forensic analysis on most of these phones."

The newspaper noted that NSO "has said for years that its product cannot be used to surveil American phones" and added that the probe "did not find evidence of successful spyware penetration on phones with the US country code."

The spyware, which was developed a decade ago with the help of Israeli ex-cyberspies, is designed to easily circumvent typical smartphone privacy measures, "like strong passwords and encryption," according to the Post, which said it can "attack phones without any warning to users" and "read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts." The Post also noted that "spyware also can activate cameras and microphones for real-time surveillance."

The Pegasus spyware can initiate the attack in a number of different ways, the newspaper said, including through "a malicious link in an SMS text message or an iMessage." Some spyware companies use "zero-click" attacks, according to the Post, which deliver spyware simply by sending a message to a user's phone that produces no notification." "Users," the Post reported of such attacks, "do not even need to touch their phones for infections to begin."

In the case of Khashoggi, the newspaper said the spyware had targeted the two women closest to the late Washington Post journalist, who was killed in October 2018.