A former member of Morocco’s domestic intelligence service has provided an unprecedented insight into how the north African state used hacking software – including Pegasus spyware – to target journalists, human rights defenders, French politicians and Spanish cabinet ministers and police officers.
Pegasus, manufactured by Israel-based NSO Group, allows its operator to access everything on a target’s mobile phone, including emails, text messages and photographs. It can also activate the phone’s recorder and camera, turning it into a listening device.
Although NSO Group says Pegasus is sold only to governments to help them track criminals and terrorists, the spyware is alleged to have been used by several countries to target dissidents, journalists, diplomats and politicians.
Morocco has long denied using Pegasus to target critics at home or abroad, and has claimed that reporters who investigated NSO Group were “incapable of proving [the country had] any relationship” with the company.
However, evidence from a whistleblower who worked for Morocco’s Direction Générale de la Surveillance du Territoire (DGST) for almost a decade suggests the country’s internal security services began using Pegasus in 2017 and went on to deploy it against domestic and foreign targets over the course of four years.
Testimony from the source, known by the pseudonym of Safir, forms the basis of a multiyear investigation by the Moroccan journalist Hicham Mansouri, which has led to a collaborative investigation between several media groups, with technical support from Amnesty International’s Security Lab.
The consortium, coordinated by Forbidden Stories and comprising 14 media organisations, has also analysed material detailing Morocco’s surveillance practices, from leaked emails to targeting records relating to Pegasus and other spyware, and from victims’ testimony to internal training material. Two other former Moroccan intelligence agents also provided information and corroborated facts.
According to information gathered by the consortium, NSO Group representatives gave high-ranking Moroccan intelligence officers and technical experts a detailed demonstration of new technologies – including Pegasus – in an expensive villa in Rabat in 2017. The source said the house was nicknamed “the FSSYS villa” after FSSYS Maroc, then the Moroccan branch of the UAE-based surveillance intermediary al-Fahad.
The whistleblower has suggested that the hugely expensive spyware was a gift from the UAE. “Millions for the Emiratis, that’s nothing,” said Safir. “The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.”
Before Pegasus was adopted by the DGST, the service had relied on a mix of old-fashioned human intelligence, targeting terminals in internet cafes and even persuading shopkeepers to sell mobiles pre-infected with other spyware to dissidents. According to Safir, the costly new spyware was used only for high-value targets once cheaper and less sophisticated options had been exhausted.
Evidence gathered for the investigation, titled the Pegasus Project: Inside the Moroccan Spying Machine, also reveals that four unique Moroccan mobile phone numbers were selected as Pegasus targets in September 2017, seemingly to test the fledgling system in Morocco. The leaked database shows that numbers of Moroccan journalists and human rights defenders began to be put into the Pegasus system that same month.
Before long, targeting extended beyond Morocco’s borders. A Spanish mobile number belonging to Aminatou Haidar, a prominent human rights activist from Western Sahara, was included in the leaked database and found to have been targeted by Pegasus dating back to 2018. Pegasus project records show more than 200 Spanish mobile numbers were selected for targeting by the user believed to be Morocco.
In May 2022, the Spanish government revealed that the mobile phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles were both infected with Pegasus spyware in May and June 2021. It later emerged that the phones of Interior Minister Fernando Grande-Marlaska and Agriculture Minister Luis Planas had also been targeted.
Repeated judicial attempts to investigate the use of Pegasus to target the Spanish cabinet have come to nothing. The investigating judge ended the inquiry in July 2023, but reopened it a few months later after French authorities provided information on the use of Pegasus to infect the mobile phones of French ministers, MPs, lawyers and journalists. However, he shelved it again in January this year, citing a chronic lack of cooperation from the Israeli authorities.
Recent analysis points to the DGST being responsible for the targeting of the senior Spanish politicians. Material assembled by the Pegasus project shows one of the attacker accounts assigned to Morocco’s Pegasus system and used to target politicians, journalists and human rights defenders in France was also used to target the phones of Robles and Grande-Marlaska.
Despite suspicions that Morocco may have been linked to the Pegasus targeting of Spanish politicians, Grande-Marlaska last year presented Abdellatif Hammouchi, the director general of the DGST, with the highest honour bestowed by Spain’s Guardia Civil. The move was criticized by a Guardia Civil union, which said giving the award “to a man who has faced international accusations of human rights violations and spying” was an affront to the dignity of the force’s officers.
Leaked documents, photographs and testimony from Spanish security forces and a former Moroccan intelligence agent suggest the DGST used its technical knowledge to seek access to the communications of Guardia Civil officers who had travelled to Morocco to share their counter-terrorism expertise. The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco.
“We spy on everyone,” one former DGST officer told the consortium, adding that such targeted surveillance was carried out “just in case”. A senior Guardia Civil official described the revelations of spying on his force as “a betrayal”.
Further evidence that Morocco used Pegasus emerged last year after WhatsApp’s parent company, Meta, took NSO Group to court in the US. An unsealed presentation given to the board of NSO Group’s parent company includes a list of Pegasus end-user codenames. According to Haaretz, Morgan has now been identified as Morocco after former NSO employees confirmed to the consortium that Morocco was a Pegasus end-user and was known by that codename.
In November 2021, NSO Group was placed on a US blacklist. Three weeks later, Israel’s defence ministry barred imports of Israeli cyber-technology to a number of countries, including Morocco and the UAE. The investigation has not found any evidence of Pegasus-aided surveillance in Morocco after late 2021.
Source: www.theguardian.com