The American daughter of Paul Rusesabagina, the imprisoned Rwandan activist who inspired the film Hotel Rwanda, has been the victim of a near-constant surveillance campaign, according to a forensic analysis of her mobile phone that found evidence of multiple attacks using NSO Group spyware.
Carine Kanimba, a US-Belgian dual citizen, has been leading her family’s effort to free her father from prison following Rusesabagina’s abduction and forced return to Kigali last year by the government of the Rwandan president, Paul Kagame.
Amnesty International’s forensic analysis found that Kanimba’s phone had been infiltrated since at least January this year.
Quick GuideWhat is in the Pegasus project data?
Show
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
It strongly suggests that the Kagame government – which has long been suspected of being a client of the Israeli surveillance firm NSO – has been able to monitor the 28-year-old’s private calls and discussions with US, European and British government officials. A spokesperson for the Rwandan government said the country “does not use this software system … and does not possess this technical capability in any form”.
A phone infected with NSO malware, as Kanimba’s has been, not only gives users of the spyware access to phone calls and messages, but it can also turn a mobile phone into a portable tracking and listening device. In the period before she was alerted to her phone being hacked, Kanimba said she had contacts with the US special presidential envoy for hostage affairs, British MPs, and the UK high commission office in Rwanda – all of which could have been monitored. She also held talks with Baroness Helena Kennedy, a barrister and member of the House of Lords.
The State Department declined to comment.
The forensic evidence suggests the spying began in January – though it may have been earlier – and paused in May while Kanimba was in the US. It resumed again on 14 June, the day she met the Belgian foreign affairs minister, Sophie Wilmès. Sources in the minister’s office said no sensitive information was shared in the meeting.
Rusesabagina is a Belgian national widely credited with saving more than 1,000 people in the Rwandan genocide. He became a vocal critic of Kagame and was living in the US and Belgium until his arrest by the Rwandan government last year. He is facing life in prison after being accused of terror-related charges, including murder and staging attacks in Rwanda. The 67-year-old’s family staunchly deny the allegations.
In an interview with Knack, a journalism partner in the Pegasus project, Kanimba described how the diplomatic effort to have her father released began from the moment she and her family discovered he had been kidnapped, with calls to “every single member of the European parliament and every member of the Belgian parliament” as well as human rights organisations.
“In 1994, during the genocide, the way my father was able to protect people in the hotel was that he made calls every day. With the last working telephone in the hotel,” she said. “And we did the exact same thing.”
News of the hacking campaign will heighten scrutiny of the Rwandan government’s treatment of Rusesabagina at a time when some US lawmakers have pushed for the administration of Joe Biden to put more pressure on Kagame to release him and to protect Rwandans in the US from harassment.
Q&AWhat is the Pegasus project?
Show
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Rwanda has long been suspected of being an end user of NSO malware, with a history of targeting dissidents at home and abroad.
In 2019, at least six dissidents connected to Rwanda were warned by WhatsApp that they had been targeted by spyware made by the NSO in an attack that affected hundreds of users around the world over a two-week period from April to May that year.
Key figures in the Rwandan diaspora, including exiles living in Canada and the US, appear to have been included in a leaked list of persons of interest to NSO clients.
Rusesabagina, who has been referred to as “Africa’s Schindler”, is alleged by family members to have been tortured in the days after his rendition. Rwandan authorities have denied that he was kidnapped or mistreated in custody. His trial has been condemned by human rights groups and has sharpened criticism of Kagame’s nearly three-decade-long hold over Rwanda from key allies in the UK and the US.
In an interview, Anaïse Kanimba, Carine’s sister, said her entire family felt as if they were under constant watch by the Kagame government.
In one case, she said she and her family had reason to suspect their emails were being monitored after her father’s lawyer, Felix Rudakemwa, was searched during a prison visit following a private communication from the family about an affidavit he wanted Rusesabagina to sign that would attest to his allegations of torture. The search, she said, appeared to be focused on finding the affidavit.
“We just assume we are being watched,” Anaïse Kanimba said. “We tell ourselves we have nothing to hide. But this idea of knowing constantly that someone is looking over you, it is really uncomfortable and scary … I hate living with it.”
There is no evidence that Anaïse Kanimba’s phone was hacked.
Vincent Biruta, Rwanda’s minister of foreign affairs, said: “Rwanda does not use this software system … and does not possess this technical capability in any form. These false accusations are part of an ongoing campaign to cause tensions between Rwanda and other countries, and to sow disinformation about Rwanda domestically and internationally.”
NSO denied “false claims” made about the activities of its clients, but said it would “continue to investigate all credible claims of misuse and take appropriate action”. It said in the past it had shut off client access to Pegasus where abuse had been confirmed.
Among the Rwandans that the Pegasus project found were listed in the data as candidates for possible surveillance was David Himbara, an economist who formerly worked for Kagame in Rwanda but later fled and sought protection in Canada. Himbara has questioned claims of stellar economic growth over the years, calling the figures a “fantasy”.
“The lifestyle forced on me is a preoccupation to avoid becoming another victim of Kagame’s death warrant. I do not take personal security for granted even though the distance between Toronto, Canada, where I live, and Kigali, Rwanda, is 11,703km to be precise,” he said.
A forensic analysis of Himbara’s mobile phone by Amnesty International has not found any evidence that it was successfully hacked. It is not clear from leaked records which client country selected Himbara as a potential target.