NSO Group's Pegasus malware was used to spy on Dubai princess's lawyers during child custody dispute

Firm apparently terminated UAE's contract when it realised

Updated Cherie Blair tipped off a Jordanian princess that the royal's estranged husband, the Sheikh of Dubai, had deployed NSO Group's Pegasus malware against her and her lawyers, a series of explosive High Court judgments [PDFs] have revealed.

Set against a backdrop of kidnappings, espionage and a bitterly contested child custody case, the judgments shine fresh light on the abusive uses to which NSO Group's malware products are put by some of its customers.

Sheikh Mohammed bin Rashid al Maktoum, the absolute ruler of Dubai, was found to have ordered the deployment of one of the world's most potent malware strains against Princess Haya bint Hussein, his former wife and a member of the Jordanian royal family, during a bitter court battle over custody of their children.

The judgments, made public last night, also revealed that diligent infosec work carried out by Canada's Citizen Lab, an academic surveillance research organisation, had helped uncover the spying and alert its victims. The sheikh's agents targeted not only Princess Haya but also her UK legal team, her physical security detail and others in her entourage.

While Sheikh Al Maktoum denied wrongdoing in a statement to the BBC, the Court of Appeal was clear:

… the phones of the mother, her legal advisers and various associates were hacked through the use of Pegasus software and that this surveillance was carried out by the servants or agents of [Sheikh Al Maktoum] and with his express or implied authority.

NSO confirmed to the High Court that it had terminated its contract with the United Arab Emirates (of which Dubai is one of seven federal states) on 7 December 2020, costing it "tens of millions of dollars".

The court case is the tip of the iceberg: the sheikh kidnapped two of his daughters during the 2000s after they attempted to flee from his control, according to a 2020 UK family court judgment.

Princess Haya fled to the UK in 2019, filing for various non-molestation orders in the High Court as well as for custody of their children, forcing the sheikh to fight the case away from his home turf.

Pegasus is malware deployed against iPhones that is capable of silently recording and forwarding activity from a vast number of common social media apps, as well as voice calls, photos and videos. It is widely seen as one of the leading mobile malware threats deployed by state and near-state threat actors.

Spouse of former PM Tony Blair tipped off fellow lawyer

Sheikh Al Maktoum sought to blame "the states of Iran, Israel and Saudi Arabia" and even Jordan, Princess Haya's home country, for deploying Pegasus, as the president of the High Court's Family Division ruled in May.

According to the judgement, the first inkling any of Princess Haya's team had that Pegasus was being used to spy on them through their personal devices was when Martyn Day, founder of London human rights law firm Leigh Day, contacted the princess's lead barrister, Baroness Fiona Shackleton. Day told her that Citizen Lab's Dr William Marczak, whom he knew, had seen internet traffic suggesting Princess Haya's lawyers had been infiltrated using Pegasus.

Separately Cherie Blair, who is married to former UK prime minister Tony Blair and advisor to NSO Group, contacted Baroness Shackleton on the same day (5 August 2020) saying the same thing. Blair, it emerged, had been giving legal advice to NSO Group. She had been "invited to make contact with Baroness Shackleton by a senior official in NSO Group."

IP addresses flagged up

Citizen Lab's Marczak had been investigating Pegasus' operation through a UAE activist named only as Mr X. Through analysis of Mr X's phone he had obtained a list of IP addresses of NSO's command-and-control (C2) servers used to manage Pegasus.

...the way in which Mr X's phones were made to communicate with the suspicious domain names, by sending a sequence of "knocking" packets before it sent a request, rather than simply making contact, further suggested that covert surveillance was being undertaken.

Further analysis of internet traffic yielded, so the court was told, IP addresses of devices communicating with those C2 servers.

"This led Dr Marczak to spot the IP address of the firm of solicitors instructed in these proceedings by the mother… Payne Hicks Beach ('PHB'). An internet search of PHB led to news stories relating to the present proceedings involving the mother and the father," recounted the High Court's "hacking" judgment [PDF].

Verifying Marczak's findings to the court's satisfaction proved tricky. A British firm called in to examine the iPhones of Princess Haya and her lawyers said there was "no sign" of surveillance – only for it to throw in the towel when handed a copy of Marczak's witness statement detailing Pegasus' presence, partially shown by suspiciously named apps installed on the iPhones.

"IntaForensics were not to know the scale and character of the task for which they were being recruited and they command the court's respect, rather than criticism, for flagging up their inability to complete the instruction as soon as the situation became clear," commented the judge.

Professor Alastair Bereford, of the University of Cambridge's Department of Computer Science and Technology, was able to verify Marczak's findings after being given access to his methodology.

Appeals dismissed

Sheikh Al Maktoum did not fully engage in the High Court's fact-finding process, instructing his lawyers to walk out of the courtroom. The High Court also refused to let his experts see raw data from the hacked iPhones, something he alleged was unfair to him.

Those experts included Sygnia, Israel-based purveyor of "military grade cyber security" – and, legally, had not been instructed as experts for the court proceedings. As the Court of Appeal noted, the company is based outside the UK's jurisdiction and therefore its views "would remain confidential to the father and would not be disclosed to the mother or the court."

Put another way, Sygnia could have extracted more data for the sheikh to use against Princess Haya – or even tipped off NSO as to Marczak's precise attribution method, enabling the malware vendor to shut him out in future. Had Sheikh Al Maktoum formally instructed a UK-based expert witness, the underlying data would have been disclosed – but he didn't.

The hugely complicated case shows, from an infosec perspective, that surveillance malware is not only an abstract computer security challenge. It has the power, especially in the modern era, to cause life-changing effects.

The courts concluded that Princess Haya's children should live with her in the UK and not with Sheikh al Maktoum in Dubai. The full set of judgments can be read on the judiciary website.

Neither NSO Group nor Citizen Lab responded to requests for comment. ®


If you're worried your devices may have been targeted by or infected with NSO's Pegasus spyware, Amnesty has technical details on detecting a compromise here.

Updated to add at 15:27 UTC 7 October:

The Register asked whether the revelations contradicted previous statements from NSO that the company was unable to ascertain the targets of its malware.

A spokesperson from the company responded: "To be clear, there is no discrepancy, NSO does not operate the products itself; we license approved government agencies to do so, and we are not privy to the details of individuals monitored.

"When we become aware of accusations of alleged misuse by one of our clients, we undertake a full investigation with the cooperation of that client as part of their contractual obligations to us. If we determine misuse, we will act to resolve the issue and shut down the product's capabilities, as we have done in the past."

Similar topics

Other stories you might like

  • Ubuntu 21.10: Plan to do yourself an Indri? Here's what's inside... including a bit of GNOME schooling

    Plus: Rounded corners make GNOME 40 look like Windows 11

    Review Canonical has released Ubuntu 21.10, or "Impish Indri" as this one is known. This is the last major version before next year's long-term support release of Ubuntu 22.04, and serves as a good preview of some of the changes coming for those who stick with LTS releases.

    If you prefer to run the latest and greatest, 21.10 is a solid release with a new kernel, a major GNOME update, and some theming changes. As a short-term support release, Ubuntu 21.10 will be supported for nine months, which covers you until July 2022, by which point 22.04 will already be out.

    Continue reading
  • Heart FM's borkfast show – a fine way to start your day

    Jamie and Amanda have a new co-presenter to contend with

    There can be few things worse than Microsoft Windows elbowing itself into a presenting partnership, as seen in this digital signage for the Heart breakfast show.

    For those unfamiliar with the station, Heart is a UK national broadcaster with Global as its parent. It currently consists of a dozen or so regional stations with a number of shows broadcast nationally. Including a perky breakfast show featuring former Live and Kicking presenter Jamie Theakston and Britain's Got Talent judge, Amanda Holden.

    Continue reading
  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading

Biting the hand that feeds IT © 1998–2021