Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware  

This is a joint report between Front Line Defenders and the Citizen Lab. 

● The devices of four Jordanian human rights defenders, lawyers, and journalists were  hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021. The targets include those working against corruption in Jordan. 

● We assess that two of the four targets were hacked by Pegasus operators primarily  focused on Jordan, based on SMS messages containing Pegasus links that map to a  cluster of domain names focusing on Jordanian themes. 

● We identify two Pegasus operators that we believe are likely agencies of the Jordanian  government. The first, MANSAF, has been active since at least December 2018, and the second, BLACKIRIS, has been active since at least December 2020. 

● One of the targets’ iPhones was successfully hacked on December 5, 2021, showing  that NSO Group has remained active on Apple’s platform even after Apple sued NSO  Group and notified Pegasus targets in November 2021. 

● Our findings build on an earlier report from Front Line Defenders, which found that the  phone of Hala Ahed Deeb, a Jordanian lawyer and woman human rights defender, was  infected with Pegasus. 

Human Rights Context in Jordan 

General Context 

The Hashemite Kingdom of Jordan is a constitutional monarchy ruled by King Abdullah II bin al Hussein. The King retains wide executive and legislative power under the constitution of 1952  which guarantees him the power to appoint the Senate, the prime minister, and the  ministers.The Monarch is also the commander-in-chief of the armed forces. The parliament (Majlis al-Umma) consists of two chambers: the House of Representatives (Majlis al-Nuwwab),  elected by the public, and the Senate (Majlis al-Ayan), appointed by the monarch. 

Human rights defenders (HRDs) in Jordan operate in a restrictive environment. Since 2011, however, waves of grassroots protests have erupted – often catching the authorities by surprise  – as increasing frustration over government corruption and the widening gap between rich and  poor fuels discontent. Recent international investigations as part of the Pandora papers confirmed suspicions about corruption at the very highest levels of the state, and in response to  popular protest, authorities have taken harsher measures to crackdown on activists.  

Jordanian authorities have exploited the global COVID-19 pandemic to further curtail individual  freedoms, including freedom of expression and assembly. In response to the pandemic, King  Abdullah issued a royal decree on March 17, 2020 activating a 1992 defence law, which gives  the Prime Minister (Omar Razzaz) broad powers to restrict basic rights. On April 15, 2020, the  authority issued an emergency decree that prohibits the publishing, republishing or circulating  any news about the epidemic that would terrify people or cause panic among them through the  media, telephone or social media. Breaking the order, can result in a jail sentence of up to three  years, a fine of 3,000 Jordanian Dinars (US$4,230), or both. The emergency decree has had  chilling effects on freedom of expression and freedom of online discussion around the  pandemic.  

Human Rights Watch documented various arrests related to spreading misinformation about the COVID-19 pandemic. 

Despite the government’s countermeasures, large-scale protests organised by public school  teachers emerged in July 2020. While the protests were initially motivated by issues around  teachers’ wages, the discontent swiftly extended to broader economic and political issues. Jordanian security forces intervened to suppress protesters and around 1000 teachers were  arrested in August 2020. Further, the government used the judicial system to target and  dissolve the Jordanian Teachers’ Syndicate (JTS). The Amman Magistrate Criminal Court made a contentious ruling on December 31 2020 authorizing the dissolution of the Jordan Teachers’ Syndicate and the imprisonment of its board members. United Nations human rights experts condemned the government’s actions and called on Jordan to annul the decision and free the  detained board members. However, on October 31, 2021, the Amman Court of Appeal decided  to annul the decision of the Court of First Instance regarding the dissolution of the JTS’ Council  and the case is still pending in the Amman Court of First Instance. 

In March 2022, in an attempt to prevent protests, the Jordanian authorities arrested 29 activists  on the anniversary of Jordan’s 2011 Arab Spring protests. 

Jordanian Teachers’ Syndicate Case 

JTS is a labor union formed in the aftermath of 2011 protests in Jordan. It is considered the largest independent union in Jordan. In 2019 , Jordanian public school teachers led the longest  public sector strike in the nation’s history. After four weeks of strikes, the government was  forced to agree to a deal over wages to end the strike. Despite the hardship caused by the strike – delaying the start of the school year by a month for the vast majority of students – the  teachers enjoyed wide popular solidarity and support. 

In April 2020, the government announced a freeze on all public sector pay rises, including for  teachers, citing the COVID-19 pandemic. On July 25, 2020, Amman’s prosecutor-general  ordered the – Teachers Syndicate’s national headquarters, as well as its branches and offices,  to close for two years and security forces arrested all of the 13 syndicate board members.  Moreover, a gag order has been issued by the prosecutor on investigations into this case.  Following the closure, authorities cracked down on demonstrations across the country  protesting the closure.. 

The Jordanian Hirak Movement 

The Jordanian Hirak emerged as a youth social movement in 2011 (Hirak means movement in  Arabic). Hirak mobilized a new wave of social movements in Jordan. Unlike traditional political opposition groups that historically focus on electoral and political parties’ legislations reform,  many Hiraki youth activists believed that true change was not the reform of a powerless Lower  House. Instead, they advocated for economic transformation, which they saw as central to  political decision-making and sovereignty.  

Activists associated with the movement have experienced years of government persecution,  including multiple arrests, termination of employment and travel bans. 

A new wave of crackdown on Hirak activities emerged in February 2022 when Jordanian  security forces arrested nine Hirak reform activists from their residences late on February 13  and another activist from his workplace in Zarqa on February 14. On February 24, they detained an eleventh activist, Ahmad Neimat, when he paid bail for one of the inmates, Abed Tawahie, a 65-year-old engineering professor (although Tawahie was arrested again on February 25). Each of the detainees has been charged with “spreading false news” under article 15 of the Cybercrime Prevention Law and “inciting strife” under article 150 of the Penal Code.  

Jordan’s Nongovernmental Organization Law 

In December 2019, Jordanian authorities amended the pre-approval process for local Jordanian nongovernmental organizations (NGOs) to receive funding from foreign sources (although this amendment excluded international organizations). This significantly limited NGOs; work and local NGO leaders stated that the new process was not transparent and forced them to reconsider their operations in order to continue their work.

The Jordanian authorities have been pursuing to expand its monitoring and restricting access to online platforms and content. 

In 2019, Jordan blocked local access to a website run by exiled activists alurdunyya.net.  The authorities imposed restrictions on social media networks during the Teachers’ Syndicate’s  protests and strikes in July and August 2020, Facebook Live stream was restricted on multiple  occasions, especially during larger demonstrations. Similarly, the authority responded to the  mass protests in the aftermath of Covid-19 patients’ death in al-Salt Hospital due to oxygen  shortage, by restricting access to Facebook Live streaming and Clubhouse.  

Denial of access to platforms or websites has been a common practice in Jordan.  www.archive.org is among these examples, as the Citizen Lab report concluded. Further, the online LGBTQ magazine My.Kali has been blocked in Jordan since 2016, later in  2017, The Jordanian Audiovisual Commission issued an order to block access to the website.  Recently, on October 2, 2021, hours before the release of Pandora papers, Jordan blocked  access to the ICIJ website. 

Several circumvention techniques were reported by service providers in 2021, resulting in  restrictions on virtual private networks (VPNs). Furthermore, in order to be able to use the  internet in an Internet café, clients must provide personal identity information. Under the  Cybercrime law of 2010, Internet café have been ordered to install surveillance security  cameras and to retain the browsing histories of users for at least six months. 

In January 2022, Front Line Defenders published a report finding that the phone of Hala Ahed  Deeb, a Jordanian lawyer and woman human rights defender, was infected with Pegasus.  Following publication, Front Line Defenders received numerous requests from Jordanian human rights defenders, journalists and other civil society activists to check their devices. Front Line  Defenders checked 60 iPhones, with case referrals from the Jordan Open Source Association, in collaboration with the Citizen Lab. Three of the victims consented to be identified (listed  below), while one wished to remain anonymous. 

Hacking of Jordanian Targets 

Victim: Ahmed Al-Neimat 

Ahmed Al-Neimat is a human rights defender, an anti-corruption activist, and a member of the Hirak movement. Because of his activism, Al-Naimat was exposed to various issues with the Jordanian security forces; including multiple arrests and the imposition of a travel ban and a ban on employment. 

On May 30, 2018, Al-Neimat was among the organizers and supporters of a general strike to reject a proposed bill on income tax that had been submitted to the parliament. Most institutions and industrial and commercial sectors joined the strike, including the engineers’ union, the lawyers’ union, the nurses’ union, and the journalists’ union. 

Al-Neimat’s activism was partly motivated by the As-Salt Hospital incident, where news spread of a lack of oxygen for patients with COVID-19 in the governorate of Balqa. According to local media outlets citing the government, the incident occurred in a department where more than 150 patients were being treated and resulted in the deaths of at least seven patients. 

In 2020, Al-Neimat was arrested when he was leaving the National Centre for Human Rights, which he had visited to file a complaint against his mistreatment by the Jordanian authorities. He was then later released.  

In February 2022, Al-Neimat was again arrested due to a court ruling issued against him regarding the hospital protests. 

Al-Naimat’s phone logs show that his phone was hacked on or around January 28, 2021 for a period of approximately two days. The logs indicate that this was a zero-click exploit, likely the  FORCEDENTRY exploit. We had not previously seen any cases of FORCEDENTRY deployed  before February 2021. So far, this is the earliest suspected FORCEDENTRY case. 

Victim: Malik Abu Orabi 

Malik Abu Orabi is a human rights lawyer and a member of The National Forum for the Defense of Liberties and part of the legal team defending the JTS. In 2021. Orabi was arrested at protests that occurred in the Ministry of Interior Roundabout (Gamal Abdel Nasser Square) for the commemoration of the 10th anniversary of the Arab Spring in Jordan. He was detained for five days before he was released with personal bail until a conviction against him was issued. 

The court decided to fine him 100 Jordanian dinar (approximately 128 euro) for violating the  defense law relating to the health situation in the country. He has been arrested several times  due to his participation in several demonstrations. He was also summoned more than once by  security authorities. 

We identified the following text messages on Abu Orabi’s phone that contain links to Pegasus  servers.

Victim: Suhair Jaradat 

Suhair Jaradat is a human rights defender and a trainer specializing in investigative reporting  as well as feature and editorial writing. Jaradat received the al-Hussein Prize for creative  journalism in 2018. She is a former member of the Jordanian Journalists’ Syndicate Council and Member of the Executive Committee of the International Federation for Journalists (IFJ) in  Brussels. 

We identified the following SMS message on Jaradat’s phone containing a link to the Pegasus spyware:

We also identified the following WhatsApp messages on Jaradat’s phone, impersonating a popular anti-government Twitter user in Jordan https://twitter.com/GeneralInspect2: 

Victim: WHRD and Journalist A 

WHRD and Journalist A is a Jordanian Woman Human Rights Defender (WHRD) and journalist, who has chosen to remain anonymous due to the risks that she may face. Her phone was hacked at the following times: 

Read Also:

Unsafe Anywhere: Attacked by Pegasus, Women Activists Speak Out

Spyware in Jordan

The Jordanian Government appears to have used spyware for a number of years, including  FinFisher spyware, which Citizen Lab detected in December 2014. However, no civil society  targets of this spyware were publicly identified at the time. 

Pegasus in Jordan 

Based on our Internet scanning and monitoring of NSO Pegasus servers at the Citizen Lab, we  believe that there are two Pegasus customers that are primarily focused on spying in Jordan.  

One of the customers, which we name MANSAF, appears to be spying primarily in Jordan, with  limited additional operations in Iraq, Lebanon, and Saudi Arabia. We believe that MANSAF has  been operating since December 2018. 

The other customer, which we name BLACKIRIS, appears to be spying almost exclusively in  Jordan, and has been active since at least December 2020. An April 2021 report in Axios mentioned negotiations between NSO Group and Jordanian authorities “in recent months”, with one source mentioning a contract had been signed. 

Targets in This Case

Both Jaradat and Abu Orabi received text messages (Figures TKTK, TKTK) that included links  to Pegasus websites. The websites matched our Internet scanning for Pegasus servers, and  appear to all have been registered by Dreamhost. We have typically observed different Pegasus customers’ infrastructure set up with different hosting providers. 

We provide a list of all Dreamhost websites that we detected in scanning below. We redact  several names below given that they contain themes suggestive of targeting terrorist groups:

While we cannot directly connect these names to any specific Pegasus operator (because of the way the domain names are set up), we do believe that this cluster of domains shows a focus  indicative of Jordan.

In this report, we find once again that a government client of NSO Group has used Pegasus to  spy on civil society targets that are neither terrorists nor criminals. This case adds to the large  number of other cases of abuse of Pegasus worldwide, which amount to an indisputable  indictment against NSO Group, and its ownership, for their inability or unwillingness to put in  place even the most basic human rights-respecting safeguards. The fact that the targeting we  uncovered happened after the widespread publicity around Apple’s lawsuit and notifications to  victims is especially remarkable; a firm that truly respected such concerns would have at least  paused operations for government clients, like Jordan, that have a widely publicised track  record of human rights concerns and had enacted emergency powers giving authorities  widespread latitude to infringe on civil liberties. 

This case is also noteworthy with respect to failures around Israel’s export control and licensing  regime. NSO Group’s sales are overseen by the Israeli Ministry of Defense, although it is  unclear to what extent human rights considerations are actually factored into granting licences,  if at all. In November 2019, the Israeli government reportedly slashed the number of countries to which NSO Group could sell Pegasus, possibly in response to Apple’s notifications to victims  that included U.S. government personnel. However, that list did not include Jordan, a country  with a problematic human rights history and a known track record of abusing Pegasus to hack  the phone of a woman human rights defender in November 2019, as documented by Front Line  Defenders, Access Now, and verified by the Citizen Lab. 

The targeting of women HRDs merits special attention. Our research, and that of a growing number of others, has documented a disturbing rise in gender-based digital repression  practices. Women are also disproportionately vulnerable to online harms, blackmail and  digitally-related acts of violence or technology-facilitated gender-based violence, especially in  countries where misogyny is pronounced. The impacts of this repression on women are  multifold and severe, such as loss of employment, loss of voice, a negative impact on self-worth and dignity, and harms to physical and emotional wellbeing, among others. As Sarah Sobieraj  writes, “[e]ntering and using digital publics to share work, ideas, opinions, and experiences often comes at a great cost for women” who “bear the brunt of digital hate.”  

As Access Now and Front Line Defenders noted in a previous report regarding the targeting of  women HRDs in Bahrain and Jordan with Pegasus spyware, the impacts for women are  particularly severe, causing women to “live in a perpetual state of fear, become socially isolated  and restricted in their social lives, work, and activism.” Our latest report adds yet another  troubling indicator to the NSO Group file and to the deeply harmful impact that the use of  Pegasus spyware has on women activists. The fact that Jaradat and Journalist A are also both  women journalists compounds and amplifies these concerns. There can be no doubt that NSO Group has become one of the world’s leading purveyors of these harms, and its continued use  will invariably contribute to further discrimimation against women and marginalized groups.  Going forward, further research into the impact of digital repression on women HRDs in the  Global South is critical. Amplifying the voices of women in the Global South targeted by  Pegasus spyware, as well as other forms of digital repression, is important to showing how  severe the impacts of digital repression are–particularly in regions where human rights are  routinely disregarded–and bringing accountability to an industry running wild.

Read Also:

Israel’s NSO Group: Blacklisted in the US and Sued by WhatsApp