This is a joint report between Red Line for Gulf and The Citizen Lab.
Key Findings
- Our forensic analysis confirms that phones belonging to three individuals in Bahrain were hacked in 2021 with NSO Group’s Pegasus spyware. Two have consented to be named.
- One target, Mohammed Al-Tajer, is a prominent Bahraini lawyer, who was previously hacked with FinFisher spyware and blackmailed in an operation linked to the Bahraini government in 2011.
- Al-Tajer’s phone was hacked on September 2, 2021, approximately one week after a previous report by Red Line for Gulf and the Citizen Lab on the hacking of Bahraini activists’ devices.
- Dr. Sharifa Siwar is an exiled Bahraini psychiatrist who accused a member of the Bahrain Royal Family of being involved in a scheme to distribute medications for recreational use to schoolchildren.
- Journalist A, hacked in September 2021, received a notification from Apple in November 2021 that their device was targeted by government attackers, as did Al-Tajer.
Victim: Mohammed Al-Tajer
Mohammed Al-Tajer is a lawyer known for being outspoken about human rights violations in Bahrain, and for defending political prisoners and activists. Al-Tajer was the president of the Bahrain Human Rights Observatory, a human rights coalition inside Bahrain. Al-Tajer was targeted with FinFisher spyware in 2011 when he received a CD containing a video of himself and his wife recorded from a hidden camera in his beach house. His computer was infected with FinFisher around the same time he received the CD.
Al-Tajer’s wife, Dr. Huda, was detained for her activism during the 2011 uprising for providing medical aid to injured protesters. Ultimately, Al-Tajer did not accede to the blackmail demands, and the video was circulated online on pro-government forums and social media accounts.
Al-Tajer has had a long career in defending opposition figures and human rights activists in Bahrain. He was arrested and tortured during a 2011 crackdown on Bahrain’s opposition, and he has been repeatedly attacked by pro-government journalists due to his participation in human rights events, as well as his political activities, which include advocating for a UK-style constitutional monarchy in Bahrain.
The Hacking of Mohammed Al-Tajer
Our analysis of Al-Tajer’s iPhone 11 Pro Max showed that the phone had been hacked with NSO Group’s Pegasus spyware at least three times in September 2021, starting on September 2, 2021 and ending on September 27, 2021. Al-Tajer’s phone was hacked while running iOS 14, and the phone does not appear to have been hacked after he updated it to iOS 15.0.2 in October 2021. Evidence of the hack on Mohammed Al-Tajer’s phone included records showing that three processes were run on the phone in September 2021 that we link to NSO Group’s Pegasus spyware with high confidence.
Date of Hacking | Evidence |
---|---|
On or around 2021-09-02 | [redacted process name] observed running on the phone |
On or around 2021-09-15 | [redacted process name] observed running on the phone |
On or around 2021-09-27 | [redacted process name] observed running on the phone |
In response to the hack, Al-Tajer told Red Line for Gulf and the Citizen Lab:
I am shocked by the news of the recent hack; it came at the time of me grieving my mom who just passed away. But what saddened me more is to discover that after all of the years of my career as a lawyer, there was nothing I could have done to protect myself from a zero-click hack. The state can hack into your device and gain access to all of your personal information, work information, financial information, emails, and personal and family photos. All of that information is exposed to those who hacked me.
It is distressing that in Bahrain, which always claims to protect freedom, you don’t have any privacy or protection. All of the data inside the device is leaked now. My main question is, why did they hack me? Does the agency who hacked my device have the authority to do so? Or should it be forbidden, like the state criminalizes others who violate privacy? Recently the government is punishing those who take videos of car accidents or publish pictures without permission. Now all of my pictures and videos are hacked by the government. I used to be the head of the Bahrain Human Rights Observatory, and used to participate in sessions of the UN Human Rights Council. But, now, I don’t have any ongoing human rights activities, I am only focusing on my career as a lawyer. That’s why I don’t understand why they hacked into my device? What information do they need? What reason can they use to justify the hack? The worst and most harmful thing is you feel you are not secure, that instead of your phone being your friend, it is now your enemy. You don’t know what information is private, and what is already exposed to the state. This is painful.
Victim: Dr. Sharifa Siwar
Dr. Sharifa Siwar is a psychologist currently seeking asylum in the UK.
In March 2019, Dr. Siwar conducted an Instagram Live interview with a school student reportedly expelled for dealing Lyrica, a prescription anti-anxiety medication that is sometimes abused to produce a “relaxed and euphoric” high. The student said that she was part of an organized drug-dealing group in Hamad Town Intermediate Girls School. Dr. Siwar said that “powerful people” were implicated in the drug dealing. Bahrain Mirror later revealed that Dr. Siwar was referring to the King’s fifth son, Khalid bin Hamad Al Khalifa.
Bahrain’s then Prime Minister announced an investigation into Dr. Siwar’s allegations. The investigative report stated that the Lyrica incident was isolated, and that Dr. Siwar was guilty of slander and defamation. Dr. Siwar was sentenced to a year’s imprisonment in the case.
Dr. Siwar also faced other allegations: a pro-government newspaper announced that she would be charged with “covering up a rape,” and she was sentenced to a year in prison for reportedly providing Panadol (a medicine similar to Tylenol) to a mentally ill teenager.
Although Dr. Siwar was pardoned by Bahrain’s King in May 2021 after spending several months in prison, the prosecution re-introduced the same case in court again in November 2021. When she was summoned in the case, she fled to the UK and sought asylum. Further, in January 2022, the Ministry of Interior’s General Directorate of Anti-Corruption and Economic & Electronic Security began legal action against Dr. Siwar after several individuals complained that Dr. Siwar’s Instagram video had defamed them. The Directorate also accused Dr. Siwar of practicing medicine without a license, defaming employees of a ministry and spreading false information during her court hearing.
The Hacking of Dr. Siwar
Dr. Siwar’s iPhone was hacked with Pegasus on June 10, 2021, while she was still in Bahrain. The hack took place one month after she was pardoned by the King. Evidence of the hack on Dr. Siwar’s phone includes records showing that a process was run on the phone in June 2021 that we link to NSO Group’s Pegasus spyware with high confidence.
Date of Hacking | Evidence |
---|---|
On or around 2021-06-10 | Process “fservernetd” observed running on the phone |
In response to the hack, Dr. Siwar told Red Line for Gulf and the Citizen Lab:
I was shocked by the news, especially as I was pardoned in May 2021, and the hack happened in June 2021 which is less than a month after my release when I thought I would finally be free.
I was already under the stress of being a top target of the authorities, and I was fearful of my safety and the safety of those who communicated with me. It was no surprise that even after my pardon, the same case was reopened and filed against me in the court for the second time. Knowing for a fact that I was hacked put me under huge stress and emotional pressure, and I am fearful of what they might do to me in future.
Hacking of Journalist A
Journalist A, who prefers to remain anonymous, is active in broadcasting news about ongoing protests and events in Bahrain’s pro-democracy movement. Journalist A is a well-known and trusted source among many activists inside Bahrain.
Our analysis of Journalist A’s iPhone 6s Plus shows that it was hacked with NSO Group’s Pegasus spyware on September 20, 2021. Evidence of the hack on Journalist A’s phone includes records showing that a process was run on the phone in September 2021 that we link to NSO Group’s Pegasus spyware with high confidence.
Date of Hacking | Evidence |
---|---|
On or around 2021-09-20 | [redacted process name] observed running on the phone |
In response to the hack, Journalist A told Red Line for Gulf and the Citizen Lab:
Knowing that your device is hacked and monitored by untrusted eyes makes you feel how insecure the situation is for you and for all of those who are in touch with you. Hacking into citizens’ devices is not a solution but instead complicates existing problems. The solution is to end all the problems by respecting basic human and civil rights.
Attribution to Pegasus
We attribute all three cases to NSO Group’s Pegasus spyware with high confidence, because all of the hacks contain indicators that we associated with Pegasus with high confidence. Citizen Lab research first discovered traces of Pegasus in Bahrain in 2017, notably several years before Bahrain and Israel had normalized relations.
Conclusion
Bahrain has a long history of brutal political repression and authoritarianism. Although the country is governed under a constitutional monarchy, in practice all political power is controlled by the ruling family. Civil society has been stifled and silenced over many years by the routine practice of torture, arbitrary arrests, and aggressive policing of political opposition and dissent.
As is the case with many other authoritarian regimes, particularly in the Gulf region, Bahrain undertakes extensive information controls that include Internet censorship and mass and targeted surveillance, often implemented by or outsourced to private companies. Prior Citizen Lab research has shown that Bahrain employs the services of the Canadian company Netsweeper Inc. to censor access to banned content, and has contracted with several different mercenary spyware firms, including Hacking Team, FinFisher, and NSO Group, to undertake targeted political espionage against regime critics and human rights defenders. Bahrain has also used technology from Cellebrite to prosecute a torture victim. One of the victims identified in this report was hacked at least twice using two different spyware technologies: once in 2011 with FinFisher, and then again ten years later with NSO Group’s Pegasus.
The discovery that Bahrain has used Pegasus to hack the devices of individuals involved in the political opposition should therefore come as no surprise. That a victim’s device was hacked a mere one week after our prior publication of the abuse of Pegasus in Bahrain underscores just how recklessly the regime’s security services employ spyware, seemingly without concern for repercussions. Barring any unlikely shift in regime behaviour, Bahrain will surely continue to use surveillance technology in the service of domestic and transnational repression, as it has done consistently for well over a decade.
NSO’s failure to act on proven Pegasus abuses
NSO has claimed “Whenever a suspicion of a misuse arises, NSO investigates, NSO alerts, NSO terminates. NSO is proud to prove its commitment to protect human rights.”
This case proves that the opposite is true: NSO had clear evidence of abuses in Bahrain, yet they neither alerted these victims, nor terminated the customer. Selling hacking tools to an authoritarian regime with such a notorious track record was irresponsible. Enabling them to continue hacking despite publicly documented abuses was unethical.
Even minimal good faith due diligence by NSO Group prior to selling spyware to Bahrain would have uncovered the gravest of concerns about the likelihood of abuse. Nevertheless, the sale was made despite nearly a decade of evidence that Bahrain is a serial spyware abuser. This case dramatically underscores both NSO Group’s failure to halt repeated misuse of its technology, and the continued failure of Israel’s export control regime to prevent even the most predictable abuses.