Investigative reporter Bradley Hope was named in the Pegasus Project as a journalist whose phone may have been targeted with Pegasus spyware. (Photo: Bradley Hope)

Investigative reporter Bradley Hope: Pegasus spyware revelations a ‘wake-up call for journalists’

Bradley Hope was in Abu Dhabi in 2009, the year the BlackBerry devices overheated. “If you put it next to your face it would almost burn,” he told CPJ in a phone interview. The BBC that year reported that a UAE telecom company had prompted local BlackBerry owners to install a rogue surveillance update disguised as a performance enhancement, accidentally sending phones into overdrive.  

“I’ve had many experiences of these – sometimes clumsy – surveillance attempts,” Hope said.   

More recently, Hope may have been singled out for more sophisticated surveillance. A veteran newspaper reporter specializing in complex international stories, Hope was identified by the Pegasus Project, an investigative collaboration, as one of nearly 200 journalists potentially targeted by clients of the Israel-based technology company NSO Group, which manufactures Pegasus spyware to help governments and law enforcement secretly infiltrate cellphones.

The Guardian, which contributed to the Pegasus Project, reported that a client believed to be the UAE began selecting Hope’s phone number for possible surveillance while he was working for The Wall Street Journal in London in early 2018.

Hope has since left the Journal to launch his own investigative project with his reporting collaborator Tom Wright. It’s dubbed Project Brazen, he said, after the codename the pair used while uncovering a corruption scandal implicating former Malaysian Prime Minister Najib Razak in the embezzlement of funds from the 1Malaysia Development Berhad (1MDB) company. That investigation became the focus of their September 2018 book, “Billion Dollar Whale,” a story that led them to conspirators in the UAE.  

Hope spoke to CPJ about the press freedom implications of the Pegasus Project’s list – which also includes some of slain Saudi journalist Jamal Khashoggi’s close associates. Khashoggi’s violent 2018 death features in Hope’s second book, “Blood and Oil,” on Saudi Crown Prince Mohammed bin Salman, whom the CIA has concluded ordered the journalist’s murder.

This interview has been edited for length and clarity. CPJ asked NSO Group to comment on Hope’s remarks; in an emailed statement, a spokesperson said “any claim that a name on the list was necessarily related to a Pegasus target or Pegasus potential target is erroneous and false. NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” The company has told CPJ that it investigates credible claims of misuse made against its vetted clients.

CPJ emailed requests for comment to the Saudi Center for International Communications under the media ministry; the UAE’s ministry of foreign affairs and international cooperation; and the Chinese ministry of foreign affairs but received no responses before publication.

How did you learn you were on the list that is the focus of the Pegasus Project?  

The Guardian contacted me and let me know that I was a target. We did some forensic analysis of my current phone which was considered clean. I was changing my phone frequently when I was a reporter at The Wall Street Journal – I was not particularly worried about the UAE, but more concerned about other characters in the 1MDB case who have a lot of money and a lot of reasons to try and sabotage our reporting. I used best practices to avoid this kind of risk, so if it’s true that they infiltrated a phone of mine, it would have been for a short period.

I was disappointed on one level. I try and have a relationship with all parties that I’m covering, even people that hate my coverage. I always try and [let] them put their point of view. I don’t rush them at the last minute, I give them more time than you would think to respond to anything. I would hope that the UAE would continue to engage me at that level rather than resorting to black ops techniques.

In a way I was surprised that it was NSO software that was allegedly used. They had been briefing many journalists – some that I know – saying that this software couldn’t be used on U.S. or U.K. numbers. I’ve seen in the press recently that they referred only to U.S. numbers, but I’ve heard that they disable its use against U.K. numbers [like the one Hope was using at the time]. I’ve never been a fan of this kind of software but [that idea] was some tiny bit of reassurance.

I wasn’t worried about NSO, I was worried about [actors] that are not well known that have similar software or employ hackers. When it turned out to be the most well-known company – that was surprising.      

Jamal Khashoggi, whose associate Omar Abdulaziz was targeted with Pegasus spyware, features prominently in “Blood and Oil.” Were you surprised to learn that more of his connections, including his fiancée Hatice Cengiz, were also listed?

From the perspective of people like myself, in America or Europe, he was a Saudi commentator writing opinion pieces. From the perspective of Saudi Arabia, he was a traitor for a variety of reasons. So knowing that, I’m not surprised that they would be trying to find [proof] that he was working for other countries.

The classic technique to find out about someone is to go through family members. In this case they might have been targeted after he was killed. It would be partially because they’re trying to understand what countries are working with those family members to elevate that story or whether his family members were being paid or anything like that – evidence for what they believe to be true. 

What were you working on yourself?

I was doing some reporting that would have been viewed in Abu Dhabi by some parties as problematic. We wrote a series of stories [for the Journal] about the UAE’s main conspirator in the 1MDB scandal. That would likely be very annoying for different parties in the UAE.

The fact-checking part of [“Billion Dollar Whale”] was the culmination of all that, where we really laid out all the damaging things we had found. That would have been reason for somebody in the UAE potentially to put my phone number on a list because they’d be wanting to know, “Who are the sources for this journalist?” They’d be wondering what other country was supplying this information – even though it was never the case, many people in the government would think that way.  

After the prime minister of Malaysia was voted out of office, all these documents were released [including] talking points between China and the Malaysian government. Chinese officials offered to penetrate [“Billion Dollar Whale” co-author] Tom [Wright]’s devices and do physical surveillance of him in Hong Kong, where he lived at the time. Another time when Tom was reporting in Malaysia, a source close to the bad guy called us and said they were thinking about arresting him and he had to escape through Singapore very rapidly.

I never once really worried about physical threats in my career particularly because I was an American journalist at a major international newspaper. But cybersecurity [threats] I was always afraid of, and things like [the Pegasus Project], they kind of highlight it.   

[Editor’s note: In January 2019, Hope and Wright reported in the Journal that a Chinese domestic security official had established “full scale residence/office/device tapping, computer/phone/web data retrieval, and full operational surveillance,” in order to “establish all links that WSJ HK has with Malaysia-related individuals.” Neither that official nor the Chinese government information office responded to their requests for comment at the time.]

Where were you at the time you could have been targeted, and how does that factor into the risk of surveillance?

I would have been mostly located in the U.K. [with a U.K. number] at that time. I didn’t travel to the Middle East. If I was in the country, it would be a lot easier to insert something [on the device].

In many countries in the world – Gulf countries, countries in Asia like China – there is no safe way to travel there with any of your technology. If you’re doing reporting in those places you have to leave everything behind and not log into anything while you’re there. I would bring a new phone. [When you leave] you have to assume that everything you’ve taken with you is no longer usable. You have to have a temporary set of equipment. 

If you’re reporting on anything that relates to the leadership of those countries, I would argue it’s too dangerous to do any reporting on the ground [if] you’re not comfortable leaving a trail. It would be very hard to ask people in those countries [questions] about the leadership. It’s a funny situation. If you’re the Saudi bureau chief you’re actually restricted in what you could find out. The best place to report on the UAE, Saudi Arabia for example, would be London.  

[Those] Middle Eastern countries [that] are not developing tools themselves are having to go and buy them which increases the risk to them of being exposed. In China we hear all the time about Chinese hacking initiatives, mostly through U.S. federal lawsuits that name and shame them, explaining what they did and who they hacked within America. We don’t hear about them buying the software because they develop it all within China.

The Gulf states are essentially buying those things – everything from intelligence work to cyber intrusion, and that’s much easier to get exposed, whereas China is much better at keeping a tight lid on what’s going on in China.

What does this mean for journalists?

The arms race for intrusion is so profound, there’s no real stopping it. There’s always going to be someone out there with this kind of equipment. It’s a wake-up call for journalists. We love our phones, all this high-tech stuff, using Signal – but there’s no way to protect yourself enough.

The toolbox for journalists has to change. I hope that Apple and others take up the challenge to make phones more secure, but ultimately if you’re dealing with any story where someone’s life is at risk, you have to go lo-fi and take really annoying, time-consuming steps to protect people – meeting people and leaving your phone behind. Giving your source an old-fashioned pay-as-you-go phone that you only use to plan the meeting. Tools like Signal have been such a boon for journalists, but if your phone itself is vulnerable it doesn’t help.