RWANDA: Victim Of Private Spyware Warns It Can Be Used Against US

Carine Kanimba speaks during a House Intelligence Committee hearing on Commercial Cyber Surveillance, Wednesday, July 27, 2022, on Capitol Hill in Washington. Kanimba and technology experts urged Congress to oppose the use of commercial spyware in the U.S. and discourage investment in spyware that has been used to hack the phones of dissidents, journalists, and even U.S. diplomats. John Scott-Railton, senior Researcher Citizen Lab, center, and Shane Huntley, Director, Google Threat Analysis Group, right, listen. (AP Photo/Mariam Zuhaib)

BY NOMANN MERCHANT

WASHINGTON (AP)
— Months after her father was lured back to Rwanda under false pretenses and jailed, Carine Kanimba discovered her own phone had been hacked using private spyware.

Kanimba is the youngest daughter of Paul Rusesabagina, who is credited with saving more than 1,200 lives during the 1994 Rwandan genocide in a story that inspired the movie “Hotel Rwanda.” An opponent of Rwandan President Paul Kagame, Rusesabagina is now serving a 25-year prison sentence on charges that he has dismissed as politically motivated.

Researchers have alleged Pegasus was used to spy on Kanimba and her cousin as Rusesabagina’s family was advocating for his release from Rwanda, which received $160 million in foreign aid from the United States in the last budget year.

“Unless there are consequences for countries and their enablers which abuse this technology, none of us are safe,” she told the House Intelligence Committee on Wednesday.

Kanimba and technology experts urged Congress to oppose the use of commercial spyware in the U.S. and discourage investment in spyware that has been used to hack the phones of dissidents, journalists, and even U.S. diplomats.

Pegasus infiltrates phones to control their camera and microphone and siphon off data without requiring the user to click on a malicious link. It is part of a burgeoning international market for states to acquire cyber tools that were once available only to the most technically advanced governments. Researchers at Google have identified at least 30 vendors selling “zero click” exploits or other spyware.

NSO Group says its software can’t be activated against phone numbers with a U.S. country code unless used by an American agency. But there are several documented reports of American officials and citizens having their data captured by Pegasus.

One committee member, Rep. Jim Himes, D-Conn., suggested that off-the-shelf spyware felt “like a very serious threat to our democracy and to democracies around the world.” Himes questioned whether spyware could be deployed from another country against American officials and he criticized companies that invest in it.

Among the investors in a private equity firm that held majority ownership of NSO Group were the Oregon state employee pension fund and the Alaska Permanent Fund Corporation.

U.S. officials and many lawmakers in both parties are concerned about foreign interference in future elections and the prospect of Americans trying to overturn a lawful vote by force.

“Nobody, not Mike Pence, not Nancy Pelosi, not Kevin McCarthy ... are immune from having their most private deliberations watched,” Himes said. “And that may be just enough to interfere in our elections, just enough to end our democracy.”

U.S. law enforcement and intelligence agencies have long been in the market themselves for ways to hack into phones.

The Biden administration last year imposed export limits on NSO Group and three other firms. But the FBI has acknowledged buying a license for Pegasus for what it said was “product testing and evaluation only.” While spyware companies make huge profits in the Middle East and Europe, it is American business and investment that “legitimizes what they’re doing,” said John Scott-Railton, senior researcher at Citizen Lab, which has long studied how the programs work.

“Doing business with the U.S. government, getting acquired by a U.S. company or even doing business with an American police department is the golden price for many in the spyware industry,” he said. “As long as that remains as a possibility for problematic actors, they’re going to get support from investors.”

The committee is pushing U.S. spy agencies to “decisively act against counterintelligence threats posed by foreign commercial spyware,” according to the public version of its latest bill authorizing intelligence activities. The bill, which has not yet been voted on by the full House, proposes that the director of national intelligence “may prohibit” individual U.S. agencies from acquiring or using foreign commercial spyware.

But the bill would also allow any intelligence agency chief to seek a waiver from the director if the waiver “is in the national security interest of the United States.”

In a statement, NSO Group noted that the discussion over spyware “at times lacks balance (by) intentionally omitting their lifesaving benefits.”

“NSO reiterates that it thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found,” the company said. “Nonetheless, it is critical to consider the benefits and alternatives to these critical technologies.”

Kanimba testified that she was alerted last year by a collective of journalists working with Citizen Lab and Amnesty International that there was reason to believe that she had been spied on. A subsequent forensic analysis of her phone revealed that she had been targeted by Pegasus spyware, she said.

She said the surveillance was triggered as she walked with her mother into a meeting with Belgium’s minister of foreign affairs – Rusesabagina holds Belgian citizenship and U.S. residency – and was active during calls with the State Department and with the office of the U.S. government’s special presidential envoy for hostage affairs.

Her family lives in San Antonio. Democratic Rep. Joaquin Castro, a committee member who represents that city, noted that his office’s communications may have been captured by Rwanda because he was advocating for Rusesabagina’s release.

Rwanda denies using Pegasus. Its embassy in Washington said in a statement Thursday that its response “has not changed regardless of who raises them.”

“These are politically motivated allegations aimed at undermining Rwanda’s judicial system and sowing disinformation,” the embassy statement said.

Rusesabagina was sentenced for terrorism offenses related to his alleged links to the armed wing of his opposition political platform. Rusesabagina has denied supporting violence and called the verdict a “sham.”

___

Associated Press writer Eric Tucker contributed to this report.

Comments