The telephone number of an intelligence officer at the Special Service for National Security (SSNS), which conducts secret surveillance and interceptions, also appears in the list of Pegasus spyware targets, a Direkt36 investigation has found. The phone number is used by a person who has worked at SSNS in the technical field and appears to be still working there. His directorate handles, among other things, spywares.

However, it is unclear why this SSNS telephone number was selected for targeting. There are two plausible explanations. One is that the intelligence officer himself became a target for some reason. The other is that Pegasus is operated by SSNS and it was only installed on the employee’s phone for testing purposes. Both explanations further reinforce previous information that Pegasus is used against Hungarian targets by Hungary’s government agencies.

As the Hungarian partner of an international consortium of journalists called Pegasus Project, Direkt36 reported back in July that Hungarian journalists, media company owners, lawyers, opposition politicians and government officials were or could have been surveilled with the Israeli spyware. The investigation was based on a leaked database of 50,000 worldwide telephone numbers. The list includes more than 300 telephone numbers from Hungary, which were selected for surveillance by the Israeli company manufacturing Pegasus, NSO Group’s customers. This database was jointly obtained by Forbidden Stories, a Paris-based network of journalists, and international human rights advocacy organization Amnesty International, and then analyzed by the 17 media outlets involved in the project, including Direkt36.

One of the most important parts of this analysis was identifying the users of these phone numbers. Direkt36 and the international team of journalists were able to assign names to the leaked phone numbers using different tools and methods, including CallApp, an open-source Internet phonebook application.

Like NSO’s Pegasus, CallApp was also developed in Israel. CallApp’s service is based on the fact that many phone users around the world share their phonebook with different apps (think about how many messaging apps request access to your phone’s contact list). Among other methods, this is how CallApp and other similar applications collect telephone number data. Over the years, CallApp has amassed a constantly expanding database of more than 3 billion phone numbers from more than 60 sources.

We were able to identify the telephone number associated with the SSNS officer because it was saved in someone’s contact list with the real name of the intelligence officer and the Hungarian abbreviation of his position (’ov nbsz tech elh’) and then added to CallApp’s database. The abbreviation apparently refers to the user of this number as the head of the technical counter-surveillance department at SSNS.

Direkt36 then managed to confirm through retired Hungarian intelligence officers that the phone number indeed belongs to this SSNS officer. This intelligence officer, whose name we do not publish due to privacy reasons, works in a technical position at SSNS, but we do not know his exact position at the time of his selection as a target.

Eventually, we called the phone number. After this person introduced himself by the name we already knew, we told him the reason of our call and that, to the best of our knowledge, he was an employee of the intelligence service. He responded by saying that if all this is indeed the case, we can understand why he cannot answer our questions. Above all, we wanted to find out from him why his phone number ended up in the leaked database, but he didn’t want to comment on that either.

According to the website of SSNS, technical counter-intelligence belongs to the Technical Intelligence Directorate. In addition to technical counter-intelligence, this directorate is responsible for the “surveillance and recording by technical means of what happens in apartments”, “supporting covert research” and “uncovering and recording the content of communications on a telecommunications network and data transmitted by or stored on a computer device or system”. The latter also means operating spyware like Pegasus.

Pegasus is a military-grade cyberweapon only sold with the approval of the Israeli Ministry of Defense, and its users are exclusively government actors, such as law enforcement or intelligence services. There is a lot of circumstantial evidence to suggest that Hungarian phone numbers were targeted with Pegasus by Hungarian government agencies. A retired Hungarian intelligence officer and a former NSO employee both confirmed to the international consortium of journalists that Hungary purchased and used the spyware. Hungary’s government does not deny that they are using Pegasus, nor do they refute the surveillance of individuals reported in Direkt36’s previous articles.

According to former security officers interviewed by Direkt36, there could be several reasons as to why the SSNS officer’s phone became a target. One is that the targeted SSNS employee has either just undergone a routine national security screening or may have committed some suspicious act and has therefore been surveilled. Another possibility, however, is that the intelligence officer’s phone number was used for testing purposes only and Pegasus was tried out on one of the service’s devices. According to several sources familiar with the inner workings of Hungarian security agencies, they keep dedicated mobile phones and phone numbers for spyware and other mobile device testing purposes.

There is of course a theoretical possibility that authorities of a foreign country have tried to spy on the SSNS officer. However, according to the information available on how Pegasus is used, the chances of this are minimal. This is because NSO Group sells this spyware to foreign countries specifically for domestic counterintelligence and law enforcement purposes. For example, sources familiar with the company’s internal affairs told the international consortium of journalists working on the Pegasus Project that NSO customers could only gain access to monitor targets outside their countries for compelling reasons. However, the SSNS officer’s phone number appears in the leaked database next to other Hungarian numbers only.

Neither SSNS, nor the Hungarian government reacted to our requests for comment.

Surveillance on demand

In today’s Hungary, state surveillance and interceptions are typically carried out by officers of the Special Service for National Security, the ‘Hungarian NSA’. They provide technical and personnel support for secret information gathering, from physical surveillance to bugging homes, hacking phones or computers. At the same time, SSNS does not have its own cases or investigations, as they only support the operations of the police and the various intelligence agencies with their expertise, which commission them for these surveillances.

In practice, requesting surveillance support looks like this: for example, a case officer at the Constitution Protection Office (AH) indicates on a so-called service ticket what type of surveillance (physical surveillance, opening of mail letters, phone tapping, intercepting electronic communications, apartment bugging, etc.) is needed for their operation. According to several former counter-intelligence officers, in theory, clients do not even need to know exactly what tools and technologies SSNS will utilize to fulfill their request. According to them, however, the use of cyber weapons such as Pegasus typically needs to be justified and approved by the leadership of the client agency. This is because the capabilities of Pegasus are much more brutal than the usual tools, and much more expensive too. (Based on previously published contracts of NSO Group’s customers, surveilling a Hungarian target with their spyware can cost $50,000 (15 million HUF) or even more.)

Procurement and operation of spyware similar to Pegasus is the responsibility of SSNS, and there is evidence that they purchased and used similar technologies in the past. When servers of Gamma Group, the developer behind a spyware called FinFisher/FinSpy, were hacked in 2014, the company’s internal emails were published online, revealing that SSNS was an active user of FinSpy. A year later, in 2015, servers of an Italian company called Hacking Team were hacked in a similar way, and data from their clients was also released on the Internet. Based on the leaked contracts, some of the oldest clients of Hacking Team included Hungary’s foreign intelligence agency (Information Office) and SSNS.

FinSpy and Hacking Team’s products were nowhere near as sophisticated as Pegasus. Based on the leaked documents, a former intelligence officer explained that those spywares could only hack a phone or computer if the intelligence agency had physical access to the device, or if the user of the device had inadvertently clicked on a deceptive link or file sent by the agencies. In addition, the spyware’s control interface used in the mid-2010s could only be accessed from an internal, closed system, the source added. This meant that the officers conducting the surveillance always knew the identity of the target, and they were also the ones receiving all data gathered by the spyware.

However, according to the former intel officer, the situation is more complicated in the case of Pegasus. For example, the Israeli spyware no longer requires any action to be taken by the target to infect the phone. This is because a so-called “zero-click attack” occurs, and the spyware is installed on the device virtually automatically and invisibly to the user. However, this also means that it is sufficient for the client agency requesting surveillance to provide only certain metadata (eg telephone number) to the SSNS officers who operate Pegasus. The latter do not necessarily know the target’s real identity. For example, not even if they are assisting in the surveillance of a journalist or opposition politician.

The leaked list of Pegasus targets, including Hungarian phone numbers, does not in itself contain any direct information about who targeted these numbers with spyware and why. The list of Hungarian numbers, on the other hand, shows an extreme variety of targets. Among them, there are convicted criminals, high-ranking government officials, prominent lawyers and opposition politicians. If the Hungarian state really uses Pegasus to surveil targets in Hungary, the list of targets with completely different profiles point to SSNS as the spyware’s operator, as they are the ones who receive all the various surveillance requests from various agencies such as the Counter Terrorism Center (TEK) or the police.

If SSNS indeed operates Pegasus, this does not necessarily mean that they also house the data gathered through surveillance. According to the former intel officer, Pegasus is a so-called on-demand software (or software as a service, SaaS), which means that data is stored centrally and users can access it from anywhere with the right authorization. Thus, it can even be arranged that SSNS would only handle the installation – ie the infection of a telephone – but the incoming information would be processed by a completely different agency and user.

According to the former intel officer, this flexibility of Pegasus also poses a serious risk. As the information gathered can no longer be exclusively accessed by trained and disciplined intelligence officers operating the spyware from inside the headquarters of SSNS, it is more difficult to secure the data. As we reported in our previous article, there is also a strong suspicion that even the Israeli intelligence service may have access to data gathered with Pegasus.

Inquiries at SSNS bring no answers

After the Pegasus surveillances were revealed this summer, several Hungarian opposition politicians began to investigate, including MP Attila Mesterházy, Vice-President of the NATO Parliamentary Assembly. “It is my firm belief that the Hungarian state possesses such software, and in spite of any scandal, its use has not been restricted, so it is still used today,” he told Hungarian weekly 168 Óra. The opposition MP requested a personal meeting with the director-generals of Constitution Protection Office (AH), then later the SSNS, where he asked them about the procurement and use of Pegasus.

Mesterházy told Direkt36 that although the director-generals of these agencies – in line with government communication – did not give concrete, clear answers to his questions, he could only conclude from their replies that Pegasus is indeed used by the Hungarian state, and it is technically operated by SSNS. Mesterházy could not say exactly why he came to this conclusion because he had to sign an NDA before the meetings.

The Hungarian parliament’s national security committee is also investigating the use of the spyware, with little success. Fidesz MPs blocked the first committee hearing on the subject. At the second meeting, opposition MPs received no substantive answers, which were still classified until 2050.

Subsequently, committee chairman János Stummer (Jobbik party) convened an on-site committee hearing at the SSNS headquarters on October 18th. After the meeting, Stummer told Direkt36 that, again, they did not receive sufficient answers, so he tried to initiate a fact-finding investigation. “As part of this, we could have looked at the documents created during the surveillances and interrogated the operators of surveillance, but this initiative was rejected by the committee’s Fidesz majority. So we still don’t know who was spied on by the agency with the permission of Minister of Justice Judit Varga,” he said.

When the Pegasus scandal broke on July 18, Hungarian weekly Magyar Hang contacted Attila Péterfalvi, president of the National Authority for Data Protection and Freedom of Information (NAIH), to find out if he would launch an investigation. Péterfalvi told the paper that he was on vacation, so he would only be able to decide on a possible investigation after his return, weeks later. The paper also asked Péterfalvi whether, given the gravity of the surveillance scandal, it was possible to decide to initiate the procedure earlier, but Péterfalvi “could not answer” that. NAIH finally launched an inquiry on August 5th, but Péterfalvi later told hvg.hu that he would not disclose most of the findings of the investigation, which is expected to end in early November.

Péterfalvi showed up at the on-site committee meeting at SSNS, but according to János Stummer, the president of NAIH did not really show much interest. “Attila Péterfalvi, who launched his own inquiry, also took part in the meeting, but the he did not address any substantive issues to the staff of SSNS during the meeting,” the chairman of the national security committee told Direkt36. We requested a comment from Péterfalvi, but his office said they would not provide any information until their investigation was completed.

Illustration: szarvas/telex.hu