The Israeli spyware firm NSO Group destroyed the life of Hanan Elatr, the wife of murdered journalist Jamal Khashoggi, forcing her to live in fear and isolation, never able to safely return to, or even visit, her family in Egypt or have a normal life, according to a lawsuit filed Thursday.

The lawsuit, filed in the U.S. District Court in the Eastern District of Virginia where Elatr lives and works as she awaits approval of her request for political asylum, asserts that NSO infected her cellphone with the Pegasus software to spy on him. It asks for unspecified damages.

The lawsuit relies heavily on facts uncovered in 2021 by an international consortium of news outlets that included The Washington Post and was led by Paris-based Forbidden Stories that detailed Pegasus’s use against journalists, politicians and dissidents. The lawsuit also cites pioneering forensic work by Citizen Lab at the University of Toronto and Amnesty International’s Security Lab.

Efforts to reach NSO Group for comment were unsuccessful. NSO has said it developed the spyware to track criminals and terrorists, but reporting showed that it was often deployed against opposition political parties, human rights activists and even disloyal family members.

NSO Group’s former chief executive Shalev Hulio has previously denied that the company’s spyware was used to monitor Elatr’s phone or was linked to Khashoggi’s murder in Turkey. “It has nothing to do with this horrible murder,” he said of the spyware.

Elatr was a flight attendant for Emirates Airlines when she and Khashoggi became close, and he proposed to her in April 2018. By then he was a world-renowned critic of Saudi Crown Prince Mohammed bin Salman and had left Saudi Arabia and taken refuge in the United States, where he contributed columns to The Washington Post. He knew to be careful with his electronic devices, Elatr and other associates have said.

After Khashoggi’s October 2018 murder and dismemberment inside the Saudi Consulate in Istanbul, Elatr, now 54, was put under house arrest in Dubai, lost her job of 20 years and went into hiding for 17 months in the United States, living with acquaintances in Northern Virginia. She now works at a local hotel but tries to keep her identity hidden.

By spying on Elatr, the lawsuit alleges, NSO Group violated federal and Virginia anti-hacking laws that make it illegal to hack a cellphone or computer without legal authorization or the owner’s consent. Beyond that, the lawsuit says, NSO spyware “caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career.”

“She lives in a state of constant hyper-vigilance, unable to safely participate in social activities, constantly looking over her shoulder,” the suit claims.

NSO Group faces several other lawsuits over the use of its spyware against journalists, lawyers and political activists in other countries. Facebook parent company Meta has sued NSO for allegedly hacking the WhatsApp app, which it also owns. Apple also has sued NSO.

In the WhatsApp case, NSO argued that it was immune from prosecution because it was acting on behalf of sovereign governments; the sale of its spyware must be approved by the Israeli Defense Ministry and is sold only to foreign governments. But the court rejected that position, and the U.S. Supreme Court refused to take up NSO’s appeal.

Hulio, who stepped down as CEO last year, also has asserted previously that the company vets the behavior of every potential client before approving a sale but that it does not know who its clients target with the spyware. That argument, however, is a contradictory one, said Annie E. Kouba, an attorney at the Motley Rice law firm that is representing Elatr. “It’s just not an argument they can have both ways,” she said.

The suit alleges that NSO was negligent in repeatedly selling its Pegasus spyware “to clients that were widely known to violate human rights and do harm to dissenters.”

Several months after The Post published the Forbidden Stories series, the Biden administration added NSO Group to the Commerce Department’s Entity List, saying its operations were counter to American interests. The designation prohibited U.S. companies from exporting hardware or software of any kind to the company. Because NSO Group requires the prior approval of the Israeli Defense Ministry for its sales, the move was seen as an unusual rebuke to the Israeli government. But the lawsuit asserts that NSO still paid more than $1 million to public relations companies and law firms in the United States in 2022.

The CIA determined that Mohammed ordered Khashoggi’s murder, but the limits of the Biden administration’s willingness to act against Saudi Arabia, a long-standing ally and major supplier of oil, came in November 2022 when it ruled that Mohammed, as head of a foreign government, was immune from a lawsuit filed by another woman close to Khashoggi, his Turkish fiancée Hatice Cengiz.

Elatr’s suit is different, however, because she is targeting the company that made and sold the spyware, not the country that used it. Also, unlike Cengiz, she was married to Khashoggi in an Islamic ceremony in Virginia and had shared an apartment with him in Fairfax County in suburban Washington before his murder.

One December evening in 2021, Hanan learned definitively that NSO had hacked her cellphone. Bill Marczak, a cybersecurity expert at Citizen Lab who had been analyzing her devices, told her via Zoom that he not only had found traces of NSO spyware but that he could see that a human had typed in the name of a known NSO website used to infected devices.

The time stamps corresponded to the day and hour that United Arab Emirates authorities had detained Elatr at the Dubai airport and confiscated her devices after she arrived on a routine work flight.

Marczak could see, he told her, that someone in possession of her cellphone had made several mistakes typing in the website’s letters, then backspaced and typed them correctly.

Marczak said he could see her Android device trying to install Pegasus, but he could not determine whether the spyware had successfully infected the phone, which would enable Pegasus to steal its contents and turn on its microphone. But, he added, the UAE operator did not type the website address in a second time, which would be expected in the event of a failed first attempt.

“We found the smoking gun on her phone,” Marczak told her lawyer and a Washington Post reporter seated next to her.

Elatr was visibly shaken by the news. She gasped, covered her mouth and stared blankly at the table. “They got to him through me,” she said after a long pause.

She has been racked by guilt ever since, she says. She still does not socialize, avoids telling her co-workers much about herself and has not made any friends in the three years she has been trying to make a life in the United States.

“I hope to achieve justice for Jamal and for me,” Elatr said Thursday. “It did destroy my life. I’m the living victim.”

This post appeared first on The Washington Post

Comments are closed.