Rwanda has been linked to a series of wiretapped conversations of top Ugandan officials, according to a recent global reporting investigation, the Pegasus Project, published by the Organised Crime and Corruption Reporting Project (OCCRP).
The OCCRP issued a detailed report on Monday indicating how Rwanda wiretapped on various phone conversations of Uganda's top officials including ex-Prime Minister Ruhakana Rugunda and former Foreign Affairs Minister Sam Kutesa.
The report alleged that Israeli-made spyware was also used to monitor phone conversations of director-general of External Security Organisation (ESO) Joseph Ocwet.
Relations between Rwanda and Ugandan have recently become soiled by counter-accusations of espionage and engaging in activities to destabilise each other.
Ugandan recently deported several top telecommunications officials including a Rwandan national, accusing them of compromising its national security.
The diplomatic spat between Rwanda and Uganda has been played out in recent years on social media as high-level officials of the two governments trade accusations over the genesis of the conflict.
“Among the Ugandans on the [wiretapping] list, OCCRP has identified numbers belonging to long-time senior Cabinet member Sam Kutesa, former [Chief of Defence] Forces General David Muhoozi, senior intelligence officer Joseph Ocwet and leading opposition figure Fred Nyanzi Ssentamu. The selection [of the telephone numbers for tapping] coincided with a visit by Kagame to Uganda,” the report revealed.
The list of selected numbers also shows the Kagame government may have used Pegasus to target high-ranking political and military figures in neighboring countries.
Several numbers for high-profile figures in Uganda, Burundi, and the Democratic Republic of Congo (DRC) feature in the data. Rwanda has had frosty relations with these neighbors over the years. It has sponsored armed groups in the east of DRC, criticized Uganda for harboring anti-RPF militias, and been accused by Burundi of plotting to overthrow its president.
How Pegasus works
Like many private spyware companies, NSO Group’s stock in trade is so-called “zero-day exploits” — previously undiscovered flaws in commercial software that can allow third parties to gain access to devices, such as mobile phones.
Pegasus and other top tools enjoy a particular strength: They are often able to infect devices silently, without the user even having to click a link.
Though it’s one of the bigger players on the market, with over 750 employees and annual revenues of over $250 million, NSO Group is just part of a broader spyware landscape.
“In order to bypass [encrypted messaging] you just need to get to the device at one or the other end of that communication,” said Claudio Guarnieri, head of Amnesty International’s Security Lab. Pegasus does just that. “Pegasus can do more [with the device] than the owner can. If Signal, for example, encrypts the message… [an attacker] can just record using the microphone, or take screenshots of the phone so you can read [the conversation]. There is virtually nothing from an encryption standpoint to protect against this,” the report revealed.
Such tools have given governments the edge amid the widespread adoption of encrypted messaging applications, such as WhatsApp and Signal, which otherwise supposedly allow for users to communicate beyond the reach of state surveillance.
Once devices are successfully compromised, however, the contents of such apps become readily available, along with other sensitive data like messages, photographs, and calls.
Meanwhile, the ubiquity of mobile phone cameras and microphones means they can be easily accessed by spyware clients as remote recording devices.