The report, released on Sunday by Citizen Lab, a research unit at the University of Toronto specializing in cybersecurity, alleged that the phones belonging to the employees of the Qatar-based media network, including journalists, producers, anchors, and executives, had been compromised and hacked with “an invisible zero-click exploit in IMessage” in July and August this year.
NEW REPORT “The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage “Zero-Click Exploit” by @citizenlab @billmarczak @jsrailton @nouraaljizawi @sienaanstis @RonDeibert: https://t.co/Z8FVRaePHB
— Citizen Lab (@citizenlab) December 20, 2020
The exploit allowed the perpetrators of the attack, which Citizen Lab, “with a medium degree of confidence,” blamed on “government operatives” from Saudi Arabia and the United Arab Emirates, to infect the phones with spyware without the journalists having to click on malicious links themselves.
In its report, Citizen Lab said that the clandestine techniques employed in the attack “were sophisticated” and therefore “difficult to detect,” since the “targets” were often unaware of anything suspicious going on.
The hack might have remained undetected this time as well, were it not for the network’s Arabic language channel reporter Tamer Almisshal, who sounded the alarm that his phone might have been spied-on and let the researchers monitor his online traffic starting from January 2020. Several months after, in July, the researchers saw his personal phone visiting a website where it got infected with NSO’s group Pegasus spyware without Almisshal’s ever clicking on the link.
The discovery has prompted a wide-ranging search for possible other victims among Al Jazeera staff, eventually leading to Citizen Lab and the channel’s IT unit identifying a total of 36 personal phones that had been successfully targeted by the “four NSO group operators.” One of them, who the group nicknamed “Monarchy,” allegedly tapped into 18 phones, while another one – dubbed “Sneaky Kestrel” – spied on 15 phones.
The group said that it believes “Monarchy” was acting on the marching orders from Riyadh, since it “appears to target individuals primarily inside Saudi Arabia,” while “Sneaky Kestrel” focused on those journalists who were “primarily inside UAE.”
The researchers said that the security loophole that facilitated the hack was closed with the IOS 14 update released in September, but noted that, until then, it had likely been taken advantage of on a large scale.
We suspect that the infections that we observed were a miniscule fraction of the total attacks leveraging this exploit
Apple, for its part, appeared to throw weight behind Citizen Lab’s allegations of a state-sanctioned hack, saying that the reported attack “was highly targeted by nation states,” but noted that it could verify the findings of the report.
The Israeli group told The Guardian it would “take all necessary steps,” if it is provided with “credible evidence” that its spying tools were abused.
It’s not the first time the producer of Pegasus spyware kit finds itself in the spotlight in connection with allegations that its tech was used against reporters. Amnesty International reported in June this year that an award-winning Morocco-based journalist Omar Radi fell victim to the same spyware in an attack strikingly similar to the one described by Citizen Lab.
Last year, WhatsApp confirmed that dozens of Indian lawyers, journalists, and rights activists were among 1,400 users affected by the snooping software.
Despite the perpetual controversy surrounding the NSO group, an Israeli court in July sided with the firm and the Israeli Ministry of Defense in a case brought by Amnesty International, which demanded a ban on international sales of the software.