Israeli Company NSO's Pegasus Spyware Used to Hack Middle East Journalists' iPhones

Canada-based Citizen Lab found that 36 journalists' iPhones were hacked by exploiting a "zero-click" vulnerability in Apple's iMessage.

According to a report by Citizen Lab, an internet watchdog from the University of Toronto, dozens of journalists had their iPhones hacked through a known vulnerability in Apple's iMessage that gave hackers "zero-click" access. While the vulnerability has now been fixed, nation-states used it to plant malware on the phones of at least 36 prominent journalists.

Citizen Lab said in its report that the hackers planted the notorious Pegasus spyware, developed by Israeli surveillance company NSO Group. The spyware can read text messages, intercept phone calls, use GPS location to track the user and access the phone's camera and microphone to gather information. Pegasus first came to light in 2016 during a failed attempt to infect a human rights activist's iPhone.

This time, the targets were journalists mainly from Al Jazeera, along with London-based Al Araby TV. The researchers said that those phones were hacked by at least four Pegasus operators, including operators from Saudi Arabia and the United Arab Emirates. "The journalists were hacked by four Pegasus operators, including one operator 'MONARCHY' that we attribute to Saudi Arabia, and one operator 'SNEAKY KESTREL' that we attribute to the United Arab Emirates," the report said.


How Were They Hacked?

Tamer Almisshal, an investigative journalist from Al Jazeera, asked Citizen Lab to check his iPhone as he suspected that it might have been hacked. Almisshal, who reported on many sensitive topics in the Middle East, consented to Citizen Lab installing a VPN service to monitor his traffic. As the researchers began probing, they found that Almisshal's phone had connected to NSO servers that were known to deliver Pegasus spyware. Further analysis suggested that the spyware might have been delivered over iMessage without the journalist's knowledge.

According to the report, the phones were hacked by exploiting a "zero-click" vulnerability in iMessage that was fixed in the iOS 14 update. NSO operators used the vulnerability to deploy the KISMET "zero-click" exploit between October and December 2019. Researchers said it was likely that the spyware was delivered via Apple's Push Notification Service (APNs), the protocol iMessage operates on.

The spyware could impersonate another application on the phone that sends push notifications through Apple's servers. Because Apple was not aware of the vulnerability, the spyware could be transmitted to the device.

"While reviewing his VPN logs, we noticed that on July 19, 2020, his phone visited a website that we had detected in our Internet scanning as an Installation Server for NSO Group's Pegasus spyware, which is used in the process of infecting a target with Pegasus," Citizen Lab researchers said in the report.


Apart from Almisshal, Al Araby journalist Rania Dridi was one of the other victims whose phone was allegedly hacked. The UAE government allegedly spied on her iPhone XS Max between October 2019 and July 2020 through two separate zero-day attacks. "My life is not normal anymore. I don't feel like I have a private life again. To be a journalist is not a crime," Dridi told TechCrunch.

Why Were They Targeted?

The primary reason for targeting Al Jazeera journalists was the Middle East crisis. The news outlet was at the center of deteriorating relations between Qatar and four Middle East countries: Saudi Arabia, UAE, Bahrain and Egypt. The four countries jointly organized a blockade against Qatar in 2017, accusing the latter of harboring dissidents.

Qatar-based Al Jazeera was targeted because of its coverage of the Arab Spring, an anti-government protest that quickly escalated, toppling regimes in Tunisia, Libya, Egypt and Yemen. Regimes in monarchies like Saudi Arabia, Bahrain and UAE believed that Al Jazeera's coverage helped fuel protests in other neighboring nations. They were afraid of a similar fate in their countries. Many nations in the Middle East blocked Al Jazeera's availability during the Arab Spring and the blockade.


Bahrain's Foreign Minister criticized Al Jazeera's documentary on the protests saying, "It's clear that in Qatar there are those who don't want anything good for Bahrain. And this film on Al Jazeera English is the best example of this inexplicable hostility."

However, this is not the first time NSO Group's spyware has been used to target journalists. Saudi Arabian author and journalist Jamal Khashoggi, who died under mysterious circumstances in 2018, was targeted with the same Pegasus spyware by the Saudi government, allegedly on instructions from Prince Mohammed bin Salman. NSO Group, though, has denied allegations that its spyware was used to target those 36 journalists.
