- Saudi, UAE govts. target 36 personal phones of journalists, hacked in July and August with spy software developed by Israel-based NSO Group
- ‘Zero Click’ Spyware found deployed against Al Jazeera journalists’ Phones
- NSO spyware was repeatedly found deployed to hack journalists, lawyers, human rights defenders and dissidents, most notably the Saudi journalist Jamal Khashoggi
In an attack likely to be related to the governments of Saudi Arabia and the United Arab Emirates, dozens of journalists at Al-Jazeera, the Qatari state-owned media company, have been hit by sophisticated spyware, a cybersecurity watchdog said Sunday.
The Citizen Lab at the University of Toronto said it traced malware that infected the private phones of 36 Al-Jazeera reporters, anchors, producers and executives back to the Israel-based NSO Group, which has been widely criticized for selling spyware to repressive governments.
The investigators were most unnerved by the fact that iMessages infected targeted cell phones without any action being taken by the users, known as a zero-click vulnerability. Through push notifications alone, the malware instructed the phones to upload their content to servers linked to the NSO Group, Citizen Lab said, turning the journalists’ iPhones into effective surveillance tools without even luring users to click on dubious links or threatening messages.
The coordinated attacks on Qatari-funded Al-Jazeera, which Citizen Lab described as the largest concentration of phone hacks targeting a single organization, took place in July, just weeks before the Trump administration announced the normalization of relations between Israel and the UAE, the archrival of Qatar. The breakthrough deal made public what had been a long-secret alliance. Analysts claim that normalization is likely to lead to greater digital surveillance cooperation between Israel and the Persian Gulf sheikhdoms.
Apple said it was aware of the Citizen Lab report and said that iOS 14, the latest iteration of its mobile operating system, “provided new protections against these types of attacks.” The company also tried to reassure its customers that NSO does not threaten the average iPhone owner, but rather sells its software to a small number of foreign governments to target limited groups. Apple said it was unable to validate Citizen Lab’s analysis independently.
Citizen Lab, which has been monitoring NSO spyware for four years, tied the attacks with “medium confidence” to the Emirati and Saudi governments, based on their past targeting of dissidents at home and abroad with the same spyware. The two countries are entangled in a bitter diplomatic rivalry with Qatar in which hacking and cyber surveillance have steadily become preferred instruments.
In 2017, the two Gulf nations and their allies imposed a blockade on Qatar over its alleged funding for extremist groups, a claim Doha rejects. The UAE and Saudi Arabia have served the small country with a list of demands, including the shutdown of its popular Arabic-language TV network, which is seen by the UAE and Saudi Arabia as pushing a political agenda unlike their own. The feud continues to fester, although officials have recently suggested that a resolution could be within reach.
Emirati and Saudi authorities did not respond to requests for comment.
In a statement, the NSO Group cast doubt on the allegations of Citizen Lab, but said it was “unable to comment on a report we have not yet seen.”
The group said it only provides technology that enables “government law enforcement agencies to tackle serious organized crime and counterterrorism.” Nonetheless, it said, “when we receive credible evidence of misuse, we take all necessary steps to review the allegations in accordance with our product misuse investigation procedure.” NSO does not identify its customers.
NSO’s spyware was routinely used to hack journalists, lawyers, human rights defenders, and dissidents prior to Sunday’s report. The spyware was most famously involved in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered at the Saudi Consulate in Istanbul in 2018 and whose body was never identified. Several suspected spyware targets, including a close friend of Khashoggi and several Mexican civil society figures, have sued NSO over the hacking in an Israeli court.
The NSO Group’s surveillance software, known as Pegasus, is intended to bypass detection and conceal its activity. The malware infiltrates phones to suck up personal and location data and suddenly monitor the smartphone’s microphones and cameras, enabling hackers to spy on reporters’ face-to-face meetings with sources.
Bill Marczak, a senior researcher at the Citizen Lab, said, “It is not only very scary, but it is the holy grail of phone hacking,” and added, “Normally, you can use your phone, completely unaware that somebody else is looking at everything you do.”
The Citizen Lab researchers linked the hacks to previously known Pegasus operators in attacks attributed to Saudi Arabia and the UAE over the last four years.
Rania Dridi, a newscaster for the London-based Al Araby satellite channel, never found anything wrong. While she said she was accustomed to Emirati and Saudi criticism over her reporting on human rights and the UAE’s involvement in the wars in Libya and Yemen, she was surprised to learn that, since October 2019, her phone had been infected with intrusive spyware on several occasions.
“It’s a terrible feeling to be so vulnerable, to know that this whole time, my private life was not private,” she said.
The zero-click vulnerability is rapidly being used to hack cellphones without a trace, Marczak said. Last year, WhatsApp and its parent company Facebook brought an unprecedented lawsuit against the NSO Group, accusing the Israeli firm of targeting some 1,400 users of its encrypted messaging service with highly advanced spyware via missed calls. Earlier this month, an Al-Jazeera anchor filed another complaint in the US claiming that the NSO Group hacked her phone through WhatsApp over her reporting on Saudi Arabia’s powerful Crown Prince Mohammed bin Salman. With the UAE and Bahrain normalizing relations with Israel, the use of Israeli spyware in the region could accelerate, Marczak added, covering a “much wider range of government agencies and customers across the Gulf.”
The Al-Jazeera attack represents the tip of the iceberg, said Yaniv Balmas, head of cyber research at Check Point, an Israeli security firm.
Balmas said, “Such hacks are not intended to be public,” and added that “We should assume they’re happening everywhere, all the time.”