The mobile phones of dozens of employees at news outlet Al Jazeera were hacked using a stealthy ‘zero-click’ exploit developed by NSO Group, a heavily scrutinized Israeli commercial spyware vendor, according to a new report by researchers at Citizen Lab.
The security research group associated with the University of Toronto said that the 36 journalists identified in their report likely represent a “minuscule fraction” of the total victims of the company’s spyware given the size of NSO Group’s customer base and the reach of the vulnerability, which affects iPhones prior to the iOS 14 update that was released this fall and included several security enhancements.
The report comes as NSO Group faces growing scrutiny for enabling government clients across the globe to unlawfully surveil and harass dissidents, journalists, activists, and policymakers.
In an emailed response to a request for comment, NSO Group affirmed that its products are used to “tackle serious organized crime and counterterrorism only” and pledged to take all necessary steps to review allegations when it is presented with “credible evidence of misuse”—a threshold the Citizen Lab report, alarmingly, appears not to have met in the eyes of NSO Group.
“This memo is based, once again, on speculation and lacks any evidence supporting a connection to NSO. Instead, it relies on assumptions made solely to fit Citizen Lab’s agenda,” wrote NSO Group. “We question whether Citizen Lab understands that by pursuing this agenda, they are providing irresponsible corporate actors as well as terrorists, pedophiles, and drug cartel bosses with a playbook for how to avoid law enforcement.”
Citizen Lab has a strong reputation among cybersecurity experts, and this is not the first time it has shined a light on human rights abuses involving NSO Group. Bill Marczak, one of the authors of the report, affirmed that Citizen Lab has “high confidence” that NSO Group is behind the exploit.
“NSO Group tries to have it both ways, they boast about their technology being used to stop criminals, but they also say that the customer makes all the decisions about who to spy on,” Marczak told The Record. “Without regulation of this industry, we fear that NSO Group’s ultimate legacy will be helping their authoritarian customers undermine democracy around the world.”
The stealth and cunning of NSO Group’s latest exploit casts doubt on researchers’ continued ability to hold the company accountable, while illustrating the widening gap between the surveillance capabilities that governments have at their disposal and those civil society has to protect itself.
“The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance. Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators,” warned the researchers at Citizen Lab, which for years has spotlighted the threat that commercial spyware poses to civil society.
Zero-click exploits are extremely pernicious because they require no user interaction. That not only makes them more effective, as they do not rely on social engineering, but it also raises less suspicion. Users can be surveilled for months without realizing something is afoot.
Zero-click exploits for Android and iPhone sell for millions of dollars, according to Forbes. They have been used in some of the most sophisticated, and notorious, targeted hacks, including the compromise of Jeff Bezos’s mobile phone, believed to have been triggered by a message sent from Saudi crown prince Mohammed bin Salman.
The researchers were able to unravel the campaign because they were contacted by a victim who already suspected his phone had been hacked. Tamer Almisshal, an investigative journalist for Al Jazeera, asked the Citizen Lab researchers in January of this year to have them monitor metadata on his iPhone.
But it was not until July 19, roughly six months later, that the researchers detected Almisshal’s phone visiting a known installation server for Pegasus spyware. Suspicious internet traffic occurring before and after the suspected infection then pointed the researchers to the iOS infection vector.
Citizen Lab subsequently worked with Al Jazeera’s IT team and discovered the personal phones of 36 journalists, producers, anchors and executives had been compromised by four separate NSO Group clients.
The spyware gives customers the ability to record ambient sound and phone calls, take or exfiltrate photos, access the victim’s passwords, and track the phone’s location, according to Citizen Lab
Citizen Lab assessed with “moderate confidence” that Saudi Arabia and the United Arab Emirates were responsible for 33 of the 36 infections. It was unable to identify the two other operators.
Citizen Lab did not elaborate on the purposes of the campaign, though it appeared to have clear geopolitical motives.
Al Jazeera, perhaps the most influential broadcasting and media organizations in the Middle East, has rankled political leadership elsewhere in the region for its sympathetic coverage of the Arab Spring and the Muslim Brotherhood, an Islamist political movement with links to terrorist groups.
In 2017, Saudi Arabia, the United Arab Emirates, Egypt and Bahrain issued Qatar a thirteen-point list of demands, including that it shutter Al Jazeera, in exchange for lifting a trade and economic embargo the countries coordinated against the emirate.
The report represents yet another black mark for NSO Group, whose software has been implicated in a spate of human rights abuses, including the killing of Jamal Khashoggi, the Washington Post columnist murdered by Saudi agents in October 2018 at the Kingdom’s consulate in Istanbul. NSO Group has denied those allegations.
NSO Group claims to work exclusively with government clients in intelligence and law enforcement. It has previously defended its practices by arguing that its commercial surveillance software gives governments a necessary tool to counter the wide availability of end-to-end encryption services for criminals and terrorists.
In recent years NSO Group has made a concerted effort to cleanse its image. It published a Human Rights Policy in 2019 that “publicly affirmed” the company’s “unequivocal respect for human rights.” Their website also claims that the company’s “vetting process” for clients “goes beyond legal and regulatory requirements to ensure the lawful use of our technology.”
The revelation that NSO has been exploiting vulnerabilities in iOS software may put it in the crosshairs of Apple—much like it has with another technology giant, Facebook.
In September of 2019, Facebook-owned WhatsApp sued NSO group, after NSO Group developed an exploit for WhatsApp that was used to launch attacks against 1,400 WhatsApp users during a two-week period in May 2019.
In that suit, NSO Group has argued that it should not be held responsible for the actions of its clients. While the company claims that it does not have specific knowledge of how its products are used, reports suggest that NSO Group is more involved than it lets on for the simple reason that its clients need help implementing the firm’s technology.
In July, the US district court for California rejected that argument, meaning the case will proceed to discovery, where NSO might ultimately be forced to divulge more information regarding its business practices and its clients
The WhatsApp exploit used a separate zero-user interaction exploit that allowed attackers to inject spyware on phones simply by ringing the number of a target’s device.
Apple has not independently verified the findings of the report, but it recommends that users immediately update to iOS 14.