NSO Group's Pegasus spyware used in zero-click attacks on 36 journalists at Al Jazeera

Saudi Arabia and the UAE possibly hacked journalists' phones

Rania Dridi, a journalist at Al Araby TV, never clicked on suspicious links or messages sent to her cell phone, but she did not have to for the sophisticated hack that allegedly targeted her.

Dridi's personal iPhone was reportedly turned into a spying device at least six times between October 2019 and July by Pegasus spyware from NSO Group, according to a university research laboratory, as part of "zero-click" attacks possibly linked to the UAE and Saudi Arabia.

An NSO Group spokesman disputed the conclusions but declined to comment on the report's content, saying the organization had not seen the information. Officials in the United Arab Emirates and Saudi Arabia did not immediately respond to a request for comment.

Dridi was among two London-based journalists and 36 journalists at the Qatar-based Al Jazeera TV network who were possibly targeted with spyware by the Saudi and Emirati governments, researchers at the Citizen Lab at the Munk School of Global Affairs and Public Policy at the University of Toronto said on Sunday.

Al-Jazeera staff work at their TV station in Doha, Qatar

The Pegasus operators most likely hacked into the mobile phones using a "zero-click exploit," without the targets engaging with them and without leaving strong evidence of the infiltration behind, Citizen Lab concluded. Once in, the suspected government operators may have bypassed encryption, tracked and recorded all cell phone activity, and listened to the conversations around it.

The Citizen Lab researchers reported that they had "medium confidence" in their assessment that the governments of Saudi Arabia and the United Arab Emirates, both Pegasus customers, were behind the attacks, citing internet domain ties.

NSO Group, the developer of the Pegasus spyware, has been sued in the US by WhatsApp, which accuses it of using the encrypted messaging app to spy on journalists and human rights campaigners worldwide.

An NSO Group spokesperson, who spoke on condition of anonymity in line with protocol, claimed in a statement that "CitizenLab continues to publish reports based on speculations, inaccurate assumptions and without a full command of the facts."

The statement continued, "NSO is providing products that enable government law enforcement agencies to tackle, apparently, no other company than NSO appears to know about and while we're proud of being a leading global company, we want to emphasize not everything related to us is really a use of our technology."

"There was nothing the targets could have done to prevent this," said Bill Marczak, a senior Citizen Lab research fellow and co-author of the study. He called the results especially frightening because these "products are being sold to some of the world's most repressive governments."

"The information that's gained can be used in ways to silently sabotage journalists' stories or civil society's investigations," he said.

"The industry tends to talk about the darkness of terrorists and criminals, but in this case the spy industry itself is dark."

One signature move of Pegasus was that the spyware gained access to the target device by sending malicious links through text messages. Citizen Lab has reported cases in which Pegasus was deployed against political dissidents and others, including the UAE human rights defender Ahmed Mansoor, Saudi activist Omar Abdulaziz, and the slain Saudi journalist Jamal Khashoggi, a contributing columnist to the Washington Post. Saudi Arabia is also a leading country of Saudi Arabia.

Because hacking attempts using SMS can be reasonably easy to detect and track, however, NSO Group is, according to Citizen Lab, increasingly moving toward spyware that can compromise a mobile phone with no action needed by the victim. In one instance in 2019, WhatsApp alerted 1400 users to the use of spyware delivered via failed phone calls. In 2016, according to Reuters, the United Arab Emirates bought a zero-click iMessage exploit that was used to track hundreds of targets.

Of the two major attack operators, one, which Citizen Lab referred to as "Monarchy," had previously attacked targets mainly within Saudi Arabia, in addition to at least one Saudi activist abroad. The other operator, known in the study as "Sneaky Kestrel," concentrated on targets within the UAE and was connected to attacks against Emiratis outside the Persian Gulf country.

Saudi Arabia and the UAE are in a geopolitical dispute with Qatar, the owner of Al Jazeera, which critics claim advocates Qatari interests. Al Araby TV, Dridi's station, belongs to a businessman in Qatar. She was reportedly targeted because of her job and her close relationship with a TV presenter often critical of Saudi and Emirati policies.

Researchers at Citizen Lab learned of the hacks by chance while monitoring the phone of Tamer Almisshal, an Al Jazeera journalist. Fearing he would become a hacking target, Almisshal had approached Citizen Lab and set up his phone with a virtual private network so that the research center could monitor its internet activity.

On 19 July, Almisshal's phone reportedly visited a website described as a Pegasus installation server. In the 54 minutes prior to the visit, researchers observed a number of suspicious iCloud connections that downloaded and uploaded data.

Once the zero-click attacks were identified, the cell phones of 35 other Al Jazeera journalists came under similar suspicion.

Dridi said her boss told her three months ago that a journalist from Al Araby had been similarly hacked. Then she found that it was her own private cell phone, and that someone had listened for months and accessed her camera, images and personal conversations.

"Since then, I've started this new life," she said. "Everything's changed in my life. You felt like you had privacy, now you feel like you don't. It's really, really ridiculous. I feel insecure."

Dridi, one of the two reporters whose names have been made public in the report, is preparing a lawsuit against the United Arab Emirates.

Marczak encouraged iPhone users, at the very least, to install the updates that patch such vulnerabilities.

He described the results of the investigation as a "wake-up call for technology companies to use the code on the phones to make sure that the bugs, which are extremely dangerous, are not so-called 'zero click.'"

Pegasus: Surveilling journalists from inside their phones

Here is an offer many governments cannot refuse: do you want to hack into the phones of journalists, gather every bit of data and trace every call, message and keystroke?

Those governments are in luck, as there is some malware - malicious software - designed specifically for that purpose.

This story starts with an Israeli company called the NSO Group. It says it is in the business of "cyber-intelligence for global security and stability".

The company's primary product is known as Pegasus - a programme so sophisticated that it can embed into your mobile phone through just a phone call - even if you do not take the call.

The governments that use Pegasus - from Saudi Arabia to Mexico to India - say they are out to stop "security threats" but it is also used against civil society, including human rights activists.

And in October, WhatsApp sent the NSO Group a clear message: it is suing the company for developing Pegasus to specifically hack people's devices through that messaging app.

The Listening Post's Meenakshi Ravi looks into the growing surveillance threat against journalists and the malware of choice for the governments involved.