Zero-click iPhone exploit, NSO Group spyware used to target Mideast journalists, Citizen Lab says

Hackers suspected to work for the governments of Saudi Arabia and the United Arab Emirates breached 36 devices belonging to Al Jazeera journalists in recent months by using a zero-click iPhone exploit and NSO Group spyware, according to new Citizen Lab research published Sunday.

The suspected government hackers behind the operations had a particularly pernicious tactic for accessing their targets — an iPhone iMessage that requires zero interaction from the target to work, according to the researchers. Citizen Lab is based at the Munk School of Global Affairs and Public Policy at the University of Toronto.

The hacking operations, which researchers attribute to the governments of Saudi Arabia and the UAE with “medium confidence,” could have allowed the operators to record audio, take pictures, track device location and access passwords or stored credentials on compromised phones, the researchers said.

Qatar, where Al Jazeera is based, historically has a fraught relationship with both Saudi Arabia and the UAE. Citizen Lab said the spy campaign’s targets include Al Jazeera investigative journalist Tamer Almisshal as well as Rania Dridi, a presenter for a London-based network, Al Araby TV.

The zero-click campaign is particularly concerning as it could represent an increasing interest from the commercial spyware industry in leveraging more surreptitious surveillance operations like zero-click exploits, the researchers say.

“The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected,” the researchers wrote in a blog post.

The operations, which appear separate but share some overlap, allegedly took place between July and August of this year, targeting the personal phones of journalists, producers, anchors, and executives at Al Jazeera, according to the researchers. The exploit chain on iMessage only appears to have affected operating systems before iOS 14.

An NSO Group spokesperson said in a statement that the firm does not operate its products once they’re in the hands of customers, and suggested that the surveillance software only enables law enforcement to track terrorists and criminals — and not journalists, as alleged.

“NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, and as stated in the past we do not operate them,” the spokesperson said. “However, when we receive credible evidence of misuse with enough information which can enable us to assess such credibility, we take all necessary steps in accordance with our investigation procedure in order to review the allegations.”

It’s just the latest allegation that NSO Group spyware has been leveraged against journalists and human rights activists in recent years. Researchers have previously accused NSO Group products of being responsible for surveillance of journalists in Morocco, religious and political dissidents in Togo, as well as associates of the murdered journalist Jamal Khashoggi. Just last week another Al Jazeera journalist, anchor Ghada Oueiss, filed a lawsuit accusing the crown princes of Saudi Arabia and the UAE of using NSO Group spyware to monitor and disparage her.

The research and allegations come at a contentious moment for NSO Group, which is currently battling Facebook’s allegations in court that it used Facebook’s WhatsApp to surveil thousands of journalists and human rights activists. Microsoft President Brad Smith indicated in a recent blog post that the tech titan would be throwing its weight behind WhatsApp’s allegations, in part because Microsoft takes issue with NSO Group’s suggestion that it can’t be scrutinized in a U.S. court of law because its clients are foreign sovereign nations.

“NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers,” Smith wrote in his blog. “Its argument is that it is immune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that government’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why Microsoft is joining with other companies in opposing this interpretation.”