The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit - The Citizen Lab

<!doctype html> <!--[if lt IE 7]><html lang="en-US" prefix="og: https://ogp.me/ns#"><![endif]--> <!--[if (IE 7)&!(IEMobile)]><html lang="en-US" prefix="og: https://ogp.me/ns#"><![endif]--> <!--[if (IE 8)&!(IEMobile)]><html lang="en-US" prefix="og: https://ogp.me/ns#"><![endif]--> <!--[if gt IE 8]><!--> <html lang="en-US" prefix="og: https://ogp.me/ns#"><!--<![endif]--> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The Citizen Lab</title> <meta name="HandheldFriendly" content="True"> <meta name="MobileOptimized" content="320"> <meta name="viewport" content="width=device-width, initial-scale=1"/> <link rel="apple-touch-icon" sizes="57x57" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-57x57.png"> <link rel="apple-touch-icon" sizes="60x60" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-60x60.png"> <link rel="apple-touch-icon" sizes="72x72" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-72x72.png"> <link rel="apple-touch-icon" sizes="76x76" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-76x76.png"> <link rel="apple-touch-icon" sizes="114x114" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-114x114.png"> <link rel="apple-touch-icon" sizes="120x120" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-120x120.png"> <link rel="apple-touch-icon" sizes="144x144" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-144x144.png"> <link rel="apple-touch-icon" sizes="152x152" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-152x152.png"> <link rel="apple-touch-icon" sizes="180x180" 
href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/apple-icon-180x180.png"> <link rel="icon" type="image/png" sizes="192x192" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/android-icon-192x192.png"> <link rel="icon" type="image/png" sizes="32x32" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="96x96" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="16x16" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/favicon-16x16.png"> <link rel="manifest" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/images/manifest.json"> <meta name="msapplication-TileColor" content="#ffffff"> <meta name="msapplication-TileImage" content="/ms-icon-144x144.png"> <meta name="theme-color" content="#ffffff"> <!--[if IE]> <link rel="shortcut icon" href="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/favicon.ico"> <![endif]--> <link rel="pingback" href="https://citizenlab.ca/xmlrpc.php"> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <!-- Search Engine Optimization by Rank Math PRO - https://rankmath.com/ --> <meta name="description" content="Government operatives used NSO Group&#8217;s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. 
The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates."/> <meta name="robots" content="follow, index, max-snippet:-1, max-video-preview:-1, max-image-preview:large"/> <link rel="canonical" href="https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The Citizen Lab" /> <meta property="og:description" content="Government operatives used NSO Group&#8217;s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates." 
/> <meta property="og:url" content="https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/" /> <meta property="og:site_name" content="The Citizen Lab" /> <meta property="article:tag" content="Apple" /> <meta property="article:tag" content="iOS" /> <meta property="article:tag" content="NSO Group" /> <meta property="article:tag" content="Pegasus" /> <meta property="article:tag" content="Targeted Threats" /> <meta property="article:tag" content="Zero Day" /> <meta property="article:section" content="Targeted Threats" /> <meta property="og:updated_time" content="2021-06-29T16:10:48-04:00" /> <meta property="og:image" content="https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png" /> <meta property="og:image:secure_url" content="https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png" /> <meta property="og:image:width" content="1960" /> <meta property="og:image:height" content="1104" /> <meta property="og:image:alt" content="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#8216;Zero-Click&#8217; Exploit" /> <meta property="og:image:type" content="image/png" /> <meta property="article:published_time" content="2020-12-20T14:57:58-05:00" /> <meta property="article:modified_time" content="2021-06-29T16:10:48-04:00" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:title" content="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The Citizen Lab" /> <meta name="twitter:description" content="Government operatives used NSO Group&#8217;s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates." 
/> <meta name="twitter:site" content="@citizenlab" /> <meta name="twitter:creator" content="@billmarczak" /> <meta name="twitter:image" content="https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png" /> <meta name="twitter:label1" content="Written by" /> <meta name="twitter:data1" content="Bill Marczak" /> <meta name="twitter:label2" content="Time to read" /> <meta name="twitter:data2" content="25 minutes" /> <script type="application/ld+json" class="rank-math-schema-pro">{"@context":"https://schema.org","@graph":[{"@type":["CollegeOrUniversity","Organization"],"@id":"https://citizenlab.ca/#organization","name":"The Citizen Lab","url":"https://citizenlab.ca","sameAs":["https://twitter.com/citizenlab"],"logo":{"@type":"ImageObject","@id":"https://citizenlab.ca/#logo","url":"https://citizenlab.ca/wp-content/uploads/2019/02/citlablogo.png","contentUrl":"https://citizenlab.ca/wp-content/uploads/2019/02/citlablogo.png","caption":"The Citizen Lab","inLanguage":"en-US","width":"7824","height":"5216"}},{"@type":"WebSite","@id":"https://citizenlab.ca/#website","url":"https://citizenlab.ca","name":"The Citizen Lab","publisher":{"@id":"https://citizenlab.ca/#organization"},"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png","url":"https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png","width":"1960","height":"1104","inLanguage":"en-US"},{"@type":"WebPage","@id":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/#webpage","url":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/","name":"The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The Citizen 
Lab","datePublished":"2020-12-20T14:57:58-05:00","dateModified":"2021-06-29T16:10:48-04:00","isPartOf":{"@id":"https://citizenlab.ca/#website"},"primaryImageOfPage":{"@id":"https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png"},"inLanguage":"en-US"},{"@type":"Person","@id":"https://citizenlab.ca/author/bmarczak/","name":"Bill Marczak","url":"https://citizenlab.ca/author/bmarczak/","image":{"@type":"ImageObject","@id":"https://secure.gravatar.com/avatar/6222009c0f327b63f3dae11506004eec?s=96&amp;d=mm&amp;r=g","url":"https://secure.gravatar.com/avatar/6222009c0f327b63f3dae11506004eec?s=96&amp;d=mm&amp;r=g","caption":"Bill Marczak","inLanguage":"en-US"},"sameAs":["https://billmarczak.org/","https://twitter.com/billmarczak"],"worksFor":{"@id":"https://citizenlab.ca/#organization"}},{"@type":"BlogPosting","headline":"The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The","datePublished":"2020-12-20T14:57:58-05:00","dateModified":"2021-06-29T16:10:48-04:00","author":{"@id":"https://citizenlab.ca/author/bmarczak/","name":"Bill Marczak"},"publisher":{"@id":"https://citizenlab.ca/#organization"},"description":"Government operatives used NSO Group\u2019s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. 
The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.","name":"The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit - The","@id":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/#richSnippet","isPartOf":{"@id":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/#webpage"},"image":{"@id":"https://citizenlab.ca/wp-content/uploads/2020/12/ajArtboard-1@4x.png"},"inLanguage":"en-US","mainEntityOfPage":{"@id":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/#webpage"}}]}</script> <!-- /Rank Math WordPress SEO plugin --> <link rel="alternate" type="application/rss+xml" title="The Citizen Lab &raquo; Feed" href="https://citizenlab.ca/feed/" /> <link rel="alternate" type="application/rss+xml" title="The Citizen Lab &raquo; Comments Feed" href="https://citizenlab.ca/comments/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/citizenlab.ca\/wp-includes\/js\/wp-emoji-release.min.js"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://citizenlab.ca/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css' type='text/css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css' type='text/css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar 
:where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css' type='text/css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='rank-math-toc-block-style-inline-css' type='text/css'> .wp-block-rank-math-toc-block nav ol{counter-reset:item}.wp-block-rank-math-toc-block nav ol li{display:block}.wp-block-rank-math-toc-block nav ol li:before{content:counters(item, ".") ". ";counter-increment:item} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='bigfoot-number-css' href='https://citizenlab.ca/wp-content/plugins/bigfoot_footnotes/library/bigfoot-number.css' type='text/css' media='all' /> <link rel='stylesheet' id='__EPYT__style-css' href='https://citizenlab.ca/wp-content/plugins/youtube-embed-plus/styles/ytprefs.min.css' type='text/css' media='all' /> <style id='__EPYT__style-inline-css' 
type='text/css'> .epyt-gallery-thumb { width: 33.333%; } </style> <link rel='stylesheet' id='bones-base-stylesheet-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/css/tachyons.css' type='text/css' media='all' /> <link rel='stylesheet' id='bones-stylesheet-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/css/style.css' type='text/css' media='all' /> <!--[if lt IE 9]> <link rel='stylesheet' id='bones-ie-only-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/css/ie.css' type='text/css' media='all' /> <![endif]--> <link rel='stylesheet' id='fontawesome-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/fontawesome/css/fontawesome.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='fontawesome-brands-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/fontawesome/css/brands.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='fontawesome-solid-css' href='https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/fontawesome/css/solid.min.css' type='text/css' media='all' /> <script type="text/javascript" src="https://citizenlab.ca/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script> <script type="text/javascript" src="https://citizenlab.ca/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script> <script type="text/javascript" id="__ytprefs__-js-extra"> /* <![CDATA[ */ var _EPYT_ = 
{"ajaxurl":"https:\/\/citizenlab.ca\/wp-admin\/admin-ajax.php","security":"e012a0088c","gallery_scrolloffset":"20","eppathtoscripts":"https:\/\/citizenlab.ca\/wp-content\/plugins\/youtube-embed-plus\/scripts\/","eppath":"https:\/\/citizenlab.ca\/wp-content\/plugins\/youtube-embed-plus\/","epresponsiveselector":"[\"iframe.__youtube_prefs__\",\"iframe[src*='youtube.com']\",\"iframe[src*='youtube-nocookie.com']\",\"iframe[data-ep-src*='youtube.com']\",\"iframe[data-ep-src*='youtube-nocookie.com']\",\"iframe[data-ep-gallerysrc*='youtube.com']\"]","epdovol":"1","version":"14.2.1.2","evselector":"iframe.__youtube_prefs__[src], iframe[src*=\"youtube.com\/embed\/\"], iframe[src*=\"youtube-nocookie.com\/embed\/\"]","ajax_compat":"","maxres_facade":"eager","ytapi_load":"light","pause_others":"","stopMobileBuffer":"1","facade_mode":"","not_live_on_channel":"","vi_active":"","vi_js_posttypes":[]}; /* ]]> */ </script> <script type="text/javascript" src="https://citizenlab.ca/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js" id="__ytprefs__-js"></script> <script type="text/javascript" src="https://citizenlab.ca/wp-content/themes/citizenlab-2.1.2/library/js/libs/modernizr.custom.min.js" id="bones-modernizr-js"></script> <link rel='shortlink' href='https://citizenlab.ca/?p=74693' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://citizenlab.ca/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fcitizenlab.ca%2F2020%2F12%2Fthe-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://citizenlab.ca/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fcitizenlab.ca%2F2020%2F12%2Fthe-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit%2F&#038;format=xml" /> <script type="text/javascript" id="google_gtagjs" src="https://www.googletagmanager.com/gtag/js?id=G-RCDQQLPVF0" async="async"></script> <script 
type="text/javascript" id="google_gtagjs-inline"> /* <![CDATA[ */ window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}gtag('js', new Date());gtag('config', 'G-RCDQQLPVF0', {'anonymize_ip': true} ); /* ]]> */ </script> </head> <body itemscope itemtype="http://schema.org/WebPage"> <div id="container" class="pa3 pv4-l ph5-l"> <main id="main" role="main" itemscope itemprop="mainContentOfPage" itemtype="http://schema.org/Blog"> <section id="content" class="container"> <article id="post-74693" dir="ltr" role="article"
itemscope itemprop="blogPost" itemtype="http://schema.org/BlogPosting" class="lh-copy"> <header> <h1 itemprop="headline" rel="bookmark" class="ma0 mt5 lh-title"> <!-- Title --> <span class="db f2 f1-ns black lh-solid no-hyphen">The Great iPwn</span> <!-- Subtitle --> <span class="db f4 f2-ns mid-gray mt2 lh-title oswald-regular mb2-ns no-hyphen"> Journalists Hacked with Suspected NSO Group iMessage &#8216;Zero-Click&#8217; Exploit</span> </h1> <div dir="ltr" class="mt2"> <div class="f5 mr4 b dark-gray dib">By <a href="https://citizenlab.ca/author/bmarczak/" title="Posts by Bill Marczak" class="author url fn" rel="author">Bill Marczak</a>, <a href="https://citizenlab.ca/author/jsrailton/" title="Posts by John Scott-Railton" class="author url fn" rel="author">John Scott-Railton</a>, <a href="https://citizenlab.ca/author/noura/" title="Posts by Noura Aljizawi" class="author url fn" rel="author">Noura Aljizawi</a>, <a href="https://citizenlab.ca/author/siena-anstis/" title="Posts by Siena Anstis" class="author url fn" rel="author">Siena Anstis</a>, and <a href="https://citizenlab.ca/author/profd/" title="Posts by Ron Deibert" class="author url fn" rel="author">Ron Deibert</a></div> <time class="dark-gray dib f5 mr4" datetime="2020-12-20" itemprop="datePublished">December 20, 2020</time> </div> <!-- Display the link for the PDF version of the post --> <div> <a 
class="cta-button-outline" href="https://tspace.library.utoronto.ca/bitstream/1807/106226/1/Report%23135--thegreatipwn.pdf" title="Download this report">Download this report</a> </div> </header> <section itemprop="articleBody" class="article-body mb4 mt4 pt2 bt b--light-gray"> <h2 id="summary-key-findings" class="lh-solid mb3"><strong>Summary &amp; Key Findings</strong></h2> <ul class="mt0"> <li class="mt2">In July and August 2020, government operatives used <a href="https://www.business-humanrights.org/en/companies/nso-group/" class="pointer" target="_blank" rel="noopener"><u>NSO</u> <u>Group</u></a>&rsquo;s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at <em>Al Jazeera</em>. The personal phone of a journalist at London-based <em>Al Araby TV</em> was also hacked.</li> <li class="mt2">The phones were compromised using an exploit chain that we call <em><strong>KISMET</strong></em>, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple&rsquo;s then-latest iPhone 11.</li> <li class="mt2">Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.</li> <li class="mt2">The journalists were hacked by four Pegasus operators, including one operator <em><strong>MONARCHY</strong></em> that we attribute to Saudi Arabia, and one operator <em><strong>SNEAKY KESTREL</strong></em> that we attribute to the United Arab Emirates.</li> <li class="mt2">We do not believe that KISMET works against iOS 14 and above, which includes new security protections. 
All iOS device owners should immediately update to the latest version of the operating system.</li> <li class="mt2">Given the global reach of NSO Group&rsquo;s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit.</li> <li class="mt2">Infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.</li> <li class="mt2">We have shared our findings with Apple and they have confirmed to us that they are looking into the issue.</li> </ul> <h2 id="background" class="lh-solid mb3"><strong>1. Background</strong></h2> <p class="mt0">NSO Group&rsquo;s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been <a href="https://citizenlab.ca/tag/nso-group/" class="pointer"><u>regularly linked to surveillance abuses</u></a>.</p> <p>For many years, Pegasus was known for the telltale malicious links it sent to targets via SMS. This method was used by NSO Group customers to target <a href="https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" class="pointer"><u>Ahmed Mansoor</u></a>, dozens of members of civil society in <a href="https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/" class="pointer"><u>Mexico</u></a>, and political dissidents targeted by <a href="https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/" class="pointer"><u>Saudi Arabia</u></a>, among others. The use of malicious links in SMSes made it possible for investigators and targets to quickly identify evidence of past targeting. 
Targets could not only <em>notice</em> these suspicious messages, but they could also <em>search</em> their message history to detect evidence of hacking attempts.</p> <p>More recently, NSO Group is shifting towards zero-click exploits and <a href="https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/" class="pointer" target="_blank" rel="noopener"><u>network-based attacks</u></a> that allow its government clients to break into phones <a href="https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/" class="pointer"><u>without any interaction from the target</u></a>, and without leaving any visible traces. The <a href="https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/" class="pointer"><u>2019 WhatsApp breach</u></a>, where at least 1,400 phones were targeted via an exploit sent through a missed voice call, is one example of such a shift. Fortunately, in this case, WhatsApp notified targets. However, it is more challenging for researchers to track these zero-click attacks because targets may not notice anything suspicious on their phone. Even if they do observe something like &ldquo;weird&rdquo; call behavior, the event may be transient and not leave any traces on the device.</p> <p>The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected. 
Nevertheless, we continue to develop new technical means to track surveillance abuses, such as new techniques of network and device analysis.</p> <h3 id="imessage-emerges-as-a-zero-click-vector" class="lh-solid mb3"><strong>iMessage Emerges as a Zero-Click Vector</strong></h3> <p class="mt0">Since at least 2016, spyware vendors appear to have <a href="https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-pernicious-invisibility-of-zero-click-mobile-attacks/" class="pointer" target="_blank" rel="noopener"><u>successfully deployed</u></a> zero-click exploits against iPhone targets at a global scale. Several of these attempts have been reported to be through Apple&rsquo;s iMessage app, which is installed by default on every iPhone, Mac, and iPad. Threat actors may have been aided in their iMessage attacks by the fact that certain components of iMessage have historically <a href="https://www.wired.com/story/ios-security-imessage-safari/" class="pointer" target="_blank" rel="noopener"><u>not been sandboxed</u></a> in the same way as other apps on the iPhone.</p> <p>For example, <em>Reuters</em> <a href="https://www.reuters.com/investigates/special-report/usa-spying-karma/" class="pointer" target="_blank" rel="noopener"><u>reported</u></a> that United Arab Emirates (UAE) cybersecurity company DarkMatter, operating on behalf of the UAE Government, purchased a zero-click iMessage exploit in 2016 that they referred to as &ldquo;Karma,&rdquo; which worked during several periods in 2016 and 2017. 
The UAE reportedly used Karma to break into the phones of hundreds of targets, including the <a href="https://www.reuters.com/investigates/special-report/usa-raven-media/" class="pointer" target="_blank" rel="noopener"><u>chairmen</u></a> of <em>Al Jazeera</em> and <em>Al Araby TV</em>.</p> <p>A 2018 <a href="https://www.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo" class="pointer" target="_blank" rel="noopener"><em><u>Vice Motherboard</u></em> <u>report</u></a> about a Pegasus product presentation mentioned that NSO Group demonstrated a zero-click method for breaking into an iPhone. While the specific vulnerable app in that case was not reported, a <a href="https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027" class="pointer" target="_blank" rel="noopener"><u>2019</u> <em><u>Haaretz</u></em> <u>report</u></a> interviewed &ldquo;Yaniv,&rdquo; a pseudonym used by a vulnerability researcher working in Israel&rsquo;s offensive cyber industry, who seemed to indicate that spyware was sometimes deployed to iPhones via Apple&rsquo;s Push Notification Service (APNs), the protocol upon which iMessage is based:</p> <blockquote><p>&ldquo;An espionage program can impersonate an application you&rsquo;ve downloaded to your phone that sends push notifications via Apple&rsquo;s servers. 
If the impersonating program sends a push notification and Apple doesn&rsquo;t know that a weakness was exploited and that it&rsquo;s not the app, it transmits the espionage program to the device.&rdquo;</p></blockquote> <h3 id="the-gulf-cooperation-council-a-booming-spyware-market" class="lh-solid mb3"><strong>The Gulf Cooperation Council: A Booming Spyware Market</strong></h3> <p class="mt0">The Gulf Cooperation Council (GCC) countries are one of the most <a href="https://wired.me/technology/privacy/surveillance-gulf-states/" class="pointer" target="_blank" rel="noopener"><u>significant customer</u> <u>bases</u></a> for the commercial surveillance industry, with governments <a href="https://www.haaretz.com/middle-east-news/.premium-with-israel-s-encouragement-nso-sold-spyware-to-uae-and-other-gulf-states-1.9093465" class="pointer" target="_blank" rel="noopener"><u>reportedly</u></a> paying hefty premiums to companies that provide them special services, including analysis of intelligence that they capture with the spyware. The UAE apparently became an NSO Group customer in 2013, in what was <a href="https://www.ynetnews.com/articles/0,7340,L-5444998,00.html" class="pointer" target="_blank" rel="noopener"><u>described</u></a> as the &ldquo;next big deal&rdquo; for NSO Group after its first customer, Mexico. In 2017, Saudi Arabia (which the <a href="https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/" class="pointer"><u>Citizen Lab calls</u></a> <em><strong>KINGDOM</strong></em>) and Bahrain (<em><strong>PEARL</strong></em>) appear to have also become customers of NSO Group. 
<em>Haaretz</em> has also <a href="https://www.haaretz.com/middle-east-news/.premium-with-israel-s-encouragement-nso-sold-spyware-to-uae-and-other-gulf-states-1.9093465" class="pointer" target="_blank" rel="noopener"><u>reported</u></a> that Oman is an NSO Group customer, and that the Israeli Government prohibits NSO Group from doing business with Qatar.</p> <h3 id="al-jazeera-and-the-middle-east-crisis" class="lh-solid mb3"><strong><em>Al Jazeera</em> and the Middle East Crisis</strong></h3> <p class="mt0">The relationship between Saudi Arabia, UAE, Bahrain, Egypt (jointly, &ldquo;the four countries&rdquo;) and Qatar is fractious. The four countries often claim that Qatar shelters dissidents from the four countries and supports political Islamist groups, including the Muslim Brotherhood, whom they view as the most serious challenge to the existing political order in the Middle East.</p> <p>In March 2014, Saudi Arabia, UAE and Bahrain <a href="https://www.nytimes.com/2014/03/06/world/middleeast/3-persian-gulf-states-pull-ambassadors-from-qatar.html" class="pointer" target="_blank" rel="noopener"><u>withdrew their ambassadors</u></a> and froze relations with Qatar for <a href="https://www.reuters.com/article/us-gulf-summit-ambassadors-idUSKCN0J00Y420141116" class="pointer" target="_blank" rel="noopener"><u>eight months</u></a>. A second crisis occurred on June 5, 2017, when the four countries <a href="https://www.bbc.com/news/world-middle-east-40164552" class="pointer" target="_blank" rel="noopener"><u>cut off diplomatic relations</u></a> and closed their borders with Qatar. The crisis was ostensibly precipitated by a fake story planted on the state-run <em>Qatar News Agency</em> (QNA) by hackers, which misquoted Qatar&rsquo;s Emir referring to Iran as &ldquo;an Islamic power,&rdquo; and praising Hamas. 
According to US intelligence officials speaking with <em>The Washington Post</em>, senior UAE Government officials <a href="https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html" class="pointer" target="_blank" rel="noopener"><u>approved</u></a> the QNA hacking operation.</p> <p>On June 23, 2017, the four countries <a href="https://www.theguardian.com/world/2017/jun/23/close-al-jazeera-saudi-arabia-issues-qatar-with-13-demands-to-end-blockade" class="pointer" target="_blank" rel="noopener"><u>issued</u></a> a joint statement which outlined 13 demands to Qatar, including closing a Turkish military base in Qatar, scaling down ties with Iran, and shutting down <em>Al Jazeera</em> and its affiliate stations and news outlets.</p> <h4 id="al-jazeera-targeted-by-criticism-hacking-blocking-by-neighboring-countries" class="lh-solid mb3"><em>Al Jazeera</em>: targeted by criticism, hacking &amp; blocking by neighboring countries</h4> <p class="mt0"><em>Al Jazeera</em> is somewhat distinctive in the Middle East in terms of its media coverage. On many issues, it presents alternative viewpoints not available from largely state-run media outlets in the region. 
Several other attempts at building credible media channels in the GCC have been met with less success, including Prince Al-Waleed bin Talal&rsquo;s highly publicized Bahrain-based <em>Al Arab</em> channel, which was permanently shut down by local authorities on its <a href="https://www.theguardian.com/world/2015/feb/02/saudi-prince-alarab-news-channel" class="pointer" target="_blank" rel="noopener"><u>first day of operations</u></a> after airing an interview with a member of Bahrain&rsquo;s opposition Al Wefaq political society.</p> <p><em>Al Jazeera</em>&rsquo;s reporting featured prominently in the Arab Spring, where its <a href="https://www.nytimes.com/2011/01/28/world/middleeast/28jazeera.html" class="pointer" target="_blank" rel="noopener"><u>extensive, real-time coverage of protests</u></a> in Tunisia, Egypt, Yemen and Libya &ldquo;helped propel insurgent emotions from one capital to the next.&rdquo; Leaders of countries neighboring Qatar regularly express deep concerns about its coverage and in some cases have taken action to limit the availability of the channel in their countries. In 2017, both Saudi Arabia and the UAE <a href="https://money.cnn.com/2017/05/24/media/al-jazeera-blocked-saudi-arabia-uae/" class="pointer" target="_blank" rel="noopener"><u>blocked</u></a> <em>Al Jazeera&rsquo;s</em> website.</p> <p>After the fall of Egypt&rsquo;s President Mubarak in the Arab Spring, Muslim Brotherhood leader Mohammed Morsi was elected President of Egypt. This election was considered by Saudi Arabia and the UAE as a threat and a sign of the expansion of Qatar&rsquo;s regional influence because of Qatar&rsquo;s history of support for the Muslim Brotherhood. However, Morsi was deposed on July 3, 2013 by a military coup led by General Abdel Fattah el-Sisi and taken into military custody. 
One day after the coup, the military shut down a number of news stations in Egypt, including <em>Al Jazeera Mubasher Misr</em> and <em>Al Jazeera</em>&rsquo;s bureau in Egypt, and <a href="https://www.aljazeera.com/news/2013/7/4/egypts-military-shuts-down-news-channels" class="pointer" target="_blank" rel="noopener"><u>detained five of the staff</u></a>.</p> <p>Although <em>Al Jazeera</em>&rsquo;s Arabic language coverage of uprisings in neighboring Gulf countries, including Bahrain, was generally seen as <a href="https://www.washingtonpost.com/world/al-jazeera-tv-network-draws-criticism-praise-for-coverage-of-arab-revolutions/2011/05/08/AFoHWs2G_story.html" class="pointer" target="_blank" rel="noopener"><u>striking a more muted tone</u></a> than its English language coverage, the channel was still criticized. For example, Bahrain&rsquo;s Foreign Minister <a href="https://twitter.com/khalidalkhalifa/status/99281312271183872" class="pointer" target="_blank" rel="noopener"><u>famously</u></a> tweeted the following about a documentary on the channel: &ldquo;It&rsquo;s clear that in Qatar there are those who don&rsquo;t want anything good for Bahrain. And this film on <em>Al Jazeera</em> English is the best example of this inexplicable hostility.&rdquo;</p> <h2 id="the-attacks" class="lh-solid mb3"><strong>2. The Attacks</strong></h2> <p class="mt0"><em>This section describes the hacking of two reporters&rsquo; phones, Tamer Almisshal and Rania Dridi. They are among the 36 reporters and editors targeted in the attack, most of whom have requested anonymity. 
Almisshal and Dridi consented to be named in this report and for the Citizen Lab to describe their targeting in detail.</em></p> <h3 id="the-19-july-2020-attack-on-tamer-almisshal" class="lh-solid mb3"><strong>The 19 July 2020 Attack on Tamer Almisshal</strong></h3> <p class="mt0">Tamer Almisshal is a well-known investigative journalist for <em>Al Jazeera</em>&rsquo;s Arabic language channel, where he anchors the &ldquo;<span dir="rtl">&#1605;&#1575; &#1582;&#1601;&#1610; &#1571;&#1593;&#1592;&#1605;</span>&rdquo; program (translated as <em>&ldquo;this is only the tip of the iceberg&rdquo;</em> or <em>&ldquo;what is hidden is more immense&rdquo;</em>). Almisshal&rsquo;s program has reported on a wide variety of politically sensitive topics in the Middle East, including UAE, Saudi, and Bahraini Government involvement in an <a href="https://www.youtube.com/watch?v=rcyP_b435TQ" class="pointer" target="_blank" rel="noopener"><u>attempted 1996 coup</u></a> in Qatar, the Bahrain Government&rsquo;s <a href="https://www.youtube.com/watch?v=BptzscpcCBQ" class="pointer" target="_blank" rel="noopener"><u>hiring</u></a> of a former Al-Qaeda operative for an assassination program, the <a href="https://www.youtube.com/watch?v=SQBxbSYeYAI" class="pointer" target="_blank" rel="noopener"><u>Saudi killing of Jamal Khashoggi</u></a>, and ties between a powerful member of the UAE&rsquo;s Royal Family, Sheikh Mansour Bin Zayed Al-Nahyan, and UAE businessman B.R. 
Shetty&rsquo;s healthcare empire, which <a href="https://www.youtube.com/watch?v=u1ZFA45hbP4" class="pointer" target="_blank" rel="noopener"><u>collapsed in 2020</u></a> due to alleged fraud and disclosures of hidden debt.</p> <figure class="center mw-100 ba b--light-gray" style="width:1999px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image3.png" class="pointer"><img fetchpriority="high" decoding="async" class="wp-image-74697 size-full" src="https://citizenlab.ca/wp-content/uploads/2020/12/image3.png" alt="Tamer Almisshal (right) interviews an Istanbul taxi driver who was reportedly hired by two members of the team that killed Jamal Khashoggi at the Saudi Consulate in Istanbul." width="1999" height="1042" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 1"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 1:</strong> Tamer Almisshal (right) <a href="https://www.youtube.com/watch?v=snu-0lGABUI" class="pointer" target="_blank" rel="noopener"><u>interviews</u></a> an Istanbul taxi driver who was reportedly hired by two members of the team that killed Jamal Khashoggi at the Saudi Consulate in Istanbul.</figcaption></figure> <p>Almisshal was concerned that his phone might be hacked, so in January 2020, he consented to installing a VPN application for Citizen Lab researchers to monitor metadata associated with his Internet traffic.</p> <figure class="center mw-100 ba b--light-gray" style="width:2968px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/ajtimeline@4x.png" class="pointer"><img decoding="async" class="size-full wp-image-74733" src="https://citizenlab.ca/wp-content/uploads/2020/12/ajtimeline@4x.png" alt="Timeline of 19 July attack on Tamer" width="2968" height="5292" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 
2"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 2:</strong> Timeline of 19 July attack on Tamer.</figcaption></figure> <p>While reviewing his VPN logs, we noticed that on 19 July 2020, his phone visited a website that we had detected in our Internet scanning as an <em>Installation Server</em> for NSO Group&rsquo;s Pegasus spyware, which is used in the process of infecting a target with Pegasus.</p> <div class="ba b--black pa2 bg-light-gray"> <div class="f5"><strong>Time:</strong> 19 July 2020, 11:29 &ndash; 11:31 UTC</div> <div class="f5 "><strong>Domain:</strong> <em>9jp1dx8odjw1kbkt.f15fwd322.regularhours.net</em></div> <div class="f5 "><strong>IP:</strong> 178.128.163.233</div> <div class="f5 "><strong>Downloaded:</strong> 1.74MB</div> <div class="f5 "><strong>Uploaded:</strong> 211KB</div> </div> <h4 id="initial-vector-apple-servers" class="lh-solid mb3"><strong>Initial Vector: Apple Servers</strong></h4> <p class="mt0">We conclude that Almisshal&rsquo;s phone reached out to the Pegasus Installation Server due to an apparent exploit delivered through Apple&rsquo;s servers. In the 54 minutes before Almisshal&rsquo;s phone visited the Pegasus Installation Server, we observed an unusual behavior: connections to a large number of <em>iCloud Partitions</em> (<em>p*-content.icloud.com</em>). In the more than 3000 hours that we have been monitoring Almisshal&rsquo;s Internet traffic, we have only seen 258 connections to iCloud Partitions (excluding <em>p20-content.icloud.com</em>, which Almisshal&rsquo;s phone uses for iCloud backups), with 228 of these connections (~88%) occurring during a 54 minute period between 10:32 and 11:28 on 19 July.<a id="fnref1" class="footnote-ref pointer" role="doc-noteref" href="#fn1"><sup>1</sup></a> On 19 July, we saw no matching connections prior to 10:32 or after 11:28. 
The connections in question were to 18 iCloud partitions (all odd-numbered).</p> <figure class="center mw-100 ba b--light-gray" style="width:1698px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image2-1.png" class="pointer"><img decoding="async" class="size-full wp-image-74698" src="https://citizenlab.ca/wp-content/uploads/2020/12/image2-1.png" alt="Screenshot of a 19 July packet capture from Almisshal&rsquo;s phone showing DNS lookups for iCloud Partitions immediately before a lookup for a Pegasus Installation Server." width="1698" height="436" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 3"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 3:</strong> Screenshot of a 19 July packet capture from Almisshal&rsquo;s phone showing DNS lookups for iCloud Partitions immediately before a lookup for a Pegasus Installation Server.</figcaption></figure> <p>The connections to the iCloud Partitions on 19 July 2020 resulted in a net download of 2.06MB and a net upload of 1.25MB of data. Because these anomalous iCloud connections occurred&mdash;and ceased&mdash;immediately prior to Pegasus installation at 11:29 UTC, we believe they represent the initial vector by which Tamer Almisshal&rsquo;s phone was hacked. Our analysis of an infected device (<strong>Section 3</strong>) indicates that the built-in iOS <code>imagent</code> application was responsible for one of the spyware processes. The <code>imagent</code> application is a background process that appears to be associated with iMessage and FaceTime.</p> <h4 id="exfiltration" class="lh-solid mb3"><strong>Exfiltration</strong></h4> <p class="mt0">Sixteen seconds after the last connection to the Pegasus Installation Server, we observed Almisshal&rsquo;s iPhone communicate for the first time with three additional IPs over the next 16 hours. 
We never observed his phone communicating with these IPs previously, and have not observed communications since.</p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>Times (UTC)</strong></th> <th><strong>IP</strong></th> <th><strong>Uploaded</strong></th> <th><strong>Downloaded</strong></th> </tr> <tr class="odd striped--light-gray"> <td>7/19/2020 11:31 &ndash; 7/20/2020 03:09</td> <td>45.76.47.218</td> <td>133.06MB</td> <td>7.53MB</td> </tr> <tr class="even striped--light-gray"> <td>7/19/2020 11:31 &ndash; 7/20/2020 03:08</td> <td>212.147.209.236</td> <td>75.94MB</td> <td>4.30MB</td> </tr> <tr class="odd striped--light-gray"> <td>7/19/2020 11:31 &ndash; 7/20/2020 03:09</td> <td>134.122.87.198</td> <td>61.16MB</td> <td>3.32MB</td> </tr> </tbody> </table></figure> <p>Overall, we observed 270.16MB of upload, and 15.15MB of download, and each IP returned a <a href="https://censys.io/certificates/2efca506b8caa6ecafe3ddd1249de8f10ffd977c8ee2d6e30d06691551285b43" class="pointer" target="_blank" rel="noopener"><u>valid TLS certificate for</u> <em><u>bananakick.net</u></em></a>. The phone did <em>not</em> set the SNI in the HTTPS Client Hello message, nor did it perform a DNS lookup for <em>bananakick.net</em>, perhaps an effort to thwart our previously-reported <a href="https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/" class="pointer"><u>DNS Cache Probing</u></a> technique to locate infected devices, or an effort to thwart anti-Pegasus countermeasures implemented nationwide in Turkey (<strong>Section 4</strong>), another popular target of Pegasus operators. 
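The two VPN-log observations described above, the burst of lookups to odd-numbered iCloud partitions immediately before the Installation Server lookup and the SNI-less, DNS-less uploads to the three suspected C&amp;C servers, can be turned into simple log heuristics. The following Python is an added example, not Citizen Lab tooling: the log formats, timestamps and the 203.0.113.x iCloud answer addresses are constructed, while the domain and IP addresses are the ones reported above.

```python
# Added example, not Citizen Lab code: two heuristics over a constructed DNS log
# and a constructed flow log, mirroring the report's VPN-metadata observations.
import re
from collections import namedtuple
from datetime import datetime, timedelta

PARTITION_RE = re.compile(r"^p(\d+)-content\.icloud\.com$")

# Constructed DNS log: "<UTC time> <queried name> <answer>" (one answer per query).
DNS_LOG = """\
2020-07-19T10:05:10 p20-content.icloud.com 203.0.113.20
2020-07-19T10:32:01 p31-content.icloud.com 203.0.113.31
2020-07-19T10:40:17 p33-content.icloud.com 203.0.113.33
2020-07-19T10:51:44 p35-content.icloud.com 203.0.113.35
2020-07-19T11:02:09 p37-content.icloud.com 203.0.113.37
2020-07-19T11:12:30 p41-content.icloud.com 203.0.113.41
2020-07-19T11:27:58 p43-content.icloud.com 203.0.113.43
2020-07-19T11:29:03 9jp1dx8odjw1kbkt.f15fwd322.regularhours.net 178.128.163.233
2020-07-19T12:04:50 p20-content.icloud.com 203.0.113.20
"""

# Constructed flow log: "<start> <end> <dst IP> <SNI or -> <bytes up> <bytes down>".
FLOW_LOG = """\
2020-07-19T11:29:10 2020-07-19T11:31:00 178.128.163.233 9jp1dx8odjw1kbkt.f15fwd322.regularhours.net 211000 1740000
2020-07-19T11:31:16 2020-07-20T03:09:00 45.76.47.218 - 133060000 7530000
2020-07-19T11:31:16 2020-07-20T03:08:00 212.147.209.236 - 75940000 4300000
2020-07-19T11:31:16 2020-07-20T03:09:00 134.122.87.198 - 61160000 3320000
2020-07-19T12:05:00 2020-07-19T12:06:00 203.0.113.20 p20-content.icloud.com 40000 900000
"""

DnsEvent = namedtuple("DnsEvent", "ts qname answer")  # answer: resolved IP, "-" if none
Flow = namedtuple("Flow", "start end dst sni up down")  # sni: "-" if Client Hello had none


def parse_dns(text):
    events = []
    for line in text.splitlines():
        ts, qname, answer = line.split()
        events.append(DnsEvent(datetime.fromisoformat(ts), qname, answer))
    return events


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        start, end, dst, sni, up, down = line.split()
        flows.append(Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                          dst, sni, int(up), int(down)))
    return flows


def find_partition_bursts(events, window=timedelta(minutes=60), min_distinct=5,
                          ignore=("p20-content.icloud.com",), follow=timedelta(minutes=5)):
    """Slide a window over p*-content.icloud.com lookups, skipping partitions the device
    uses routinely (here its backup partition). A window holding at least min_distinct
    distinct partitions is a burst; the first non-iCloud name resolved within `follow`
    of the burst's last lookup is recorded (in the report: the Installation Server)."""
    parts = [e for e in events if PARTITION_RE.match(e.qname) and e.qname not in ignore]
    bursts, i = [], 0
    while i < len(parts):
        j = i
        while j + 1 < len(parts) and parts[j + 1].ts - parts[i].ts <= window:
            j += 1
        names = sorted({p.qname for p in parts[i:j + 1]},
                       key=lambda n: int(PARTITION_RE.match(n).group(1)))
        if len(names) >= min_distinct:
            last = parts[j].ts
            nxt = next((e.qname for e in events
                        if last < e.ts <= last + follow
                        and not e.qname.endswith(".icloud.com")), None)
            bursts.append({"start": parts[i].ts, "end": last, "partitions": names,
                           "odd_only": all(int(PARTITION_RE.match(n).group(1)) % 2 for n in names),
                           "followed_by": nxt})
            i = j + 1
        else:
            i += 1
    return bursts


def find_blind_tls_flows(flows, events, min_up_down_ratio=5.0):
    """Flows with no SNI whose destination never appeared as a DNS answer: the client
    already knew the address, so DNS cache probing would find nothing. Upload-heavy
    flows of this kind are the stronger exfiltration signal."""
    resolved = {e.answer for e in events if e.answer != "-"}
    hits = []
    for f in flows:
        if f.sni != "-" or f.dst in resolved:
            continue
        ratio = f.up / f.down if f.down else float("inf")
        if ratio >= min_up_down_ratio:
            hits.append((f.dst, f.up, f.down, round(ratio, 1)))
    return hits


if __name__ == "__main__":
    dns, flows = parse_dns(DNS_LOG), parse_flows(FLOW_LOG)
    for b in find_partition_bursts(dns):
        print(f"burst {b['start']} - {b['end']}: {len(b['partitions'])} partitions, "
              f"odd-only={b['odd_only']}, then {b['followed_by']}")
    for dst, up, down, ratio in find_blind_tls_flows(flows, dns):
        print(f"blind TLS flow to {dst}: {up} up / {down} down (x{ratio})")
```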
Because communications with these three servers commenced 16 seconds after the communications with a known Pegasus Installation Server, we suspected that these three IPs were Pegasus command and control (C&amp;C) servers.</p> <h4 id="analysis-of-device-logs" class="lh-solid mb3"><strong>Analysis of Device Logs</strong></h4> <p class="mt0">Almisshal&rsquo;s device shows what appears to be an unusual number of kernel panics (phone crashes) between January and July 2020. While some of the panics may be benign, they may also indicate earlier attempts to exploit vulnerabilities against his device.</p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>Timestamp (UTC)</strong></th> <th><strong>Process</strong></th> <th><strong>Type of Kernel Panic</strong></th> </tr> <tr class="odd striped--light-gray"> <td>2020-01-17 01:32:09</td> <td>fileproviderd</td> <td>Kernel data abort</td> </tr> <tr class="even striped--light-gray"> <td>2020-01-17 05:19:35</td> <td>mediaanalysisd</td> <td>Kernel data abort</td> </tr> <tr class="odd striped--light-gray"> <td>2020-01-31 18:04:47</td> <td>launchd</td> <td>Kernel data abort</td> </tr> <tr class="even striped--light-gray"> <td>2020-02-28 23:18:12</td> <td>locationd</td> <td>Kernel data abort</td> </tr> <tr class="odd striped--light-gray"> <td>2020-03-14 03:47:14</td> <td>com.apple.WebKit</td> <td>Kernel data abort</td> </tr> <tr class="even striped--light-gray"> <td>2020-03-29 13:23:43</td> <td>MobileMail</td> <td>kfree</td> </tr> <tr class="odd striped--light-gray"> <td>2020-06-27 02:04:09</td> <td>exchangesyncd</td> <td>Kernel data abort</td> </tr> <tr class="even striped--light-gray"> <td>2020-07-04 02:32:48</td> <td>kernel_task</td> <td>Kernel data abort</td> </tr> </tbody> </table></figure> <h3 id="a-series-of-attacks-on-rania-dridi" class="lh-solid mb3"><strong>A Series of Attacks on Rania 
Dridi</strong></h3> <p class="mt0">Rania Dridi is a journalist at London-based <em>Al Araby TV</em>, where she presents the &ldquo;<span dir="rtl">&#1588;&#1576;&#1575;&#1576;&#1610;&#1603;</span>&rdquo; newsmagazine program (translated from Arabic as <em>&ldquo;windows&rdquo;</em>), which covers a variety of current affairs topics.</p> <figure class="center mw-100 ba b--light-gray" style="width:1750px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image4-1.png" class="pointer"><img loading="lazy" decoding="async" class="size-full wp-image-74699" src="https://citizenlab.ca/wp-content/uploads/2020/12/image4-1.png" alt="Rania Dridi reporting on sexual harassment in the Arab world in an episode of &#1588;&#1576;&#1575;&#1576;&#1610;&#1603;." width="1750" height="874" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 4"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 4:</strong> Rania Dridi reporting on sexual harassment in the Arab world in an episode of &#1588;&#1576;&#1575;&#1576;&#1610;&#1603;.</figcaption></figure> <p>While reviewing device logs from Rania Dridi&rsquo;s iPhone Xs Max, we found evidence that her phone was hacked at least six times with NSO Group&rsquo;s Pegasus spyware between 26 October 2019 and 23 July 2020. Two of these instances, on 26 October and 12 July, were likely zero-day exploits, as the phone appears to have been hacked while running the latest available version of iOS. At the other times Dridi&rsquo;s phone was hacked, there was a newer version of iOS available, meaning that there is no evidence one way or the other as to whether the exploits were zero-days.</p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>Approx. 
Infection Time</strong></th> <th><strong>iOS Version</strong></th> <th><strong>Zero-Day?</strong></th> </tr> <tr class="odd striped--light-gray"> <td>10/26/2019 13:26:26</td> <td>13.1.3</td> <td><strong>Yes</strong></td> </tr> <tr class="even striped--light-gray"> <td>10/29/2019 8:49:44</td> <td>13.1.3</td> <td></td> </tr> <tr class="odd striped--light-gray"> <td>11/25/2019 8:55:41</td> <td>13.1.3</td> <td></td> </tr> <tr class="even striped--light-gray"> <td>12/9/2019 11:15:06</td> <td>13.1.3</td> <td></td> </tr> <tr class="odd striped--light-gray"> <td>7/12/2020 23:35:13</td> <td>13.5.1</td> <td><strong>Yes</strong></td> </tr> <tr class="even striped--light-gray"> <td>7/23/2020 7:14:08</td> <td>13.5.1</td> <td></td> </tr> </tbody> </table></figure> <p>On 26 October 2019, a Pegasus operator apparently successfully deployed a zero-day exploit against Dridi&rsquo;s up-to-date iPhone running iOS 13.1.3 and, on 12 July 2020, a Pegasus operator apparently successfully deployed a zero-day exploit against the same up-to-date phone, running iOS 13.5.1. 
The 12 July 2020 attack, and another attack on 23 July 2020 appear to have used the <em><strong>KISMET</strong></em> zero-click exploit.</p> <p>Network logs show that Dridi&rsquo;s phone communicated with the following four servers between 13 July 2020 and 23 July 2020 that we attributed to NSO Group operator <em><strong>SNEAKY KESTREL.</strong></em> No communications were observed between 17 July and 22 July 2020.</p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>Times (UTC)</strong></th> <th><strong>IP</strong></th> <th><strong>Uploaded</strong></th> </tr> <tr class="odd striped--light-gray"> <td>07/13/2020 09:13 &ndash; 07/23/2020 16:20</td> <td>31.171.250.241</td> <td>18.31MB</td> </tr> <tr class="even striped--light-gray"> <td>07/13/2020 09:13 &ndash; 07/23/2020 16:19</td> <td>165.22.80.68</td> <td>15.92MB</td> </tr> <tr class="odd striped--light-gray"> <td>07/13/2020 09:13 &ndash; 07/23/2020 16:12</td> <td>159.65.94.105</td> <td>12.42MB</td> </tr> <tr class="even striped--light-gray"> <td>07/13/2020 09:13 &ndash; 07/23/2020 16:09</td> <td>95.179.220.244</td> <td>8.43MB</td> </tr> </tbody> </table></figure> <p>We suspect that the attacks on Dridi&rsquo;s phone in October, November, and December 2019 also used a zero-click exploit, because we saw an NSO Group zero-click exploit deployed against another iPhone target during this timeframe, and because we found no evidence of telltale SMS or WhatsApp messages containing Pegasus spyware links on her phone. Network logs were unavailable for these periods.</p> <h3 id="other-infections-at-al-jazeera" class="lh-solid mb3">4. 
Other Infections at <em>Al Jazeera</em></h3> <p class="mt0">Working with <em>Al Jazeera</em>&rsquo;s IT team, we identified a total of 36 personal phones inside <em>Al Jazeera</em> that were hacked by four distinct clusters of servers which could be attributable to up to four NSO Group operators. An operator that we call <em><strong>MONARCHY</strong></em> spied on 18 phones, and an operator that we call <em><strong>SNEAKY KESTREL</strong></em> spied on 15 phones, including one of the same phones that <em><strong>MONARCHY</strong></em> spied on. Two other operators, <em><strong>CENTER-1</strong></em> and <em><strong>CENTER-2</strong></em>, spied on 1 and 3 phones, respectively.</p> <p>We conclude with medium confidence that <em><strong>SNEAKY KESTREL</strong></em> acts on behalf of the UAE Government, because this operator appears to target individuals primarily inside the UAE, and because one target hacked by <em><strong>SNEAKY KESTREL</strong></em> previously received Pegasus links via SMS that point to the same domain name used in the <a href="https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" class="pointer"><u>attacks</u></a> on UAE activist Ahmed Mansoor.<a id="fnref2" class="footnote-ref pointer" role="doc-noteref" href="#fn2"><sup>2</sup></a></p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>IPs</strong></th> <th><strong>CN in TLS Certificate</strong></th> </tr> <tr class="odd striped--light-gray"> <td>134.209.23.19</td> <td><em>*.img565vv6.holdmydoor.com</em></td> </tr> <tr class="even striped--light-gray"> <td>31.171.250.241 <p>165.22.80.68</p> <p>95.179.220.244</p> <p>159.65.94.105</p></td> <td><em>*.crashparadox.net</em></td> </tr> </tbody> </table><figcaption class="figcaption pa2 bt b--gray bw2 bg-light-gray"><p class="ma0"><strong>Table 1:</strong> Servers used by SNEAKY 
KESTREL in <em>Al Jazeera</em> spying.</p></figcaption></figure> <p>We conclude with medium confidence that <em><strong>MONARCHY</strong></em> acts on behalf of the Saudi Government because the operator appears to target individuals primarily inside Saudi Arabia, and because we observed this operator hack a Saudi Arabian activist who was previously targeted by <em><strong>KINGDOM</strong></em>.<a id="fnref3" class="footnote-ref pointer" role="doc-noteref" href="#fn3"><sup>3</sup></a></p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>IPs</strong></th> <th><strong>CN in TLS Certificate</strong></th> </tr> <tr class="odd striped--light-gray"> <td>178.128.163.233</td> <td><em>*.f15fwd322.regularhours.net</em></td> </tr> <tr class="even striped--light-gray"> <td>45.76.47.218 <p>134.122.87.198</p> <p>212.147.209.236</p></td> <td><em>bananakick.net</em></td> </tr> </tbody> </table><figcaption class="figcaption pa2 bt b--gray bw2 bg-light-gray"><p class="ma0"><strong>Table 2:</strong> Servers used by MONARCHY in <em>Al Jazeera</em> spying.</p></figcaption></figure> <p>We considered but view as less likely the hypothesis that <em><strong>MONARCHY</strong></em> and <em><strong>SNEAKY KESTREL</strong></em> are <em>both</em> linked to the UAE. The UAE Government has been <a href="https://www.reuters.com/investigates/special-report/usa-raven-whitehouse/" class="pointer" target="_blank" rel="noopener"><u>known to target</u></a> Saudi activists, and both <em><strong>MONARCHY</strong></em> and <em><strong>SNEAKY KESTREL</strong></em> have been observed operating in concert in two cases: the case of <em>Al Jazeera</em>, and a case in Turkey, where the Turkish Computer Emergency Response Team apparently caught both operators at around the same time (<strong>Section 4</strong>). 
However, we are aware of only one phone that was targeted by both operators, and we are not aware of any infrastructure overlap between the two operators. Additionally, each operator appears to target primarily in a different country, <em><strong>MONARCHY</strong></em> in Saudi Arabia and <em><strong>SNEAKY KESTREL</strong></em> in the UAE. Both Saudi Arabia and the UAE are reported to be Pegasus customers.</p> <p>We are not able to determine the identity of <em><strong>CENTER-1</strong></em> and <em><strong>CENTER-2</strong></em>, though both appear to target mainly in the Middle East.</p> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>IPs</strong></th> <th><strong>CN in TLS Certificate</strong></th> </tr> <tr class="odd striped--light-gray"> <td>80.211.37.240 <p>161.35.38.8</p></td> <td><em>stilloak.net</em></td> </tr> </tbody> </table><figcaption class="figcaption pa2 bt b--gray bw2 bg-light-gray"><p class="ma0"><strong>Table 3:</strong> Servers used by <em><strong>CENTER-1</strong></em> in <em>Al Jazeera</em> spying.</p></figcaption></figure> <figure class="center mw-100 table-overflow" style="min-width: 50%"><table border="0" cellspacing="0" class="ba b--light-gray"> <tbody> <tr class="header striped--light-gray"> <th><strong>IPs</strong></th> <th><strong>CN in TLS Certificate</strong></th> </tr> <tr class="odd striped--light-gray"> <td>209.250.230.12 <p>80.211.35.111</p> <p>89.40.115.27</p> <p>134.122.68.221</p></td> <td><em>flowersarrows.com</em></td> </tr> </tbody> </table><figcaption class="figcaption pa2 bt b--gray bw2 bg-light-gray"><p class="ma0"><strong>Table 4: </strong>Servers used by <em><strong>CENTER-2</strong></em> in <em>Al Jazeera</em> spying.</p></figcaption></figure> <p>We did not observe infection attempts for <em><strong>CENTER-1</strong></em> and <em><strong>CENTER-2</strong></em>, so we are unsure 
which Pegasus Installation Servers were used.</p> <p>The infrastructure used in these attacks included servers located in Germany, France, UK, and Italy using cloud hosting providers Aruba, Choopa, CloudSigma, and DigitalOcean.</p> <h2 id="analysis-of-device-logs-from-a-live-pegasus-infection" class="lh-solid mb3"><strong>3. Analysis of Device Logs from a Live Pegasus Infection</strong></h2> <p class="mt0">We obtained logs from an iPhone 11 device inside <em>Al Jazeera</em> networks while it was infected. Our analysis indicates that the current Pegasus implant has a number of capabilities including: recording audio from the microphone including both ambient &ldquo;hot mic&rdquo; recording and audio of encrypted phone calls, and taking pictures. In addition, we believe the implant can track device location, and access passwords and stored credentials.</p> <figure class="center mw-100 ba b--light-gray" style="width:2968px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/ajcapabilities@4x.png" class="pointer"><img loading="lazy" decoding="async" class="size-full wp-image-74742" src="https://citizenlab.ca/wp-content/uploads/2020/12/ajcapabilities@4x.png" alt="Some Pegasus implant capabilities observed on an infected device." 
width="2968" height="2376" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 5"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 5:</strong> Some Pegasus implant capabilities observed on an infected device.</figcaption></figure> <p>The phone logs showed a process <code>launchafd</code> on the phone that was communicating with the four <em>*.crashparadox.net</em> IP addresses in <strong>Table 1</strong>, which we linked to <em><strong>SNEAKY KESTREL</strong></em>.</p> <p>The <code>launchafd</code> process was located in flash memory in the <code>com.apple.xpc.roleaccountd.staging</code> folder:</p> <div class="bg-washed-yellow ba b--gray pa2"><code>/private/var/db/com.apple.xpc.roleaccountd.staging/launchafd</code></div> <p>This folder appears to be used for iOS updates, and we suspect that it may not survive iOS updates. It appeared that additional components of the spyware on this device were stored in a folder with a randomly generated name in <code>/private/var/tmp/</code>. The contents of the <code>/private/var/tmp/</code> folder do not persist when the device is rebooted. The parent process of <code>launchafd</code> was listed as <code>rs</code>, and was located in flash memory at:</p> <div class="bg-washed-yellow ba b--gray pa2"><code>/private/var/db/com.apple.xpc.roleaccountd.staging/rs</code></div> <p>The <code>imagent</code> process (part of a built-in Apple app handling iMessage and FaceTime) was listed as the responsible process for <code>rs</code>, indicating possible exploitation involving iMessage or FaceTime. 
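The process-tree indicators in this section (binaries staged under the roleaccountd staging folder or /private/var/tmp, root execution outside system paths, and a parent or responsible-process chain leading back to imagent) are the kind of check a responder can run over a full process listing. The following Python script is an added example, not Citizen Lab's tooling: it walks a constructed listing built from the process names and paths the report cites (launchafd, rs, natgd, passd, imagent); the PIDs, the users of non-spyware processes, the paths of the built-in binaries and rs having launchd as its parent are all assumptions.

```python
"""Triage of an iOS process listing for the traits the report associates with
the Pegasus implant: binaries staged under the roleaccountd staging folder or
/private/var/tmp, root execution outside system paths, and a parent or
responsible-process chain that leads back to imagent. Example code added to
this page, not Citizen Lab's tooling; the listing is constructed from the
process names and paths the report cites, with PIDs, users and the paths of
the built-in processes assumed."""
from dataclasses import dataclass
from typing import Dict, List

STAGING_PREFIXES = (
    "/private/var/db/com.apple.xpc.roleaccountd.staging/",
    "/private/var/tmp/",
)
SYSTEM_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")
EXPLOIT_SURFACES = {"imagent"}   # iMessage/FaceTime daemon named in the report


@dataclass
class Proc:
    pid: int
    ppid: int           # parent process id
    responsible: int    # responsible process id as reported by the OS
    name: str
    user: str
    path: str


# Constructed listing. Spyware names/paths are from the report; everything else
# (PIDs, users, built-in binary paths, rs having launchd as parent) is assumed.
SAMPLE_PROCS: List[Proc] = [
    Proc(1, 0, 1, "launchd", "root", "/sbin/launchd"),
    Proc(100, 1, 100, "SpringBoard", "mobile", "/System/Library/CoreServices/SpringBoard.app/SpringBoard"),
    Proc(200, 1, 200, "imagent", "mobile", "/System/Library/PrivateFrameworks/IMCore.framework/imagent"),
    Proc(310, 1, 200, "rs", "root", "/private/var/db/com.apple.xpc.roleaccountd.staging/rs"),
    Proc(320, 310, 310, "launchafd", "root", "/private/var/db/com.apple.xpc.roleaccountd.staging/launchafd"),
    Proc(321, 310, 310, "natgd", "root", "/private/var/db/com.apple.xpc.roleaccountd.staging/natgd"),
    Proc(330, 310, 310, "passd", "mobile", "/usr/libexec/passd"),
]


def lineage(procs: List[Proc], pid: int) -> List[str]:
    """Names of every ancestor reachable through parent or responsible-process links."""
    by_pid = {p.pid: p for p in procs}
    seen, stack, names = set(), [pid], []
    while stack:
        cur = stack.pop()
        p = by_pid.get(cur)
        if p is None or cur in seen:
            continue
        seen.add(cur)
        if cur != pid:
            names.append(p.name)
        for nxt in (p.ppid, p.responsible):
            if nxt and nxt not in seen:
                stack.append(nxt)
    return names


def flag_processes(procs: List[Proc]) -> Dict[str, List[str]]:
    """Map each suspicious process name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for p in procs:
        reasons = []
        if p.path.startswith(STAGING_PREFIXES):
            reasons.append(f"executable staged in {p.path.rsplit('/', 1)[0]}")
        if p.user == "root" and not p.path.startswith(SYSTEM_PREFIXES):
            reasons.append("runs as root outside system paths")
        hit = EXPLOIT_SURFACES.intersection(lineage(procs, p.pid))
        if hit:
            reasons.append(f"parent/responsible chain reaches {', '.join(sorted(hit))}")
        if reasons:
            flagged[p.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_processes(SAMPLE_PROCS).items():
        print(f"{name}: " + "; ".join(reasons))
```

Following the responsible-process link as well as the parent link is what catches a built-in binary such as passd: its path and user look normal, and only its ancestry (rs, and through rs's responsible process, imagent) marks it as spawned by the implant.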
The same <code>rs</code> process was also listed as parent of <code>passd</code>, a built-in Apple app that interfaces with the keychain, as well as <code>natgd</code>, another component of the spyware, which was located in flash memory at:</p> <div class="bg-washed-yellow ba b--gray pa2"><code>/private/var/db/com.apple.xpc.roleaccountd.staging/natgd</code></div> <p>All three processes were running as <code>root</code>. We were unable to retrieve these binaries from flash memory, as we did not have access to a jailbreak for iPhone 11 running iOS 13.5.1.</p> <p>The phone&rsquo;s logs show evidence that the spyware was accessing a variety of frameworks on the phone, including the <em>Celestial.framework</em> and <em>MediaExperience.framework</em> which could be used to record audio data and camera, as well as the <em>LocationSupport.framework</em> and <em>CoreLocation.framework</em> to track the user&rsquo;s location.</p> <h3 id="sharing-findings" class="lh-solid mb3"><strong>Sharing Findings</strong></h3> <p class="mt0">We have shared our findings and technical indicators with Apple Inc. which confirms that it is investigating the issue.</p> <h2 id="turkish-cert-vs.-nso-group" class="lh-solid mb3"><strong>4. Turkish CERT vs. NSO Group</strong></h2> <p class="mt0">In late 2019, Turkey&rsquo;s Government-run Computer Emergency Response Team (USOM) appears to have observed Pegasus attacks involving both <em><strong>MONARCHY</strong></em> and <em><strong>SNEAKY KESTREL</strong></em>, and sinkholed some domain names used by these operators on a national level.</p> <p>USOM publishes a &ldquo;list of malicious links&rdquo; (&ldquo;zararl&#305; ba&#287;lant&#305;lar&rdquo;) <a href="https://www.usom.gov.tr/zararli-baglantilar/1.html" class="pointer" target="_blank" rel="noopener"><u>available on their website</u></a>. The list of indicators includes domain names, URLs, as well as IP addresses. 
Turkish ISPs generally redirect their subscribers who try to access indicators on this list to a USOM sinkhole IP address (<strong>88.255.216.16</strong>).</p> <figure class="center mw-100 ba b--light-gray" style="width:840px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image5.png" class="pointer"><img loading="lazy" decoding="async" class="size-full wp-image-74702" src="https://citizenlab.ca/wp-content/uploads/2020/12/image5.png" alt="A Sandvine PacketLogic device on Turk Telekom&rsquo;s network injects an HTTP redirect to USOM&rsquo;s sinkhole in response to a request directed at a Pegasus C&amp;C server." width="840" height="74" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 6"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 6:</strong> A Sandvine PacketLogic device on Turk Telekom&rsquo;s network injects an HTTP redirect to USOM&rsquo;s sinkhole in response to a request directed at a Pegasus C&amp;C server.</figcaption></figure> <p>Each ISP appears to implement this sinkholing using the same technique they use to implement website censorship. 
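Distinguishing the two sinkholing mechanisms described here (DNS answers rewritten to the sinkhole address versus an injected HTTP redirect to it) matters when deciding whether a domain seen in device traffic has already been caught by a national CERT. The following Python script is an added example, not Citizen Lab's tooling: it classifies constructed DNS answers and HTTP responses against the USOM sinkhole address given above; the PUBLISHED set is a stand-in for the USOM list (seeded with two domains the report says appear on it), and the unlisted domain and documentation-range IPs are placeholders.

```python
"""Classify how a domain seen in device traffic is being interfered with by a
national sinkhole, using the two mechanisms the report documents: DNS
tampering that answers with the sinkhole IP, and an injected HTTP redirect to
it. Example code added to this page, not Citizen Lab's tooling; the DNS answers
and HTTP responses are constructed to mirror Figures 6 and 7, and PUBLISHED is
a stand-in for the USOM list, not a copy of it."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

USOM_SINKHOLE = "88.255.216.16"   # sinkhole address named in the report

# Two domains the report says appear on the USOM list.
PUBLISHED = {"regularhours.net", "holdmydoor.com"}

# Constructed observations: (domain, DNS answer IPs, raw HTTP response or None).
OBSERVATIONS: List[Tuple[str, List[str], Optional[str]]] = [
    ("holdmydoor.com", ["88.255.216.16"], None),                        # DNS tampering
    ("regularhours.net", ["198.51.100.20"],
     "HTTP/1.1 302 Found\r\nLocation: http://88.255.216.16/\r\nContent-Length: 0\r\n\r\n"),  # injected redirect
    ("unlisted-domain.example", ["88.255.216.16"], None),               # sinkholed but never published
    ("example.com", ["203.0.113.5"], "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


def redirect_target(http_response: str) -> Optional[str]:
    """Host in the Location header when the response is a 3xx redirect, else None."""
    head = http_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None


def classify(domain, dns_answers, http_response, published, sinkhole=USOM_SINKHOLE) -> Dict[str, object]:
    """Return the interference method ('dns', 'http-redirect' or 'none') and list membership."""
    if sinkhole in dns_answers:
        method = "dns"
    elif http_response is not None and redirect_target(http_response) == sinkhole:
        method = "http-redirect"
    else:
        method = "none"
    return {"method": method, "published": domain in published}


def survey(observations, published) -> Dict[str, Dict[str, object]]:
    """Classify every observed domain."""
    return {d: classify(d, dns, http, published) for d, dns, http in observations}


def unpublished_sinkholed(results) -> List[str]:
    """Domains the sinkhole intercepts although they are absent from the published
    list: a sign the CERT holds indicators it has not released (the Figure 7 case)."""
    return sorted(d for d, r in results.items() if r["method"] != "none" and not r["published"])


if __name__ == "__main__":
    results = survey(OBSERVATIONS, PUBLISHED)
    for domain, r in results.items():
        print(f"{domain}: {r['method']} (published: {r['published']})")
    print("sinkholed but unpublished:", unpublished_sinkholed(results))
```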
For example, Turk Telekom appears to use their <a href="https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" class="pointer"><u>Sandvine PacketLogic devices</u></a> to inject HTTP redirects for elements on the USOM list, whereas Vodafone Turkey appears to use its DNS tampering system, returning the USOM IP in response to any request for a domain name on the list.</p> <figure class="center mw-100 ba b--light-gray" style="width:1072px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image7.png" class="pointer"><img loading="lazy" decoding="async" class="size-full wp-image-74703" src="https://citizenlab.ca/wp-content/uploads/2020/12/image7.png" alt="A Vodafone Turkey DNS server responds to our lookup for an unpublished MONARCHY Pegasus C&amp;C domain name with USOM&rsquo;s sinkhole IP address." width="1072" height="234" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 7"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 7:</strong> A Vodafone Turkey DNS server responds to our lookup for an unpublished <em><strong>MONARCHY</strong></em> Pegasus C&amp;C domain name with USOM&rsquo;s sinkhole IP address.</figcaption></figure> <p>It is clear that USOM has a particular interest in Pegasus, as all Pegasus domain names published in <a href="https://www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/" class="pointer" target="_blank" rel="noopener"><u>three</u></a> <a href="https://www.amnesty.org/en/latest/research/2019/10/morocco-human-rights-defenders-targeted-with-nso-groups-spyware/" class="pointer" target="_blank" rel="noopener"><u>Amnesty</u></a> <a href="https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/" class="pointer" target="_blank" 
rel="noopener"><u>reports</u></a> about Pegasus were added to the USOM list after Amnesty&rsquo;s publication.<a id="fnref4" class="footnote-ref pointer" role="doc-noteref" href="#fn4"><sup>4</sup></a></p> <h3 id="turkish-cert-sinkholes-pegasus-domains" class="lh-solid mb3"><strong>Turkish CERT Sinkholes Pegasus Domains</strong></h3> <p class="mt0">On 5 November 2019, USOM added the following NSO Group Pegasus domain names and IP addresses to their list of malicious links. We attribute these domains and IPs to <em><strong>MONARCHY</strong></em> and <em><strong>SNEAKY KESTREL</strong></em>. These indicators were not previously published in any other location that we can identify, and the USOM list indicates that the source of the domains and IPs was one of Turkey&rsquo;s SOMEs (institutional computer emergency response teams (CERTs) for government agencies and industries).</p> <figure class="center mw-100 ba b--light-gray" style="width:1830px;"><div class="tc pa2 bg-white"><a href="https://citizenlab.ca/wp-content/uploads/2020/12/image1-1.png" class="pointer"><img loading="lazy" decoding="async" class="size-full wp-image-74704" src="https://citizenlab.ca/wp-content/uploads/2020/12/image1-1.png" alt="Pegasus domain names and IP addresses on USOM&rsquo;s list of malicious links." width="1830" height="702" title="The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage &#039;Zero-Click&#039; Exploit 8"></a></div><figcaption class="f5-ns f6 black-70 pa2 bg-light-gray"><strong>Figure 8:</strong> Pegasus domain names and IP addresses on USOM&rsquo;s list of malicious links.</figcaption></figure> <p>We suspect that USOM&rsquo;s information about the Pegasus infrastructure came from observing specific infections, as opposed to a broader compromise of NSO Group, or a broader effort to fingerprint NSO Group traffic within Turkey. 
Several other operators that appeared to be spying inside Turkey with Pegasus at the time did not have their infrastructure sinkholed.</p> <p>We are not aware which individuals were targeted in the attacks observed by the Turkish Government that triggered the sinkholing. However, a 2019 <a href="https://www.reuters.com/investigates/special-report/usa-spying-karma/" class="pointer" target="_blank" rel="noopener"><em><u>Reuters</u></em> <u>report</u></a> mentions that, in 2016 and 2017, the UAE used the &ldquo;Karma&rdquo; exploit to hack hundreds of individuals around the world, including the Turkish Deputy Prime Minister.<a id="fnref5" class="footnote-ref pointer" role="doc-noteref" href="#fn5"><sup>5</sup></a></p> <p>One of the IP addresses added to the USOM list on 5 November 2019 appears to have been abandoned by NSO Group on 28 October 2019, suggesting that at least some of the attacks observed by Turkey occurred prior to 28 October. Interestingly, despite the fact that <em>regularhours.net</em> and <em>holdmydoor.com</em> appeared on a Turkish CERT list in November 2019, we observed <em><strong>MONARCHY</strong></em> and <em><strong>SNEAKY KESTREL</strong></em> continue to use these domain names in attacks through August 2020.</p> <h2 id="discussion-the-spyware-industry-is-going-dark" class="lh-solid mb3"><strong>5. Discussion: The Spyware Industry is Going Dark</strong></h2> <p class="mt0">When authoritarian governments are enabled by commercial spyware companies like NSO Group, and emboldened by the belief that they are acting in secret, they target critical voices like journalists. Unfortunately, it is increasingly difficult to track such cases.</p> <p>The spyware industry does business in secret, and major spyware sellers invest heavily in fighting regulation and avoiding legal accountability. Yet, certain industry realities and technical limitations have historically made it possible to track infections. 
For example, for many years all but the most sophisticated commercially available spyware required some user interaction, such as opening a document or clicking a link, to infect a device.</p> <p>The deception involved in tricking a target into becoming a victim left traces even after successful infections. These traces&mdash;especially messages used to seed spyware&mdash;have been an invaluable source of evidence for investigators. Over the years, by gathering and examining the ruses used to deliver spyware, often aided by victims themselves, it has been possible to identify hundreds of victims.</p> <p>The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance. Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators.</p> <p>While it is still possible to identify zero-click attacks&mdash;as we have done here&mdash;the technical effort required to identify cases markedly increases, as does the logistical complexity of investigations. As techniques grow more sophisticated, spyware developers are better able to obfuscate their activities, operate unimpeded in the global surveillance marketplace, and thus facilitate the continued abuse of human rights while evading public accountability.</p> <h3 id="journalists-increasingly-targeted-with-spyware" class="lh-solid mb3">Journalists Increasingly Targeted With Spyware</h3> <p class="mt0">Counting the 36 cases revealed in this report, there are now at least fifty publicly known cases of journalists and others in media targeted with NSO spyware, with attacks observed as recently as August 2020. 
We have previously <a href="https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/" class="pointer"><u>identified</u></a> over a dozen journalists and civic media targeted with NSO Group&rsquo;s spyware. Amnesty International has identified still more <a href="https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/" class="pointer" target="_blank" rel="noopener"><u>targeting</u></a>, as recently as January 2020.</p> <p>The <em>Al Jazeera</em> attacks are part of an accelerating trend of espionage against journalists and news organizations. The Citizen Lab has documented digital attacks against journalists by threat actors from <a href="https://www.theglobeandmail.com/technology/foreign-journalists-in-china-target-of-computer-attack/article1202851/" class="pointer" target="_blank" rel="noopener"><u>China</u></a>, <a href="https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/" class="pointer"><u>Russia</u></a>, <a href="https://citizenlab.ca/2014/02/hacking-team-targeting-ethiopian-journalists/" class="pointer"><u>Ethiopia</u></a>, <a href="https://citizenlab.ca/2019/03/nso-spyware-slain-journalists-wife/" class="pointer"><u>Mexico</u></a>, the <a href="https://citizenlab.ca/2016/05/stealth-falcon/" class="pointer"><u>UAE</u></a>, and <a href="https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/" class="pointer"><u>Saudi Arabia</u></a>, among others. Other research groups have documented similar trends, which appear to be <a href="https://www.theguardian.com/media/2020/may/28/how-the-free-press-worldwide-is-under-threat" class="pointer" target="_blank" rel="noopener"><u>worsening</u></a> with the COVID-19 pandemic. 
Often these attacks parallel <a href="https://cpj.org/reports/2019/09/10-most-censored-eritrea-north-korea-turkmenistan-journalist/" class="pointer" target="_blank" rel="noopener"><u>more traditional</u></a> forms of media control, and in some cases physical violence.</p> <p>The increased targeting of the media is especially concerning given the <a href="https://www.tandfonline.com/doi/full/10.1080/21670811.2020.1777882" class="pointer" target="_blank" rel="noopener"><u>fragmented and often ad-hoc security practices and cultures</u></a> among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms. These concerns are likely particularly acute for independent journalists in authoritarian states who, despite the fact that they play a crucial role in reporting information to the public, may be forced to work in dangerous conditions with even fewer security tools at their disposal than their peers in large news organizations.</p> <h4 id="progress-but-new-perils" class="lh-solid mb3">Progress, But New Perils</h4> <p class="mt0">Journalist security has attracted <a href="https://cltc.berkeley.edu/journosec-guides" class="pointer" target="_blank" rel="noopener"><u>recent</u></a> <a href="https://www.tandfonline.com/doi/full/10.1080/21670811.2020.1777882" class="pointer" target="_blank" rel="noopener"><u>research interest,</u></a> grantmaking, and practice innovation. Progress is showing in many areas. However, the zero-click techniques used against <em>Al Jazeera</em> staff were sophisticated, difficult to detect, and largely focused on the personal devices of reporters. 
Security awareness and policies are essential, but without substantial investment in security, network analysis, regular security audits and collaboration with researchers like the Citizen Lab these cases would not have been detected.</p> <p>Journalists and media outlets should not be forced to confront this situation on their own. Investments in journalist security and education must be accompanied by efforts to regulate the sale, transfer, and use of surveillance technology. As the anti-detection features of spyware become more sophisticated, the need for effective regulatory and oversight frameworks becomes increasingly urgent. The abuse of NSO Group&rsquo;s zero-click iMessage attack to target journalists reinforces the need for a global moratorium on the sale and transfer of surveillance technology, as <a href="https://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/SR2019ReportToHRC.aspx" class="pointer" target="_blank" rel="noopener"><u>called for by the U.N. Special Rapporteur</u></a> on the promotion and protection of the right to freedom of opinion and expression, <em>&ldquo;until rigorous human rights safeguards are put in place to regulate such practices and guarantee that governments and non-State actors use the tools in legitimate ways</em>.&rdquo;</p> <p>These safeguards should include strengthening and expanding regional and international export controls, enacting national legislation that constrains invasive new surveillance technology such as zero-click spyware, and the expansion of mandatory due diligence requirements for spyware developers and brokers.</p> <div class="ba b--black pa3 bg-light-gray"> <h2 id="update-your-ios-device-immediately" class="lh-solid mb3">Update your iOS Device Immediately</h2> <p class="mt0">We have seen no evidence that the <em><strong>KISMET</strong></em> exploit still functions on iOS 14 and above, although we are basing our observations on a finite sample of observed devices. 
Apple made many new security improvements with iOS 14 and we suspect that these changes blocked the exploit. Although we believe that NSO Group is constantly working to develop new vectors of infection, <strong>if you own an Apple iOS device you should immediately update to iOS 14.</strong> <a href="https://support.apple.com/en-us/HT204204" class="pointer" target="_blank" rel="noopener"><u>Click here for instructions</u></a>.</p> </div> <h2 id="acknowledgements" class="lh-solid mb3"><strong>Acknowledgements</strong></h2> <p class="mt0">Bill Marczak&rsquo;s work on this report was supported, in part, by the International Computer Science Institute and the Center for Long-Term Cyber Security at the University of California, Berkeley.</p> <p>The authors would like to thank Bahr Abdul Razzak for review and assistance. Special thanks to several other reviewers who wish to remain anonymous as well as TNG.&nbsp; Thanks to Mari Zhou for design and layout assistance.</p> <p>Financial support for this research has been provided by the John D. and Catherine T. 
MacArthur Foundation, the Ford Foundation, the Hewlett Foundation, Open Societies Foundation, the Oak Foundation, and Sigrid Rausing Trust.</p> <p>Thanks to Al Jazeera and Tamer Almisshal for their investigative work on this project. Thanks to Al Araby and Rania Dridi.</p> <p>Thanks to Team Cymru for providing access to their <em>Pure Signal</em> data.</p> <section class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn1" role="doc-endnote" class="mt2">This analysis excludes connections to <em>p20-content.icloud.com</em>, which Almisshal&rsquo;s phone uses for iCloud backups.<a class="footnote-back pointer" role="doc-backlink" href="#fnref1">&#8617;&#65038;</a></li> <li id="fn2" role="doc-endnote" class="mt2">The target wishes to remain anonymous.<a class="footnote-back pointer" role="doc-backlink" href="#fnref2">&#8617;&#65038;</a></li> <li id="fn3" role="doc-endnote" class="mt2">The target wishes to remain anonymous. The MONARCHY and KINGDOM operators may be the same operator, though we give them different names because we do not see any overlap in indicators of compromise.<a class="footnote-back pointer" role="doc-backlink" href="#fnref3">&#8617;&#65038;</a></li> <li id="fn4" role="doc-endnote" class="mt2">No domains drawn from the Citizen Lab&rsquo;s reporting on NSO Group appear on the list.<a class="footnote-back pointer" role="doc-backlink" href="#fnref4">&#8617;&#65038;</a></li> <li id="fn5" role="doc-endnote" class="mt2">The positions of Prime Minister and Deputy Prime Minister were abolished in 2018.<a class="footnote-back pointer" role="doc-backlink" href="#fnref5">&#8617;&#65038;</a></li> </ol> </section> </section> </article> </section> </main> </div> </body> </html>
