Researchers from Canada-based Citizen Lab revealed that Pegasus spyware, developed by an Israeli tech company called NSO Group, compromised the iPhones of dozens of journalists. Once inside the device, the hackers could access the camera and listen to audio. They could also track the device’s location and scrape passwords.
Zero-Day, Zero-Click iMessage Exploit
Government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones, said Citizen Lab researchers in a report that came out on Sunday. The phones belong to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.
Citizen Lab reveals that the hackers used a zero-day, zero-click exploit in iMessage. "Zero-day" means that, at the time of the attacks, the vendor (in this case Apple) was unaware that the vulnerability existed, so no fix was available. "Zero-click" means the malware could be deployed without the victim taking any action, such as tapping a link or opening a message.
The exploit is similar to the one that affected WhatsApp in 2019, which infected approximately 1,400 phones with malware. Facebook is currently taking legal action against NSO Group over that incident. Also in 2019, Reuters reported that a team of intelligence operatives working for the UAE used a zero-click iMessage exploit to monitor hundreds of targets.
Pegasus Spyware Has a Number of Capabilities
Citizen Lab’s analysis indicates that Pegasus has a wide range of capabilities. It can exfiltrate stored photos, take new pictures with the camera, and record audio. The spyware can also track the device’s location and harvest passwords and credentials.
The researchers explained that the techniques employed were “sophisticated” and therefore “difficult to detect”. Most targets were completely unaware of anything suspicious going on. According to Citizen Lab, the Al Jazeera attacks are part of “an accelerating trend of espionage against journalists and news organizations”. Other research groups have documented similar trends.
“The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available”, Citizen Lab said.
Likely Linked to Saudi Arabia and UAE
The investigation began when a well-known Al Jazeera investigative journalist contacted Citizen Lab. He had started receiving death threats on a phone he used to call ministries and contacts across the Middle East, and was concerned that the phone had been hacked.
In January 2020, the journalist consented to installing a VPN application on his phone, and over the following six months the researchers tracked the spyware’s activity. They soon discovered that at least 35 other Al Jazeera staffers had also been hacked.
The researchers attributed most of the attacks – with medium confidence – to threat actors from Saudi Arabia and the United Arab Emirates. Some of the attacks could not be attributed to a specific government. The infrastructure used in the attacks included servers in Germany, France, the UK, and Italy, hosted by the cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.
Nearly All iPhones Prior to iOS 14 Vulnerable
According to the report, the exploit no longer works on iOS 14 or later because of stronger security features. However, devices still running iOS 13.5.1 or earlier may remain infected. Citizen Lab suspects that the infections it observed are only a fraction of the total number of cases involving this exploit.
Citizen Lab has shared its findings with Apple. The company confirmed that it is looking into the issue and that the vulnerabilities used to target the reporters were fixed in iOS 14, which was released in September.
NSO Group has repeatedly stated that it “create[s] technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe”. The company claims it does not know how its government clients use its hacking tools or whom they target, and says it does not monitor how clients use the software it develops.