Citizen Lab researchers claim the spyware was delivered silently through iMessage.
According to the latest report from Citizen Lab, around 36 Al Jazeera journalists had their iPhones infected with the Pegasus spyware. Researchers claim that the spyware was developed by the Israeli NSO Group.
The iPhones were secretly infected with the malware by exploiting a vulnerability in Apple iOS. The attackers installed malware on the journalists’ iOS devices, which exposed their phones to snooping.
Most of the targeted journalists were based in Qatar and Doha. Tamer Almisshal, an investigative journalist for Al Jazeera’s Arabic-language channel, was the first to detect the infection on his iPhone.
Citizen Lab researcher Bill Marczak explained that the infected devices showed unusual communications with Apple servers, and that the spy tools exploited the imagent background process in iOS. imagent’s primary function is to manage push notifications for iMessage and FaceTime.
The NSO Group is a spy tech vendor currently facing a lawsuit filed by Facebook over the cyberattacks it carried out against 1,400 WhatsApp users back in 2019.
Citizen Lab researchers suspect that the attacks were carried out via spies based in the UAE and Saudi Arabia using NSO malware. The Pegasus operators included a MONARCHY operator from Saudi Arabia and a SNEAKY KESTREL operator from the UAE.
After the malware was installed, the attackers could record audio from the device’s microphone and extract the audio of encrypted conversations. Moreover, it could capture photos, track the location of the device, and access passwords.
According to the report, government operatives used the Pegasus spyware to hack journalists’ phones between July and August 2020. Their targets didn’t only include journalists but also producers, executives, and anchors at Al Jazeera. A London-based journalist associated with Al Araby TV, Rania Dridi, was also hacked.
The phones were compromised using the KISMET exploit chain, which involves an invisible “zero-click exploit in iMessage.” In July 2020, KISMET was a zero-day against iOS 13.5.1 and could also compromise the iPhone 11; there is no evidence that it works against iOS 14, which includes advanced security protections.
An analysis of the phone logs revealed that NSO Group customers also deployed KISMET, or another zero-click zero-day, between October and December 2019.
Furthermore, the cloud providers CloudSign, Aruba, Choopa, and Digital Ocean were used in these attacks, which were launched via servers in the UK, France, and Germany.
Researchers urge Apple users to update their devices to the latest iOS version, noting that these infections appear to be only a fraction of the total attacks launched by the NSO Group’s diverse range of customers worldwide.
Al Jazeera refused to comment on the news and will release its own report within a few days.