An NSO Group spokesperson cast doubt on the findings but declined to comment on the specifics of the report, saying they had not seen the details. The United Arab Emirates and Saudi Arabia did not immediately respond to a request for comment.
Dridi was one of two London-based reporters and 36 journalists at Al Jazeera television network in Qatar who were probably targeted by the Saudi and Emirati governments using spyware deployed through an opening in iMessage, according to a report released Sunday by researchers with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy.
Using a “zero-click exploit,” the Pegasus users probably broke into cellphones without any interaction from their targets and without leaving behind obvious evidence of the infiltration, Citizen Lab concluded. Once in, the alleged government operatives would have been able to bypass encryption, monitor and record all activities on the cellphone, and listen in on conversations happening around it.
Citizen Lab researchers said they had “medium confidence” in their assessment that the governments of Saudi Arabia and the UAE, both Pegasus customers, were behind the attacks, citing links to the Internet domains involved.
The Pegasus spyware was created by the Israeli firm NSO Group, which has been sued in the United States by WhatsApp and accused of using the encrypted application to spy on journalists and human rights activists around the world.
“CitizenLab continues to publish reports based on speculations, inaccurate assumptions and without a full command of the facts,” an NSO Group spokesperson, who requested anonymity per the group’s protocol, said in a statement.
“CitizenLab apparently does not seem to be aware of the existence of any company in the cyber intelligence field other than NSO, and while we are proud of being a global leading company, we wish to emphasize that not everything associated to us is, in reality, a use of our technology,” the statement said, continuing, “NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, but as stated in the past we do not operate them.”
Bill Marczak, a senior research fellow at Citizen Lab and co-author of the report, said “there was nothing the targets could have done to prevent this.” He called the findings particularly scary because these “products are being sold to some of the world’s most repressive governments.”
“The information that’s gained can be used in ways to silently sabotage journalists’ stories or civil society’s investigations,” he added. “The industry loves to talk about how terrorists and criminals are going dark … but the spy industry itself is going dark in this case.”
One of Pegasus’ signature moves had been to send malicious links through text messages that, once clicked on, gave the spyware access to a target’s device. Citizen Lab has documented cases of the UAE and Saudi Arabia, among other governments, deploying Pegasus against political dissidents, including UAE human rights defender Ahmed Mansoor and Saudi activist Omar Abdulaziz, a confidant of the slain Saudi journalist Jamal Khashoggi.
But as hacking attempts via SMS can be relatively easy to identify and trace, NSO Group has increasingly turned to spyware that can compromise a cellphone without requiring any action by the victim, according to Citizen Lab. In one case in 2019, WhatsApp alerted 1,400 users that they were targeted by spyware sent by an exploit through missed phone calls. That same year, Reuters reported that in 2016, the UAE purchased a zero-click iMessage exploit, which it used to monitor hundreds of targets.
Of the two main operators in the attacks, one server, which Citizen Lab called “Monarchy,” had previously targeted primarily individuals inside Saudi Arabia, in addition to at least one Saudi activist abroad. The other operator, dubbed “Sneaky Kestrel” in the report, had similarly been focused on targets inside the UAE and linked to attacks on Emirati citizens outside the Persian Gulf country.
Saudi Arabia and the UAE have been locked in a geopolitical conflict with Qatar, owner of the Al Jazeera television network, which critics say promotes Qatari interests. Dridi’s channel, Al Araby TV, is owned by a Qatari businessman. She said she suspected she was targeted because of her work and close friendship with a TV presenter also critical of Saudi and Emirati policies.
Citizen Lab researchers learned about the hacks by chance while monitoring Al Jazeera journalist Tamer Almisshal’s phone. Almisshal, fearful that he was a hacking target, had approached Citizen Lab and installed a virtual private network on his phone allowing the research center to observe his Internet activity.
On July 19, Almisshal’s phone registered visiting a website known as an installation server for Pegasus. In the 54 minutes before visiting that website, researchers observed suspicious iCloud connections downloading and uploading data.
Once attuned to the zero-click attacks, Citizen Lab found similarly suspicious activity on the cellphones of 35 other Al Jazeera journalists.
Three months ago, Dridi said her employer alerted her that a journalist at Al Araby had been hacked in a similar way. Then she learned that it was her private cellphone — and that for months, someone had been listening to her private conversations and accessing her camera and photos.
“Since then, I’ve started this new life,” she said. “It’s really, really ridiculous. I feel insecure. … Everything is changed in my life. You felt like you had a private life; now you feel like you don’t.”
Dridi, one of two journalists to go public in the report, is planning to file a lawsuit against the UAE.
Marczak urged iPhone users to, at a minimum, download updates intended to address these kinds of vulnerabilities.
He called the investigation’s findings a “wake-up call for tech companies to very, very carefully go through this code running on people’s phones to make sure that there aren’t these so-called ‘zero click’ vulnerabilities, which are incredibly damaging.”