Three dozen journalists working for Al Jazeera had their iPhones stealthily compromised via a zero-click exploit to install spyware as part of a Middle East cyberespionage campaign.
In a new report published yesterday by University of Toronto's Citizen Lab, researchers said personal phones of 36 journalists, producers, anchors, and executives at Al Jazeera, and a journalist at London-based Al Araby TV were infected with Pegasus malware via a now-fixed flaw in Apple's iMessage.
Pegasus is developed by Israeli private intelligence firm NSO Group and allows an attacker to access sensitive data stored on a target device — all without the victim's knowledge.
"The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected," the researchers said.
"It is more challenging [...] to track these zero-click attacks because targets may not notice anything suspicious on their phone. Even if they do observe something like 'weird' call behavior, the event may be transient and not leave any traces on the device."
The findings came to light after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected his iPhone may have been hacked and consented to have his network traffic monitored by Citizen Lab researchers using a VPN app earlier this January.
The internet watchdog found that the attacks occurred between July and August of this year using an exploit chain it calls KISMET, a zero-day present in iOS 13.5.1 that could be used to break Apple's security protections.
Citizen Lab said the 36 phones in question were hacked by four distinct "clusters" or NSO operators with probable ties to the Saudi and the United Arab Emirates governments.
A review of Almisshal's VPN logs revealed a sudden uptick in anomalous connections to Apple iCloud servers, which the researchers surmise was the initial infection vector to transmit the malicious code, followed by connections to an installation server to fetch the Pegasus spyware.
The implant comes with the capabilities to record audio from microphone and phone calls, take photos using the phone's camera, access the victim's passwords, and track the device's location.
While NSO Group has consistently maintained that its software is only meant to be used by law enforcement agencies to track down terrorists and criminals, this is far from the first time the tool has been abused by various governments to spy on critics, dissidents, politicians, and other individuals of interest.
One of those cases involved the delivery of the hacking tool through a previously undisclosed vulnerability in WhatsApp, which is currently pursuing legal action against the company in a US court.
"The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance," the researchers concluded.
"The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms."