Israel's NSO Group Exploits And Malware Again Being Used To Target Journalists In The Middle East
from the are-we-the-baddies-asked-no-one-at-NSO-ever dept
You’d think the government of a land surrounded by enemies would do more to regulate malware distribution by local companies. It’s one thing to hold your enemies close. It’s quite another to provide them with the tools to ensure your own downfall.
One would think malware purveyors like the Israel’s NSO Group would post photos of countries like Saudi Arabia on its “DO NOT ACCEPT CHECKS FROM THESE GOVERNMENTS” wall at its HQ. But it doesn’t care. It sells to whoever will buy, even if that means subjecting Israeli citizens to surveillance programs run by Israel’s enemies.
This has been part of NSO’s far from illustrious history for years. When not being sued by American companies for leveraging their messaging services to deliver malware, NSO Group has allowed a variety of authoritarian governments to spy on activists, journalists, and dissidents with its toolkit of exploits and scalable attacks.
The latest expose on NSO’s unsavory tactics comes from Citizen Lab, which has been exposing the nastiness of malware purveyors for years. Citizen Lab says NSO is still allowing Israel’s enemies to target critics, making it far more dangerous for them to engage in activities that expose heinous government actions. Unsurprisingly, it’s longtime human rights violators making the most of whatever NSO Group will sell them.
In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.
The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.
Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.
The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.
Al Jazeera is one of the only independent news outlets covering Middle East issues. That makes it a popular target for governments that would prefer their own narratives dominate news coverage. NSO’s tools make it easier to undercut competing narratives by compromising independent reporting and intimidating journalists who won’t act as stenographers for government talking heads.
Citizen Lab’s investigation uncovered attacks on journalists’ phones, resulting in exfiltration of data and communications. In addition, it saw evidence of capabilities that are present in NSO’s malware, even if they aren’t being exploited yet. These include taking control of mics on devices to surreptitiously record in-person conversations, as well as accessing audio of encrypted phone conversations. In addition, the malware has the ability to track users’ locations and access their stored credentials.
These are powerful tools. And like all powerful tools, they shouldn’t be allowed to fall into the wrong hands. But NSO Group not only allows them to fall into the wrong hands, it makes its own countrymen and allies targets by actively placing them in the wrong hands. Then it stands back and says it has no control over its customers’ actions, even if it knows certain customers are definitely not going to use these powers for good.