Israel's NSO Group Exploits And Malware Again Being Used To Target Journalists In The Middle East

from the are-we-the-baddies-asked-no-one-at-NSO-ever dept

You’d think the government of a land surrounded by enemies would do more to regulate malware distribution by local companies. It’s one thing to hold your enemies close. It’s quite another to provide them with the tools to ensure your own downfall.

One would think malware purveyors like the Israel’s NSO Group would post photos of countries like Saudi Arabia on its “DO NOT ACCEPT CHECKS FROM THESE GOVERNMENTS” wall at its HQ. But it doesn’t care. It sells to whoever will buy, even if that means subjecting Israeli citizens to surveillance programs run by Israel’s enemies.

This has been part of NSO’s far from illustrious history for years. When not being sued by American companies for leveraging their messaging services to deliver malware, NSO Group has allowed a variety of authoritarian governments to spy on activists, journalists, and dissidents with its toolkit of exploits and scalable attacks.

The latest expose on NSO’s unsavory tactics comes from Citizen Lab, which has been exposing the nastiness of malware purveyors for years. Citizen Lab says NSO is still allowing Israel’s enemies to target critics, making it far more dangerous for them to engage in activities that expose heinous government actions. Unsurprisingly, it’s longtime human rights violators making the most of whatever NSO Group will sell them.

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

Al Jazeera is one of the only independent news outlets covering Middle East issues. That makes it a popular target for governments that would prefer their own narratives dominate news coverage. NSO’s tools make it easier to undercut competing narratives by compromising independent reporting and intimidating journalists who won’t act as stenographers for government talking heads.

Citizen Lab’s investigation uncovered attacks on journalists’ phones, resulting in exfiltration of data and communications. In addition, it saw evidence of capabilities that are present in NSO’s malware, even if they aren’t being exploited yet. These include taking control of mics on devices to surreptitiously record in-person conversations, as well as accessing audio of encrypted phone conversations. In addition, the malware has the ability to track users’ locations and access their stored credentials.

These are powerful tools. And like all powerful tools, they shouldn’t be allowed to fall into the wrong hands. But NSO Group not only allows them to fall into the wrong hands, it makes its own countrymen and allies targets by actively placing them in the wrong hands. Then it stands back and says it has no control over its customers’ actions, even if it knows certain customers are definitely not going to use these powers for good.

Filed Under: , , , ,
Companies: al jazeera, nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Israel's NSO Group Exploits And Malware Again Being Used To Target Journalists In The Middle East”

Subscribe: RSS Leave a comment
This comment has been deemed insightful by the community.
Ehud Gavron (profile) says:


I’m from Israel and despise what this company does. I understand, as an investor at times, that shareholder value comes from revenue, which comes from sales, which requires customers. As Tim says "do not accept checks from this customer" makes good ethical sense, and good self-defense, but obviously not shareholder value.

This relates 100% to Mike’s and Tim’s many posts about how the creation of a backdoor to encryption (or a zero-day exploit to sell) ends up compromising EVERYTHING. It endangers everyone. Today Israel, tomorrow who knows.

Back doors – bad.
Zero day exploit sales – bad.

Shareholder value should be a valuation of short-term (let’s get our stock price up TODAY) and long term (let’s make our company worth more) goals. It is… an unfortunate effect that the focus is on the former.


Scary Devil Monastery (profile) says:

Re: Ethics

"Today Israel, tomorrow who knows."

Might as well pull the full quote; "Tomorrow, ze world". Irrespective of nationality we already know the usual suspects are at the very least fully in favor of personal security not being a thing. The inevitable mistrust in current governments are just a bonus.

"It is… an unfortunate effect that the focus is on the former."

You would have thought, after Japan bullwhipped the US electronics and auto markets in the 70’s and China ate the manufacturing market in the 2000’s, that long-term thinking would have become priority teaching material for BMA’s. And yet, western corporations just keep focusing on the next quarter or fiscal year exclusively.

I swear, it’s as if we’re being that chessplayer only able to react to the other players moves, and we’re playing against Kasparov.

Anonymous Coward says:

The only way this makes sense to me is if the NSO group has a backdoor in their malware, beyond just a "time based license".

That is, they sell use of the malware (for some set time), and in the process get to learn everything the various users learn … AND everything on the users’ network.

Data exfiltration could be along the same channel as update requests and license authentication.

That is, I suspect that the malware is a Trojan Horse in the strictest sense of the term.

Bill Poser (profile) says:


It isn’t so clear that NSO is helping Israel’s enemies. Al Jazeera is owned by the government of Qater and may not be as independent as you think. Qatar is a strong supporter of Hamas, the genocidal fascist group engaged in a terror war against Israel. The UAE, on the other hand, has been quietly flirting with Israel for some years and has recently normalized relations with Israel. Helping the UAE to spy on journalists working for a Qatari organization may well be in Israel’s best interests.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...