Israel's NSO Group Exploits And Malware Again Being Used To Target Journalists In The Middle East

from the are-we-the-baddies-asked-no-one-at-NSO-ever dept

You'd think the government of a land surrounded by enemies would do more to regulate malware distribution by local companies. It's one thing to hold your enemies close. It's quite another to provide them with the tools to ensure your own downfall.

One would think malware purveyors like the Israel's NSO Group would post photos of countries like Saudi Arabia on its "DO NOT ACCEPT CHECKS FROM THESE GOVERNMENTS" wall at its HQ. But it doesn't care. It sells to whoever will buy, even if that means subjecting Israeli citizens to surveillance programs run by Israel's enemies.

This has been part of NSO's far from illustrious history for years. When not being sued by American companies for leveraging their messaging services to deliver malware, NSO Group has allowed a variety of authoritarian governments to spy on activists, journalists, and dissidents with its toolkit of exploits and scalable attacks.

The latest expose on NSO's unsavory tactics comes from Citizen Lab, which has been exposing the nastiness of malware purveyors for years. Citizen Lab says NSO is still allowing Israel's enemies to target critics, making it far more dangerous for them to engage in activities that expose heinous government actions. Unsurprisingly, it's longtime human rights violators making the most of whatever NSO Group will sell them.

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

Al Jazeera is one of the only independent news outlets covering Middle East issues. That makes it a popular target for governments that would prefer their own narratives dominate news coverage. NSO's tools make it easier to undercut competing narratives by compromising independent reporting and intimidating journalists who won't act as stenographers for government talking heads.

Citizen Lab's investigation uncovered attacks on journalists' phones, resulting in exfiltration of data and communications. In addition, it saw evidence of capabilities that are present in NSO's malware, even if they aren't being exploited yet. These include taking control of mics on devices to surreptitiously record in-person conversations, as well as accessing audio of encrypted phone conversations. In addition, the malware has the ability to track users' locations and access their stored credentials.

These are powerful tools. And like all powerful tools, they shouldn't be allowed to fall into the wrong hands. But NSO Group not only allows them to fall into the wrong hands, it makes its own countrymen and allies targets by actively placing them in the wrong hands. Then it stands back and says it has no control over its customers' actions, even if it knows certain customers are definitely not going to use these powers for good.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: exploits, journalists, malware, surveillance, zero day
Companies: al jazeera, nso group


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 21 Dec 2020 @ 2:16pm

    The only way this makes sense to me is if the NSO group has a backdoor in their malware, beyond just a "time based license".

    That is, they sell use of the malware (for some set time), and in the process get to learn everything the various users learn ... AND everything on the users' network.

    Data exfiltration could be along the same channel as update requests and license authentication.

    That is, I suspect that the malware is a Trojan Horse in the strictest sense of the term.


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.