The latest report from Citizen Lab -- authored by Ali Abdulemam, Noura Al-Jizawi, Bill Marczak, Siena Anstis, Kristin Berdan, John Scott-Railton and Ron Deibert -- said nine activists from Bahrain had their iPhones hacked with NSO Group's spyware, and some were attacked through zero-click iMessage exploits.
The Bahraini government used the 2020 KISMET exploit and the 2021 FORCEDENTRY exploit to hack into the phones of local human rights activists, political groups, a politician and even Bahraini dissidents living in London.
"At least four of the activists were hacked by LULU, a Pegasus operator that we attribute with high confidence to the government of Bahrain, a well-known abuser of spyware. One of the activists was hacked in 2020 several hours after they revealed during an interview that their phone was hacked with Pegasus in 2019," the report's authors said.
"Two of the hacked activists now reside in London, and at least one was in London when they were hacked. In our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar using Pegasus; never in Europe."
The report notes that the activist in London may have actually been hacked by another Pegasus operator who then passed the information on to the Bahraini government.
Citizen Lab coordinated with Forbidden Stories -- the organization that revealed NSO Group's work -- and confirmed that at least five of the devices hacked into by the Bahraini government were contained on the Pegasus Project's list of potential targets of NSO Group's customers.
Bahrain is a dictatorship that has long crushed dissent and deployed draconian measures to control public discussion online, blackmail government opponents, torture activists and commit other human rights violations.
The report notes that other Western technology companies have in the past faced backlash for helping Bahrain's government censor the internet, disrupt protests and monitor opponents both inside Bahrain and outside of the country.
Canadian company Netsweeper is used by Bahrain to block many websites for Bahraini citizens, and the Ministry of Interior's Cyber Crime Unit, alongside other government arms, have bought spyware from FinFisher, Verint Systems, Cellebrite, Hacking Team, Trovicor GmbH and NSO Group, according to the report.
Citizen Lab researchers discovered that Bahrain's government first bought the Pegasus spyware in 2017 and began using it in Bahrain and Qatar.
The organization saw a spike in usage of Pegasus in July 2020 and coordinated with the government's targets to analyze how they were targeted and how their phones had been hacked.
Moosa Abd-Ali and Yusuf Al-Jamri, two Bahraini activists living outside of Bahrain, agreed to be named in the report. Still, the others who had their phones hacked only wanted to be identified by the organizations they worked for.
Abd-Ali stood out in the report because he previously took FinFisher to court after Bahraini officials used the company's spyware to hack into his computer in 2011. His iPhone 8 was hacked sometime before September 2020.
The report explained that officials tried a number of ways to hack into phones, even using fake DHL package tracking notifications that Citizen Lab traced back to a Bahraini government operator of Pegasus. Sometimes government operators used the zero-click exploit, and in other instances, it required one or two clicks on links to infect a device with the spyware.
"We noted that these three domains were hosted on shared web hosting providers. In other words, the IP addresses that they pointed to had dozens of other innocuous domains also pointing to them. In previous iterations of NSO Group's Pegasus infrastructure, each domain name pointed to a separate IP address," the researchers found.
The government has taken extreme measures to curtail dissent and diminish the influence of activists or protest leaders for decades. Still, efforts have taken a technological turn recently, particularly since the Arab Spring protests began around 2010. The government violently put down the nascent protest movement in 2011, arresting and torturing hundreds of Bahrainis.
Citizen Lab has been monitoring the government's use of spyware for years, tracking their use of ProxySG devices and PacketShaper devices as well as Internet-filtering technology produced by Netsweeper, Inc.
According to Bloomberg, the government eventually bought spyware tools from former Nokia Siemens Networks affiliate Trovicor GmbH in 2011.
In one notable instance, the government used spyware from FinFisher, a UK-German company, to blackmail a well-known Bahraini lawyer. Government officials hacked into his computer and then sent him a CD threatening to release an intimate video of him and his wife if he did not stop defending human rights activists. The video had been obtained through a hidden camera that had been secretly planted in his home.
The government eventually did release the video to the public after the lawyer refused to back down.
Members of the government also have been accused of using other tools to deanonymizing pseudonymous Twitter accounts critical of the government.
The researchers behind the report said it shows that the NSO Group's repeated claims of innocence and human rights work fly in the face of the reality that dictatorships use their tools.
"Despite a half-decade of being implicated in human rights abuses, NSO Group regularly claims that they are, in fact, committed to protecting human rights. However, this purported concern is contradicted by a growing mountain of evidence that authoritarian regimes use its spyware against human rights activists, journalists, and other members of civil society," the report said.
"While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that it is significant, longstanding, and documented evidence of Bahrain's serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group."
The researchers called the Bahraini government's abuse of the spyware "predictable". They said it was "gross negligence in the name of profit" by NSO Group to sell the tool to a government with Bahrain's human rights record.
While the report said the hack victims may have been able to protect their devices by disabling iMessage and FaceTime, it notes that the NSO Group has found other ways to deliver malware through another messaging app, WhatsApp.
Like Comparitech privacy advocate Paul Bischoff, experts said the report was further evidence that there is no real legitimate use for NSO Group's malware.
"Those authorities would not have the same spying capabilities without NSO Group," Bischoff told ZDNet.
"We should immediately declare an international moratorium on private sales of spyware."