At least 36 Al Jazeera journalists, producers, anchors, and executives, along with a journalist at London-based Al Araby TV, had their iPhones hacked using a no-user-interaction zero-day vulnerability in the iOS iMessage app, an academic research group said today.
Citizen Lab, a cybersecurity and human rights abuse research group at the University of Toronto, said the zero-day was part of an exploit chain named Kismet that was created and sold by NSO Group, a well-known vendor of spyware and surveillance products.
Researchers claim NSO sold the Kismet hacking tool to at least four entities, who used it in July and August 2020 to hack the personal iPhones of 36 Al Jazeera reports from all over the globe.
The Citizen Lab team believes it identified two of the four of the buyers in Saudi Arabia and the United Arab Emirates, linking the activity to two groups the organization has been tracking as Monarchy and Sneaky Kestrel.
Subsequent investigations discovered that the attacks had been going on since at least October 2019.
At the time the attacks were discovered, Citizen Lab said the Kismet exploit tool worked against Apple's latest devices (i.e., iPhones 11 running iOS 13.5.1).
The zero-day stopped working this fall when Apple released iOS 14, which shipped with several security feature enhancements.
The academic research group notified Apple of the attacks, and said the OS maker was now investigating the report.
Regional politics and zero-days
Reached for comment today, December 20, an NSO Group spokesperson called the report "speculation" that lacked any evidence "supporting a connection to NSO."
The company said it only sells surveillance tools to law enforcement agencies and that it is unable to determine what its customers do with its tools.
Citizen Lab has previously published multiple reports claiming that NSO-developed hacking tools have been used outside the scope of law enforcement investigations to track political rivals, dissidents, journalists, clergy, and activists in countries such as Morroco, Mexico, Saudi Arabia, Togo, Spain, the UAE, and others.
Al Jazeera, a Qatar-based news agency, is believed to have been targeted due to the strained political relations between Qatar and neighboring countries.
In 2017, four states (Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt) cut off official diplomatic relations with Qatar, and Al Jazeera has published several reports critical of the four countries ever since. Its website is blocked in two of the four states — Saudi Arabia and the UAE.
The full 5,000-word Citizen Lab report on the Kismet exploit chain and iOS zero-day is available here.