Just as we’re about to put a close on an already troubled 2020, news of massive hacking incidents, particularly targeting US government offices, exploded over the Internet. They aren’t, however, the only victims and something equally sinister and serious may be taking place around the Persian Gulf. Al Jazeera, the popular and outspoken Doha-based media organization, was informed that dozens of its journalists may have been spied on by nation-states using an iMessage bug on iPhones running slightly older versions of iOS.
The political situation between Saudi Arabia, UAE, Qatar, and neighboring countries is a complex and delicate one so news about spying between them may not really come as a surprise. Given Al Jazeera’s standing among the government of that region, it is also no surprise that its reporters have become targets of alleged state-sponsored espionage. And, again unsurprisingly, Israeli’s NSO Group is at the center of it all once more.
The NSO Group is credited for spyware used by governments and intelligence sectors, most notably the dreaded Pegasus strain. This time, security researchers from the University of Toronto’s Citizen Lab claimed that the group exploited a bug in iMessage on older versions of iOS, specifically iOS 13.5.1 and earlier, to covertly gain access to the targets’ iPhones. What’s even more frightening is that the bug was referred to as a zero-click exploit, meaning that the victims didn’t even need to click on a malicious link to get infected.
The report indicates that as many as 36 Al Jazeera employees have been hacked using this method. They traced the majority of these, with a “medium” degree of confidence, to agents acting on behalf of Saudi Arabia and the UAE, two nations that have been pushing Qatar to shut Al Jazeera down. The attacks covered a wider range of dates, some going as far back as October 2019 all the way up to July and August this year.
Apple only confirmed that the attacks reported by Citizen Lab did sound like an activity of a nation state but did not confirm the researcher’s findings. The company only said that it always advises its users to stay up-to-date with the latest iOS versions as that zero-click iMessage vulnerability is supposedly already fixed in iOS 14.