Zero-day exploit used to hack iPhones of Al Jazeera employees

Tens of Al Jazeera employees were targeted in a cyber espionage campaign leveraging a zero-click iOS zero-day vulnerability to hack their iPhones.

Researchers from Citizen Lab reported that at least 36 Al Jazeera employees were targeted in a cyber espionage campaign leveraging a zero-click iOS zero-day vulnerability to hack their iPhones.

The attackers used an exploit chain named Kismet that was part of the arsenal of the controversial Pegasus spyware that is sold by the surveillance firm NSO Group.

“In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.” reads the report published by the researchers.

“The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11. Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.”

The KISMET exploit chain doesn’t work against iOS 14 and above because the new mobile iOS implements additional security protections.

Experts believe that the number of targeted individuals is much higher given the global reach of NSO Group’s customer base. The campaign aimed at Al Jazeera ‘s employees is politically motivated, the Qatar-based news agency is a privileged target of hackers working for the neighboring countries due to the tensions between the local governments.

The infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.

According to the Citizen Lab’s report, the Kismet hacking tool was sold at least to four organizations that used it against Al Jazeera employees from all over the world. These surgical attacks took place between July and August 2020, but experts speculate the attack are going on since at least October 2019.

Two of the NSO Group’s customers are in Saudi Arabia and the United Arab Emirates, Citizen Lab associated the attacks to the operations of the APT groups tracked as Monarchy and Sneaky Kestrel.

Citizen Lab has already published several reports unmasking operations that involved the use of the NSO’s surveillance software. -The company always remarked that its software was only sold to government and intelligence agencies and was never sold to government organizations that used them to track political rivals, dissidents, and journalists.

Unfortunately, Citizen Lab found evidence of the NGO software was used in multiple campaigns against journalists, activists, and dissidents in multiple countries, including Morroco, Mexico, Saudi Arabia, and the UAE.

“However, the zero-click techniques used against Al Jazeera staff were sophisticated, difficult to detect, and largely focused on the personal devices of reporters. Security awareness and policies are essential, but without substantial investment in security, network analysis, regular security audits and collaboration with researchers like the Citizen Lab these cases would not have been detected.” concludes the report.

“Journalists and media outlets should not be forced to confront this situation on their own. Investments in journalist security and education must be accompanied by efforts to regulate the sale, transfer, and use of surveillance technology.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Al Jazeera)

[adrotate banner=”5″]

[adrotate banner=”13″]