NYT Journalist’s iPhone infected twice with NSO Group’sPegasus spyware

Threat actors infected the iPhone of New York Times journalist Ben Hubbard with NSO Group’s Pegasus spyware between June 2018 to June 2021.

The iPhone of New York Times journalist Ben Hubbard was repeatedly infected with NSO Group’s Pegasus spyware. The device was compromised two times, in July 2020 and June 2021.

The attacks were documented by the Citizen Lab research team from the University of Toronto, the infections took place while the journalist was wording on a book about Saudi Crown Prince Mohammed bin Salman.

“Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.” reported Citizen Lab. “While we attribute the 2020 and 2021 infections to NSO Group’s Pegasus spyware with high confidence, we are not conclusively attributing this activity to a specific NSO Group customer at this time. However, we believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi activist in 2021.”

Researchers also discovered some forensic artifacts on Hubbard’s iPhone related to the Pegasus spyware as early as April 2018, but it is not clear if they were associated with a genuine infection attempt or some test conducted by the attackers.

The Hubbard’s iPhone was hacked on July 12, 2020 and June 13, 2021, the attackers used the KISMET and FORCEDENTRY zero-click exploits respectively.

The discovery of the attack was possible after another investigation in which the researchers recovered the FORCEDENTRY exploit from a backup of a Saudi activist’s iPhone.

The iMessage account [EMAIL ADDRESS 1] used to deliver to the Saudi activist’s phone the FORCEDENTRY exploit through 31 iMessage attachments was also used to communicate with Hubbard’s phone on June 13, 2021 at 15:45:20 GMT. The researchers noticed that about five minutes before a file was dropped in or deleted from the Library/Caches folder, and at least 41 iMessage attachments were deleted.

“The deleted items all had timestamps greater than June 9, 2021 11:56:46 GMT and less than June 16, 2021 8:46:17 GMT. Based on this pattern of facts, we conclude with high confidence that Hubbard’s iPhone was hacked with NSO Group’s Pegasus spyware on June 13, 2021 15:45:20 GMT.” reads the analysis of the experts.

Experts also reported that Hubbard’s phone logs show the presence of Pegasus infection (aka HIPPOCRENE FACTOR) that took place on July 12, 2020. The initial compromise was introduced onto Hubbard’s phone sometime after January 29, 2020 and before December 14, 2020.

Citizen Lab experts found that Ben Hubbard’s DataUsage.sqlite file showed that process name bh was active on July 13, 2020 16:46:01. This process is associated with Pegasus spyware infections, in this case, attackers likely used the KISMET zero-click iMessage exploit.

“Hubbard was repeatedly subjected to targeted hacking with NSO Group’s Pegasus spyware. The hacking took place after the very public reporting in 2020 by Hubbard and the Citizen Lab that he had been a target. The case starkly illustrates the dissonance between NSO Group’s stated concerns for human rights and oversight, and the reality: it appears that no effective steps were taken by the company to prevent the repeated targeting of a prominent American journalist’s phone.” concludes the report.

The research institute did not attribute the infections to a specific threat actor, NSO Group denied any involvement in the attacks. The New York Times reported a statement from NSO that claims that the journalist “was not a target of Pegasus by any of NSO’s customers.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NSO Group)

[adrotate banner=”5″]

[adrotate banner=”13″]