An academic research group said today that at least 36 Al Jazeera journalists, producers, anchors, and executives, along with a journalist at London-based Al Araby TV, had their iPhones hacked using a zero-day no-user contact vulnerability in the iOS iMessage app.
Citizen Lab, a research group on cybersecurity and human rights violations at the University of Toronto, said the zero-day was part of a Kismet exploit chain created and sold by NSO Group, a well-known seller of spyware and surveillance products.
Researchers say that the Kismet hacking tool was sold by NSO to at least four organizations who used it in July and August 2020 to hack 36 Al Jazeera reports from around the globe on personal iPhones.
The Citizen Lab team claims that two of the four buyers in Saudi Arabia and the United Arab Emirates were identified, linking the activity as Monarchy and Sneaky Kestrel to two groups the organization has been tracking.
Subsequent inquiries found that since at least October 2019, the attacks had been going on.
Citizen Lab said the Kismet exploit tool worked against Apple’s newest devices at the time the attacks were discovered (i.e., iPhones 11 running iOS 13.5.1).
The academic research group notified Apple of the attacks and said the OS maker was now investigating the report.