Citizen Lab Report Links Attempted Hacking to Saudi Group
Source: Adam Jones via Flickr/CC)
A New York Times reporter apparently was targeted with spyware developed by the NSO Group as part of a campaign that may be linked to a Saudi Arabia group, which has previously been accused of hacking attempts against dissidents, journalists and human rights lawyers, according to the think tank Citizen Lab.
The spyware used against the Times reporter likely was Israel-based NSO Group’s Pegasus, which has been used by governments around the world to target journalists, activists and protestors, according to the new Citizen Lab report.
Ben Hubbard, who is the Beirut bureau chief for the Times and has previously reported on Saudi Arabia, says he received a suspicious Arabic text message in June 2018, Citizen Lab says. The text message read: “Ben Hubbard and the story of the Saudi Royal Family,” according to the report.
Hubbard, however, did not click on the link in the text message, and it does not appear that any of his data was taken, according to the report. He eventually handed over his smartphone and the contents of the text message to researchers at Citizen Lab, who concluded that the journalist was likely targeted with Pegasus spyware, the report finds.
Citizen Lab is a think tank at the Munk School of Global Affairs at the University of Toronto that studies surveillance software and attacks and has long raised concerns over the use of spyware against human rights activists and dissidents.
I got a weird SMS.
I didn’t click.
Researchers concluded it was a hacking attempt with Israeli software by hackers linked to Saudi Arabia.
Saudi officials: no comment.
The Israeli company: not all hack attempts use our products.
Be careful out there, kids.https://t.co/IY40RUvlOp
— Ben Hubbard (@NYTBen) January 28, 2020
The Citizen Lab report, however, points out that the attempt against Hubbard is not related to the recent apparent hacking of Amazon CEO Jeff Bezos’ iPhone, which may be tied to Saudi officials. Some security analysts are questioning the veracity of the report on the Bezos incident (see: The Bezos Phone Hack: Narrative Framed by Loose Facts).
In its report, the Citizen Lab analysts note that they were able to trace the hyperlink in the text message sent to Hubbard to a website used by a Pegasus operator that analysts call “Kingdom.”
In a report from 2018, Citizen Lab and Amnesty International researchers linked the activities of Kingdom to other spying attempts against Saudi dissidents and others.
While investigating the link sent to Hubbard, the Citizen Lab analysts found that it led to a website called arabnews365.com, and was sent from a sender who identified himself as “Arabnews,” according to the report.
Malicious message sent to Ben Hubbard of the New York Times (Source: Citizen Lab)
The Arabnews domain is active and belongs to the portion of NSO Group’s Pegasus infrastructure that Citizen Lab analysts have linked to the Kingdom operators, according to Tuesday’s report. The analysts also found command-and-control servers used in previous campaigns that have links to both Pegasus spyware and the Kingdom operators, the report adds.
In previous reports, Citizen Lab analysts have also grouped IP addresses to groups using the Pegasus spyware around the world. Altogether, there are about 36 distinct Pegasus operators, including the Kingdom group, using the spyware at any given time around the world, the report adds.
Other journalists have also been targeted by Pegasus spyware. For instance, Washington Post journalist Jamal Khashoggi may also have been spied on before he was killed in 2018, several security experts and privacy watchdogs found (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
NSO Group Denies Allegations
The NSO Group has repeatedly denied that its tools are designed to spy on journalists and citizens. It says they are intended to fight terrorism and help police investigations.
In response to the new Citizen Lab report, an NSO Group spokesperson told Fortune that the allegations are “unsubstantiated.”