A journalist who was a victim of hacking by Pegasus spyware has revealed their experience in being a target for hacking, including how suspicious messages and "zero-click" exploits led to access to the journalist's smartphone.
An investigation in July highlighted how the NSO Group's Pegasus spyware was used to attack journalists and human rights activists. The spyware, which was intended by NSO Group to only be used for crime prevention and investigative purposes, was misused by some governments to perform surveillance on potentially thousands of activists and journalists.
In a New York Times report, Middle East correspondent Ben Hubbard explains how he became a target, in part due to often speaking to "people who take great risks to share information that their authoritarian rulers want to keep secret." While Hubbard took precautions to protect sources due to the risk of imprisonment or death, he still became a victim of Pegasus hacking.
In working with Citizen Lab, Hubbard found that he had been targeted with a suspicious text message in 2018, thought to have been sent by Saudi Arabia. The publication's tech security team uncovered another hacking attempt from 2018, with a second message sent via WhatsApp, inviting the journalist to a protest at a Saudi Embassy in Washington, complete with a suspicious link.
Neither attempt succeeded, Citizen Lab confirmed, as Hubbard didn't click the links included in each message, though it wasn't the end of the harassment.
Further investigations of Hubbard's device revealed a pair of hacks in 2020 and 2021 that were successful, using a zero-click exploit that didn't require users to click a link to infect. It seems unlikely that the identity of the hacking party will be uncovered, it was discovered that the second hack took place to remove traces left behind from the first.
Pegasus is believed to be used for all of the attacks. NSO Group denied that its products were used in the attacks, that "technical and contractual reasons and restrictions" meant Hubbard couldn't possibly have been a target in the 2020 and 2021 incidents.
The attacks against Hubbard are among a large number using the spyware, which have been condemned by Apple and other organizations around the world.
It is unclear exactly what smartphone Hubbard was using throughout this period, but Pegasus is famous for attacking iPhones, among other devices, taking advantage of various exploits in iOS to defeat on-device security. In September, Apple's release of patches for iOS 14.8 and iOS 12.5.5 plugged security holes that Pegasus abused to take control of a target's iPhone.
A successful infection of Pegasus allowed n attacker practically unlimited access to the iPhone or other device, including being able to extract data, read encrypted messages, enable cameras and microphones, record phone calls, and to track the device's GPS co-ordinates live.
Governments thought to have been NSO clients include Azerbaijan, Kazakhstan, Rwanda, and the UAE, among others considered to have authoritarian regimes. Other more progressive governments have also become customers, including Germany, as was revealed in September.