New Delhi: The New York Times’ Beirut bureau chief Ben Hubbard was allegedly targeted with Israeli firm NSO Group’s spyware Pegasus at least thrice over a three-year period since June 2018, a new report has said. According to the report, two of these attempts were successful.
Hubbard’s phone was allegedly targeted with Pegasus in June 2018, July 2020, and June 2021 while he was “reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman (MBS)”, said a report by The Citizen Lab, a Canada-based digital forensics laboratory.
The 2020 and 2021 attacks were successful, the report said Sunday.
The Citizen Lab is based at the University of Toronto. It has been tracking Pegasus since 2016. It also offered an independent peer review to a global consortium that probed alleged surveillance by government clients using Pegasus. The global expose was called the ‘Pegasus Project’ and released in July this year.
Hubbard wrote a piece Sunday on the alleged hacking and said: “Invasive hacking software sold to countries to fight terrorism is easily abused. Researchers say my phone was hacked twice, probably by Saudi Arabia.”
This is only the latest incident of alleged hacking of private and public individuals via the Israeli spyware to come to light.
The Pegasus Project had revealed that two serving Union ministers, three Opposition leaders, one constitutional authority, current and former heads of security organisations, administrators and 40 senior journalists and activists from India were allegedly among those targeted with snooping attempts through Pegasus.
Also read: Centre refuses to file detailed affidavit in Pegasus row again, SC reserves interim orders
What has Citizen Lab found?
According to the Citizen Lab report, the 2018 attempt to hack Hubbard’s phone hadn’t succeeded since he didn’t click on the links sent to him via SMS and WhatsApp. The messages had allegedly been sent by someone linked to Saudi Arabia.
The 2020 and 2021 attacks occurred after Hubbard “complained” to the NSO Group that he was targeted by “Saudi-linked KINGDOM Pegasus operator in June 2018”.
While the Citizen Lab report attributed the 2020 and 2021 hacks to Pegasus, it couldn’t “conclusively” attribute this activity to a “specific NSO Group customer at this time”.
“However, we believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi activist in 2021,” the report said.
The 2020 and 2021 hacks on Hubbard’s iPhone happened via ‘zero-click’ exploits. This means that Hubbard wasn’t required to click on any link for the spyware to launch on his phone.
The latest hack happened on 13 June 2021 and the zero-click method detected was similar to the one seen on a Saudi activist’s iPhone infected with Pegasus, the lab said. The same malicious iMessage account had communicated with both the activist’s and Hubbard’s phones, the report added.
Apple patched the vulnerability allowing for this particular zero-click method in September this year.
What the NYT journalist has written on precautions
In his NYT piece on 24 October, Hubbard wrote that the NSO Group “denied its products had been involved in the hacks, writing in an email that I ‘was not a target of Pegasus by any of NSO’s customers’”.
The Pegasus spyware can be used to collect messages available on a victim’s phone. It can also be used to turn on the phone’s camera, mic, and track the user’s location.
Noting the vulnerabilities such attacks open people up to, Hubbard wrote that he now takes several precautions including storing “sensitive” contacts offline, not carrying his phone for physical meetings, rebooting the phone (to stop some spyware from starting up on the phone), and using an American phone number (since they are less likely to be hacked).
(Edited by Amit Upadhyaya)
Also read: Hopeful IT panel will take up Pegasus issue going forward, says Shashi Tharoor