{ "id": "b4e95565-c842-4510-b3eb-88a92ac7da57", "created_at": "2026-04-06T00:15:18.296147Z", "updated_at": "2026-04-10T13:11:57.217188Z", "deleted_at": null, "sha1_hash": "682b7d274a46e2daf45fc530d52f69425ff555d1", "title": "Stopping the Press: New York Times Journalist Targeted by Saudi-Linked Pegasus Spyware Operator - The Citizen Lab", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1590312, "plain_text": "Stopping the Press: New York Times Journalist Targeted by Saudi-Linked Pegasus Spyware Operator - The Citizen Lab\r\nArchived: 2026-04-05 13:35:48 UTC\r\nKey Findings\r\nNew York Times journalist Ben Hubbard was targeted with NSO Group’s Pegasus spyware via a June 2018\r\nSMS message promising details about “Ben Hubbard and the story of the Saudi Royal Family.” \r\nThe SMS contained a hyperlink to a website used by a Pegasus operator that we call KINGDOM. We have\r\nlinked KINGDOM to Saudi Arabia. In 2018, KINGDOM also targeted Saudi dissidents including Omar\r\nAbdulaziz, Ghanem al-Masarir1, and Yahya Assiri, as well as a staff member at Amnesty International.\r\nHubbard is among a growing group of journalists targeted with Pegasus spyware. As part of our continued\r\ninvestigation into threats against journalists, Citizen Lab also identified evidence suggesting a Pegasus\r\noperator may have been infecting targets while impersonating the Washington Post in the weeks leading up\r\nto and after Khashoggi’s killing in 2018. There is no overlap between this activity and reported events\r\nsurrounding the mobile phone of Jeff Bezos.\r\n1. Background\r\nPegasus is the name of a mobile phone spyware product made by NSO Group, an Israeli-based company that\r\ndevelops and sells surveillance technology2. Since 2016, researchers have documented the abuse of Pegasus\r\nagainst journalists, human rights defenders, and members of civil society. In one case, Pegasus was used to target\r\nthe wife of a slain journalist in Mexico.\r\nSeveral reports by Citizen Lab and Amnesty International in 2018 showed that a Saudi-linked Pegasus operator\r\nthat we call KINGDOM was targeting dissidents and regime critics. On July 31, 2018, Amnesty International and\r\nCitizen Lab reported that an Amnesty International staffer, as well as a “Saudi activist based abroad” (later\r\nidentified as London-based dissident Yahya Assiri) was targeted with Pegasus. On October 1, 2018, Citizen Lab\r\nreported that Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with Pegasus.\r\nDuring the period when his phone was monitored, Abdulaziz was apparently in close contact with murdered\r\nWashington Post columnist Jamal Khashogghi.\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 1 of 7\n\nOn November 11, 2018, Forbes reported that Saudi dissident, Ghanem al-Masarir, was targeted with Pegasus. If\r\nthe targets had clicked on the links in the text messages they received, the KINGDOM operator would have been\r\nable to closely monitor these individuals’ communications and plans. Abdulaziz filed a lawsuit against NSO\r\nGroup in Israel, and al-Masarir filed a lawsuit against Saudi Arabia in the UK.\r\n2. New York Times Reporter Targeted\r\nBen Hubbard is the Beirut Bureau Chief of the New York Times. Prior to his promotion to that role, Hubbard\r\nreported on Saudi Arabia, including on Crown Prince Mohamed Bin Salman (MbS). In an announcement of his\r\npromotion, the New York Times noted that Hubbard had “turned out deeply revealing reports from a closed society\r\nthat is changing rapidly under a headstrong crown prince,” and had “…peeled back the curtain from the prince’s\r\nrelentless consolidation of power.”\r\n2.1. Pegasus Infection Attempt\r\nOn June 21, 2018, Hubbard received an SMS on his phone stating in Arabic: “Ben Hubbard and the story of the\r\nSaudi Royal Family.” Hubbard provided this message to the Citizen Lab in October 2018 for analysis. With\r\nHubbard’s consent, we are now able to report on this case.\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 2 of 7\n\nThe link sent to Hubbard led to the site arabnews365[.]com, and was sent from a sender that called themselves\r\n“Arabnews.” The full link is:\r\nhttps://arabnews365[.]com/wqbgGdwlk\r\nHubbard recalls that he did not click on the link and we are not able to determine whether his phone was\r\nsuccessfully infected.\r\n2.2. Connection with Pegasus Infrastructure\r\nAt the time the SMS was sent to Hubbard, the arabnews365[.]com domain was active and belonged to the portion\r\nof NSO Group’s Pegasus infrastructure used by the KINGDOM operator. The domain was also \u003cindependently\r\nidentified by Amnesty International as belonging to NSO Group’s infrastructure. In a previous report, we provided\r\na comprehensive technical description of how we identify and scan for Pegasus infrastructure. In this section, we\r\nbriefly summarize this process.\r\nIn 2016, Citizen Lab published the Million Dollar Dissident report, the first public research to identify NSO\r\nGroup’s Pegasus spyware. In Million Dollar Dissident, we reported on an attempted intrusion of United Arab\r\nEmirates (UAE) activist Ahmed Mansoor’s phone using a text message with a malicious link promising “New\r\nsecrets about torture of Emiratis in state prisons.”\r\nOur investigation included scanning the Internet to find Command \u0026 Control (C\u0026C) servers that behaved\r\nsimilarly to the ones communicating with the spyware sent to Mansoor. While the Pegasus servers we found were\r\npulled offline even before we published Million Dollar Dissident, we continued to monitor them in case some of\r\nthem might come back online. In the weeks after our report, we noticed a small number of Pegasus servers that\r\ncame back online, but the servers no longer matched our fingerprint. We built a new fingerprint based on this\r\nbehaviour, and began conducting regular Internet scans to find servers matching this new fingerprint.\r\nIn September 2018, Citizen Lab published Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations\r\nin 45 Countries, which described the results of this follow-up scanning, conducted between August 2016 and\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 3 of 7\n\nAugust 2018. In these scans, we detected 1,091 IP addresses and 1,041 domain names matching our new\r\nfingerprint. We further grouped these IPs and domains into 36 distinct Pegasus operators using a technique we\r\ndeveloped and named Athena. We also devised a new way to conduct DNS Cache Probing, and used this method\r\nto find likely infections, by identifying Internet Service Providers (ISPs) where one or more user was repeatedly\r\nlooking up domain names associated with Pegasus C\u0026C servers.\r\n3. Commercial Spyware Harms Democracy, Press Freedom\r\nAs anti-democratic, authoritarian forces are on the rise in many countries, journalists are increasingly targets for\r\nsurveillance and physical harm. Products like NSO Group’s Pegasus spyware provide government clients with a\r\npowerful tool to surreptitiously monitor journalists, their sources, and the stories on which they are reporting.\r\nMany of NSO Group’s clients appear to lack rigorous oversight over their security services, and have a track\r\nrecord of human rights abuses, including threats against journalists.\r\n3.1. A Growing List of Journalists Targeted with Pegasus\r\nSince 2016, investigations conducted by Citizen Lab and other researchers have now identified at least 13\r\njournalists and civic media actors targeted with Pegasus spyware (Figure 4). In Mexico alone, we have\r\ndocumented at least nine journalists targeted with Pegasus. Azam Ahmed of The New York Times believes he may\r\nhave received an infection attempt while working in Mexico, but the message was deleted before Citizen Lab was\r\nable to analyze it.\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 4 of 7\n\nTroublingly, in both Mexico and Saudi Arabia, spyware infection attempts have been linked to or associated with\r\ntargeted killings. For example, our report into Saudi surveillance of Omar Abdulaziz was published October 1,\r\n2018. The following day, Jamal Khashoggi—Abdulaziz’s confidant with whom he had been communicating with\r\nfor months—was executed. Similarly, two days after Mexican investigative journalist Javier Valdez Cárdenas was\r\ngunned down in a cartel-linked murder, his wife and colleagues received SMS messages designed to install\r\nPegasus on their phones. These links between murders and attempts of targeted surveillance are echoed by recent\r\ninvestigative reporting in the Financial Times detailing targeting against the Rwandan diaspora, including\r\nopposition activists and other exiles threatened by Rwandan death squads.\r\n3.2. An NSO Operator May Have Masqueraded as the Washington Post\r\nCitizen Lab has also identified evidence suggesting that a Pegasus operator may have been masquerading as the\r\nWashington Post to infect targets in the weeks before and after the October 2018 killing of Jamal Khashoggi.\r\nWhile the timing overlaps with the killing, the two are not necessarily related. We have very recently shared some\r\ntechnical details with the Post’s information security team, and there are no indications that this targeting affected\r\nanyone at the Washington Post. We also note that there is no overlap between the timeline of this activity and\r\nrecently reported events surrounding the mobile phone of Jeff Bezos.\r\n3.3. Commercial Spyware Used to Hack Journalists\r\nNSO Group’s Pegasus spyware is not the only commercial surveillance technology on the market, nor is\r\ncommercial spyware the only means by which abusive surveillance of journalists can be carried out.\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 5 of 7\n\nPrior Citizen Lab research has identified targeted espionage against Ethiopian journalists linked to the Ethiopian\r\ngovernment, and using spyware sold by Hacking Team (now known as Memento Labs) and Cyberbit (an Israeli-based spyware vendor). Our Stealth Falcon report detailed a targeted digital espionage campaign against UK-based journalist Rori Donaghy using bespoke spyware linked in media reports to UAE-based cybersecurity firm\r\nDark Matter. Likewise, our research has documented numerous cases of targeted digital espionage against\r\njournalists and news organizations covering Russia, Tibet, and China, dating back to 2009.\r\nAcademic research on journalist security show that journalists do not share the same digital security practices and\r\nperceptions across the profession. For example, a study found that a common mindset for journalists is to only\r\nprioritise digital security if they perceive the stories they are working on as sensitive enough to attract the\r\nattention of government authorities.\r\nEchoing these findings, ongoing research by the Citizen Lab finds that investigative reporters tend to take digital\r\nsecurity more seriously than their peers who work on non-investigative beats, and have higher familiarity with\r\ndigital security tools and practices. \r\nAs an investigative reporter covering a sensitive topic, Ben Hubbard was wary of suspicious messages and chose\r\nto share the one he received with us for analysis. Yet, not all targeted journalists are working on a topic where the\r\nrisk of surveillance may be so obvious.\r\nSome studies show that differences in education and training, alongside other variables such as financial\r\nincentives and institutional culture, may play a key role in closing or compounding gaps in digital security\r\npractices. For example, a peer-reviewed study that interviewed journalists in the US and France found journalists,\r\neditors, and technical staff may conceptualise and prioritise security issues differently, to the effect that reporters\r\nmay resist and resent top down efforts to change security practices, or may see security as important, but struggle\r\nto get institutional support towards its implementation. Another such study involving US-based journalists found a\r\ngeneral lack of security culture in journalism and conflict between journalists and IT professionals within news\r\norganisations as among the key barriers to journalists adopting secure tools and practices.\r\nThe Citizen Lab recently conducted a survey of 124 journalism schools across the US and Canada to probe what\r\ndigital security courses they offered. Only half of the schools surveyed offered some form of digital security\r\ntraining, and only a quarter required it. Among programs that offered training, the majority devoted less than two\r\nhours to the subject.\r\nTaken together, this body of research shows that more action is needed to prepare journalists for the digital threats\r\nthey face. We believe that reports—such as this one—that continue to expose real cases of digital threats faced by\r\njournalists may help motivate those agitating for more methodical attention to digital security in journalism\r\nschools and news organizations.\r\n4. Conclusion\r\nThe targeting of yet another journalist—in this case at the New York Times—makes it clear that the current\r\nregulatory regime for the spyware industry is not working. Absent strong regulation and control, the industry will\r\ncontinue to bolster authoritarianism by helping powerful elites invisibly thwart the work of journalists seeking to\r\nhold them to account.\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 6 of 7\n\nIn 2019, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and\r\nexpression concluded that existing legal frameworks are insufficient, and called for a moratorium on the export,\r\nsale, transfer, use, or servicing of privately developed surveillance tools until a human rights-compliant safeguards\r\nregime is in place.\r\nUnfortunately, states have not acted—leading victims to take accountability into their own hands. In 2019 alone,\r\nseveral lawsuits were filed against spyware companies and their government clients, with plaintiffs including\r\nspyware targets, a human rights organization, and a major tech company. While these lawsuits may be the best\r\noption in the short-term, this piecemeal approach cannot provide the same benefits as comprehensive regulation of\r\nthe industry. Until there is action on this front, the media and other institutions that protect us all are vulnerable\r\nlike never before.\r\nAcknowledgements\r\nWe thank Ben Hubbard for sharing his suspicious message with us, along with the many other journalists who\r\nhave participated in our previous investigations. Special thanks to Sharly Chan, Miles Kenyon, and Adam Senft\r\nfor copy editing and additional assistance.\r\nResearch Ethics\r\nAll research involving human subjects conducted at the Citizen Lab is governed under research ethics protocols\r\nreviewed and approved by the University of Toronto’s Research Ethics Board. The Citizen Lab does not take\r\ngeneral or unsolicited inquiries related to individual concerns regarding information security and cannot provide\r\nindividual assistance with security concerns.\r\nSource: https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nhttps://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/" ], "report_names": [ "stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator" ], "threat_actors": [ { "id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a", "created_at": "2022-10-25T16:07:24.228663Z", "updated_at": "2026-04-10T02:00:04.905195Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038", "Project Raven", "Stealth Falcon" ], "source_name": "ETDA:Stealth Falcon", "tools": [ "Deadglyph", "StealthFalcon" ], "source_id": "ETDA", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "77aedfa3-e52b-4168-8269-55ccec0946f7", "created_at": "2023-01-06T13:46:38.453791Z", "updated_at": "2026-04-10T02:00:02.981559Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038" ], "source_name": "MISPGALAXY:Stealth Falcon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bd084d2f-4233-49b1-b0e6-c7011178dae0", "created_at": "2022-10-25T15:50:23.544316Z", "updated_at": "2026-04-10T02:00:05.325921Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "Stealth Falcon" ], "source_name": "MITRE:Stealth Falcon", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434518, "ts_updated_at": 1775826717, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/682b7d274a46e2daf45fc530d52f69425ff555d1.pdf", "text": "https://archive.orkl.eu/682b7d274a46e2daf45fc530d52f69425ff555d1.txt", "img": "https://archive.orkl.eu/682b7d274a46e2daf45fc530d52f69425ff555d1.jpg" } }