{
	"id": "b76341ca-751b-4af8-9aa5-82efba2cf785",
	"created_at": "2026-04-06T00:09:05.572323Z",
	"updated_at": "2026-04-10T03:31:30.320012Z",
	"deleted_at": null,
	"sha1_hash": "ce3c4e74fe32cd5505b334ca1cd2b43757fcd2bf",
	"title": "From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10658046,
	"plain_text": "From Pearl to Pegasus: Bahraini Government Hacks Activists with\r\nNSO Group Zero-Click iPhone Exploits - The Citizen Lab\r\nArchived: 2026-04-05 14:49:29 UTC\r\nSummary \u0026 Key Findings\r\nWe identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus\r\nspyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click\r\niMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.\r\nThe hacked activists included three members of Waad (a secular Bahraini political society), three members\r\nof the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a\r\nShiite Bahraini political society).\r\nAt least four of the activists were hacked by LULU, a Pegasus operator that we attribute with high\r\nconfidence to the government of Bahrain, a well-known abuser of spyware. One of the activists was hacked\r\nin 2020 several hours after they revealed during an interview that their phone was hacked with Pegasus in\r\n2019.\r\nTwo of the hacked activists now reside in London, and at least one was in London when they were hacked.\r\nIn our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar using\r\nPegasus; never in Europe. Thus, the Bahraini activist in London may have been hacked by a Pegasus\r\noperator associated with a different government.\r\nWe shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that\r\nnumbers associated with five of the hacked devices were contained on the Pegasus Project’s list of\r\npotential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International\r\ndescribe as dating from 2016 up to several years ago.\r\n1. 
Human Rights in Bahrain: A History of Brutal Repression\r\nBahrain is a constitutional monarchy on paper, though in practice, all key power is concentrated in the\r\nhands of the ruling Al-Khalifa family. Bahrain’s legislature consists of an upper house (Shura Council)\r\nappointed by the king, and a lower house (National Assembly) elected from districts of unequal population,\r\ndrawn to ensure the opposition cannot attain a majority. Bahrain has a long history of political movements\r\nseeking greater democratic political reform. More details.\r\nBahrain has a history of brutal repression of dissent. After King Hamad came to power as Emir in 1999,\r\nthe political and human rights situation briefly improved. The king allowed the formation of civil society\r\norganizations, including human rights groups, independent newspapers, and political parties. However,\r\nthese reforms were gradually undone, and by 2010, Bahrain had reverted to its long pattern of arrests,\r\ntorture, and aggressive silencing of political opposition. Little vestige of Bahraini civil society remains\r\ntoday. More details.\r\nBahrain employs a number of methods to block or suppress Internet content. Bahrain’s government\r\nimplements Internet censorship using website-blocking technology from a Canadian company, Netsweeper,\r\nhttps://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/\r\nPage 1 of 24\n\nand also employs targeted Internet disruptions in order to stymie protests. Bahrainis who have posted\r\ncritical content online have been pursued by the Ministry of Interior’s Cyber Crime Unit and arrested.\r\nMore details.\r\nBahrain surveils human rights activists, dissidents, and members of the political opposition. The\r\ngovernment increasingly uses Internet controls and spyware, targeting individuals inside Bahrain and\r\noutside the country. Since 2010, Bahrain has purchased spyware from FinFisher, Hacking Team, and NSO\r\nGroup. 
More details.\r\n2. Pegasus Hacking of Bahraini Activists\r\nThe government of Bahrain appears to have purchased NSO Group’s Pegasus spyware in 2017. Our Hide and\r\nSeek report identified a Pegasus operator spying entirely in Bahrain and Qatar that we referred to as PEARL,\r\nwhich had been active since July 2017.\r\nWe observed a massive global spike in Pegasus activity in July 2020, and began conducting research in a number\r\nof country contexts, including Bahrain. We hunted for Pegasus in Bahrain by instructing targets to forward us their\r\nphone logs for analysis, and by setting up VPNs for key targets to monitor their Internet traffic. We analyzed the\r\nphone logs using our forensic process, and found that nine devices belonging to nine Bahraini activists had been\r\nhacked. In three cases, our forensic analysis concluded that the phones were hacked, but we were unable to\r\nestablish an approximate date of the hacking. Analysis is ongoing in these cases to see if a more precise date can\r\nbe identified. 
In the remaining six cases, our analysis established some precise dates when Pegasus was active on\r\nthe phones.\r\nThe two targets we identified in London consented to be named, though all of the targets in Bahrain wished to be\r\nreferred to by their affiliations only.\r\nTarget | Description | Date(s) of Hacking\r\nMoosa Abd-Ali* | | (Sometime before September 2020)\r\nYusuf Al-Jamri | | (Sometime before September 2019)\r\nActivist A | | September 16, 2020\r\nActivist B* | Member of Waad, Labor Law Researcher | June 3, 2020; July 12, 2020; July 19, 2020; July 24, 2020; August 6, 2020; September 15, 2020\r\nActivist C | Member of Waad | September 14, 2020\r\nActivist D* | Member of BCHR | September 14, 2020\r\nActivist E | Member of BCHR | February 10, 2021\r\nActivist F* | Member of BCHR | July 11, 2020; July 15, 2020; July 22, 2020; October 13, 2020\r\nActivist G* | Member of Al Wefaq | (Sometime before October 2019)\r\n(*) = Forbidden Stories confirmed that the phone number currently associated with the device is on\r\nthe Pegasus Project list, indicating that it was previously a potential target of NSO Group’s\r\ncustomers.\r\nBahraini Targets\r\nThis section describes the Bahraini targets hacked with Pegasus that we identified.\r\nWaad\r\nThree targets are members of Waad, a center-left secular political society in Bahrain. Political parties are illegal in\r\nBahrain, but “political societies,” which perform many of the functions of political parties, have been allowed\r\nsince 2001.\r\nThe Bahraini government banned Waad and seized its assets amidst a wave of repression in early 2017. The\r\ngovernment claimed that Waad had “support[ed] terrorism and sanction[ed] violence,” despite the fact that Waad\r\nhas never used violence, and has always committed itself to peaceful methods. 
Before it was banned, Waad’s\r\nheadquarters was twice subjected to arson, and was defaced by pro-government protesters in 2011 who wrote\r\n“Down with Iran” and slogans against Bahrain’s Shia Muslims.\r\nBahrain Center for Human Rights\r\nThree targets are members of the Bahrain Center for Human Rights, a Bahraini NGO formed in 2002, and banned\r\nsince 2004, when the Center’s then-President blamed Bahrain’s Prime Minister for failing to address citizens’\r\neconomic concerns. Nevertheless, the organization has continued to operate without government approval, and\r\nwas awarded the 2013 Rafto Prize.\r\nAl Wefaq\r\nOne target is a member of Al Wefaq, Bahrain’s largest opposition political society. All of the Al Wefaq members\r\nof Bahrain’s National Assembly resigned en masse in 2011 in protest of the government’s violent repression of\r\npeaceful protesters. A Bahrain-based news channel, Al-Arab, was shut down less than 24 hours after it was\r\nlaunched in February 2015 because the channel aired an interview with the Secretary General of Al Wefaq. In July\r\n2016, the Bahraini government dissolved Al Wefaq and seized its assets. Also in 2016, the Bahraini government\r\nrevoked the citizenship of Al Wefaq’s de-facto spiritual leader Sheikh Isa Qassim, a Bahraini by birth.\r\nThe Bahrain government has clumsily attempted to link Al Wefaq to terrorism and violence for a number of years.\r\nDuring the height of the protests in Bahrain in 2011, state television aired a forced confession read by a detainee\r\nwho had earlier died under torture. In the forced confession, the detainee said that Matar Matar, a moderate\r\nmember of Al Wefaq, had ordered him to murder policemen. 
Matar had earlier called for the establishment of a\r\nsecular democracy in Bahrain, and had condemned the arrest of doctors that had treated protesters.\r\nLondon Targets\r\nTwo of the targets, Moosa Abd-Ali and Yusuf Al-Jamri, are Bahrainis currently living in exile in London.\r\nAl-Jamri was granted asylum by the UK Home Office in 2018, based on his reports that he was tortured in 2017\r\nwhile in the custody of Bahrain’s main intelligence agency, the National Security Apparatus (جهاز الأمن الوطني).\r\nBahrain’s National Security Apparatus (NSA) is infamous for torturing to death journalist Karim Fakhrawi in\r\n2011, according to the findings of an independent inquiry (para. 877) that Bahrain’s king ordered under\r\ninternational pressure. After recommendations from the same commission of inquiry, Bahrain’s king in 2012\r\nrevoked the NSA’s law enforcement powers, though he restored these powers in a January 2017 Royal Decree. A\r\nRoyal Decree in 2020 changed the name of the NSA to the National Intelligence Service (جهاز المخابرات الوطني).\r\nAl-Jamri’s iPhone 7 appears to have been hacked with Pegasus at some point prior to September 2019. We were\r\nunable to determine whether he was hacked while in Bahrain or London. Further forensic analysis may be able to\r\nestablish a more precise date of hacking.\r\nMoosa Abd-Ali is a Bahraini activist living in exile in London. He sued FinFisher, another spyware company, for\r\nsupplying the Bahraini government with spyware that was used to hack his personal computer in 2011. The spying\r\nagainst Moosa’s computer was first revealed in data leaked from FinFisher. Abd-Ali’s iPhone 8 appears to have\r\nbeen hacked with Pegasus at some point prior to September 2020. 
Further forensic analysis may be able to\r\nestablish a more precise date of the hacking.\r\nLULU: A Bahrain Government Operator\r\nWe attributed the hacking of Activists A-D (three members of Waad, and one member of BCHR) to a Bahrain\r\ngovernment operator of Pegasus that we call LULU. Like PEARL, LULU appeared to be spying exclusively in\r\nBahrain and Qatar. The LULU operator may in fact be the same operator as PEARL, which we identified in 2017\r\nand 2018. While we did not identify any IP addresses or domain names in common between LULU and PEARL,\r\nwe would not necessarily expect to identify any infrastructure in common, as NSO Group registered servers with\r\nnew domain names and new IP addresses for all its clients following 2018 reports by Citizen Lab and Amnesty\r\nTech. We have never observed more than one Bahrain government operator active at a time.\r\nThe Pegasus spyware installed on the phones of Activists A-D used four IP addresses for command-and-control.\r\nEach IP address returned a TLS certificate for hooklevel[.]com, though no DNS lookups were performed for this\r\ndomain, and the spyware’s TLS Client Hello message did not contain an SNI. The infection server used was\r\n*.api1r3f4.redirectweburl[.]com.\r\nIP | CN in TLS Certificate\r\n172.105.89.243 | *.api1r3f4.redirectweburl[.]com\r\n64.227.121.213 | hooklevel[.]com\r\n206.189.31.108 | hooklevel[.]com\r\n195.181.213.122 | hooklevel[.]com\r\n80.211.231.5 | hooklevel[.]com\r\nTable 1: Servers that LULU used to spy on Bahraini activists.\r\nOur forensic analysis has not yet established which Pegasus operator hacked the remaining five devices. Because\r\nwe have never observed the Bahrain government successfully hack a target outside of Bahrain or Qatar with\r\nPegasus, we suspect that Moosa Abd-Ali was hacked by a second Pegasus operator. 
That a foreign government\r\nmay have been responsible for the hacking does not preclude the possibility that the ultimate recipient of the\r\nhacked data was the Bahraini government.\r\nMechanisms of Hacking\r\nThis section provides a high-level overview of the mechanisms by which the Bahraini targets were hacked. This\r\nsection involves synthesis of data from multiple phones, including phones belonging to non-Bahraini targets.\r\nJuly – September 2020: KISMET iMessage Zero-Click\r\nWhen the KISMET exploit was being fired at one of the devices running iOS 13.5.1, the log showed crashes\r\nassociated with IMTranscoderAgent, which is responsible for transcoding and previewing images in iMessages.\r\nSpecifically, the crashes were segfaults in the com.apple.IMTranscoderPreviewGenerationQueue thread while\r\napparently parsing ICC color profile data in a JPEG image received via iMessage. Unfortunately, we were only\r\nable to locate crash summaries with abbreviated stack traces in the system logs.\r\nAfter the crashes, IMTranscoderAgent then invoked WebKit to download and render items from the Pegasus\r\ninfection server. The rendering triggered a memory pressure warning in JavaScriptCore, and also triggered a\r\nMetal shader compilation.\r\nWe believe that KISMET was used as a zero-day exploit against at least iOS 13.5.1 and 13.7.\r\nSeptember 2020: Back to One-Click Exploits\r\nShortly after Activist B upgraded to iOS 14 in September 2020, they received an SMS link to Pegasus from\r\n“MailExpress,” indicating that the KISMET exploit was not supported on iOS 14.\r\nThe message was a fake DHL package tracking notification. The target may have accidentally previewed the link\r\nin the message while attempting to copy the message to send it to us. 
The target’s VPN recorded that the link in\r\nthe message was opened, and redirected to a unique subdomain of api1r3f4.redirectweburl[.]com, confirming that\r\nit was a Pegasus link connected to the Bahraini government operator of Pegasus, LULU. This action did not result\r\nin the infection of the phone; it is possible that the target closed the preview before the exploit ran.\r\nNSO Group may have temporarily switched back to one-click iOS exploits due to the new BlastDoor security\r\nfeature implemented by Apple. The BlastDoor feature was designed to make zero-click exploitation via iMessage\r\nharder.\r\nFebruary – July 2021: FORCEDENTRY iMessage Zero-Click\r\nStarting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that\r\ncircumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY, because of its ability to\r\ncircumvent BlastDoor. Amnesty Tech also observed zero-click iMessage exploitation activity around the same\r\ntime, and referred to the activity they observed as “Megalodon.” We confirmed with Amnesty Tech that the\r\n“Megalodon” activity they observed matches the characteristics of the FORCEDENTRY exploit that we\r\nobserved.\r\nWhen the FORCEDENTRY exploit was being fired at a device, the device logs showed crashes associated with\r\nIMTranscoderAgent. The crashes appeared to be segfaults generated by invoking the\r\ncopyGifFromPath:toDestinationPath:error function on files received via iMessage.\r\nThe crashes appeared to be of two types. 
Type one crashes indicate that the chain of events set off by invoking\r\ncopyGifFromPath:toDestinationPath:error ultimately crashed while apparently invoking ImageIO’s functionality\r\nfor rendering Adobe Photoshop PSD data.\r\nType two crashes indicate that the chain of events set off by invoking copyGifFromPath:toDestinationPath:error\r\nultimately crashed while invoking CoreGraphics’ functionality for decoding JBIG2-encoded data in a PDF file.\r\nAfter the IMTranscoderAgent crashes, we noticed that the Apple thermal monitoring daemon, thermalmonitord,\r\nreturned a series of errors:\r\nException caught during decoding of reply to message ‘propertiesOfPath:handler:’, dropping incoming message\r\nand calling failure block.\r\nThen, thermalmonitord invoked the tailspin process three times. The tailspin process caused two segfaults, but we\r\nultimately found an invocation of tailspin running alongside the spyware:\r\n/usr/bin/tailspin test-symbolicate 1234567\r\nPhone logs indicated that the “responsible process” for the spyware was amfid, the Apple mobile file integrity\r\ndaemon.\r\nWe saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day.\r\nWith the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and\r\nFORCEDENTRY with Apple, Inc., which confirmed they were investigating.\r\n3. Hacked Again After Going Public\r\nActivist D, a member of the Bahrain Center for Human Rights, was additionally targeted with Pegasus in March\r\n2019 with a Pegasus SMS message from “BatelcoEsvc.” Activist D discussed the 2019 incident in a 2020\r\ninterview in which Activist D was interviewed alongside one of the authors of this report. 
The Bahraini\r\ngovernment’s LULU operator hacked Activist D with Pegasus using the KISMET zero-click exploit approximately\r\nsix hours after the interview first aired. This case highlights the risks inherent in going public with instances of\r\nhacking.\r\nThe 2019 Pegasus SMS appeared in a thread with legitimate messages from Activist D’s mobile provider,\r\nBatelco. The target was curious about the message, and contacted Batelco, who told them that the message was\r\nnot of a type sent by Batelco.\r\nThe link unshortens to a website on info-update[.]org, which redirected to the legitimate Batelco e-services\r\nwebsite (https://e.batelco.com/eservices/Login) when submitted to VirusTotal. When we checked it, the link\r\nreturned a 404.\r\nThe info-update[.]org website is connected to the Pegasus spyware, as we show below.\r\nDecoy Page Reveals 2019 Pegasus Sites\r\nNSO Group has occasionally made use of visible decoy pages, perhaps in an effort to make their Pegasus\r\ninfrastructure appear as innocuous servers. We found an interesting server, start-anew[.]net, which displayed an\r\nopen directory listing that contained a decoy page.\r\nThe directory contained a file, 1, which contained HTML source code for a website maintenance decoy page. The\r\npage was entitled “While maintenance:” and contained the text “Working hard to create a new website design.\r\nStay in touch!”\r\nThe title “While maintenance:” and the text “Working hard to create a new website design. Stay in touch!”\r\nexactly matched pages returned by two Pegasus servers that matched a fingerprint we used in our Hide and Seek\r\nreport. 
These two servers were part of a group of Pegasus servers that were spun up in 2018 after Amnesty Tech\r\nand Citizen Lab published reports about the targeting of an Amnesty International staffer with Pegasus, but before\r\nCitizen Lab’s Hide and Seek report.\r\nIP | Domain | Dates Matching Decoy Page [1] | Dates Matching Hide and Seek Fingerprint [2]\r\n209.250.237.55 | youneedjelly[.]net | 8/28/2018 – 10/14/2018 | 8/31/2018 – 9/6/2018\r\n92.222.71.144 | visiblereminder[.]net | 8/28/2018 – 9/11/2018 | 8/31/2018 – 9/6/2018\r\nFrom the contents of start-anew[.]net, we surmised that the following websites were part of the new Pegasus\r\ninfrastructure:\r\nreunionlove[.]net\r\nnews-now[.]co\r\nhelpusfind[.]biz\r\nScanning Shared Web Hosters\r\nWe noted that these three domains were hosted on shared web hosting providers. In other words, the IP addresses\r\nthat they pointed to had dozens of other innocuous domains also pointing to them. In previous iterations of NSO\r\nGroup’s Pegasus infrastructure, each domain name pointed to a separate IP address.\r\nScanning websites on shared web hosting required us to adjust our scanning infrastructure to use domain names\r\nrather than IP addresses. The usage of shared hosting providers appears to have begun after we published our\r\nHide and Seek report in September 2018. We disclose our fingerprinting and scanning pipeline below, because it is\r\nno longer capable of detecting Pegasus servers.\r\nStep | Description | Approx. # Domains\r\nS1 | Generate a list of interesting domain names to scan using TLS certificates from specific issuers. | ~6 million\r\nS2 | For all domains above, send a GET request for /robots.txt, and check whether the response status line is 404 Not Found with a Content-Type header mentioning text/html, but with no response body. We also excluded any responses with an ETag or a Set-Cookie header. | ~500\r\nS3 | For matching domains above, send a GET request for / and check whether the response is the same as above. | ~175\r\nWe devised these scanning steps based on the configuration of the three domain names found on start-anew[.]net.\r\nA Window into 2019 Pegasus SMS Infection Infrastructure\r\nOur scan results comprise 175 domain names, and included the domain name info-update[.]org from the SMS sent\r\nto Activist D. Our scan results also include one domain name that appears to be directly related to human rights\r\n(human-rights-news[.]com), as well as domain names that indicate potential targeting in the USA (washington-today[.]com, breakingnewyork[.]info), as well as apparent targeting in relation to the Bahraini elections (i-election-online[.]com).\r\nWe also found several interesting websites linked to Azerbaijan, including siyasimehbus[.]com (“political\r\nprisoners”) and mitinq23fevral[.]info, which is a reference to “Rally 23rd February,” a protest planned by the\r\nopposition Popular Front Party on February 23, 2019. The protest was not authorized by authorities.\r\n4. Historical Context\r\nBahrain: One Monarchy, Two Constitutions\r\nThe Kingdom of Bahrain is an archipelago situated off the east coast of the Kingdom of Saudi Arabia. 
From the\r\nsixteenth century until the nineteenth century, Bahrain was occupied by a succession of ruling powers, until\r\nSheikh Ahmed Bin Mohammed Al Khalifa (known in Bahrain as “Ahmed the Conqueror”) seized control of\r\nBahrain in 1783. The rule of the Al Khalifa family has persisted until the present day, despite numerous internal\r\nand external challenges to their authority, including during the period from 1820 to 1971 when Bahrain was a\r\nBritish protectorate under the General Maritime Treaty of 1820.\r\nBahrain declared independence from Britain on August 15, 1971, after the withdrawal of British troops. Six\r\nmonths later, Bahrain’s then-Emir, Sheikh Isa bin Salman Al-Khalifa, decreed that a constituent assembly would\r\ndraft a new constitution. In 1973, the assembly issued their constitution, which provided for an elected unicameral\r\nparliament with an advisory, rather than legislative role. However, after Bahrain’s first parliament saw a\r\ncontentious debate on a state security decree, the Emir dissolved the parliament in 1975, and suspended the\r\nConstitution.\r\nBetween 1975 and 2001, the Bahraini government engaged in numerous forms of repression. Human Rights\r\nWatch described abuses in the country during this time as “wide-ranging” and covering a broad spectrum of\r\noffences, including arbitrary detention, the psychological abuse of detainees, and the “broad denial of fundamental\r\npolitical and civil liberties.”\r\nSheikh Isa was succeeded by his son Sheikh Hamad Bin Isa Al Khalifa in 1999. Sheikh Hamad’s rule began with\r\nreform measures including the release of political prisoners. Sheikh Hamad also appointed a committee to draft a\r\n“National Action Charter” to address political grievances. 
On February 14, 2001, Bahrainis approved the Charter\r\nwith 98.4% of the vote. The next year, Sheikh Hamad declared Bahrain a Kingdom and promulgated a new\r\nconstitution that broke one of the Charter’s key vows. While the Charter called for a bicameral parliament with\r\nsole legislative power vested in an elected lower house, Bahrain’s 2002 constitution allowed the parliament’s\r\nappointed upper house to exercise a de-facto veto over legislation passed by the lower house. As a result, several\r\npolitical societies in Bahrain boycotted the first elections under the new constitution in 2002.\r\nAdditionally, electoral districts for the parliament’s lower house were drawn to be of unequal sizes, in order to\r\ndiminish the opposition’s political power. For example, in Bahrain’s 2012 parliamentary elections, the voting\r\npower of an individual in a pro-government district was roughly 21 times the voting power of an individual in an\r\nopposition stronghold.\r\nA Brutal History of Repression\r\nSince 1938, organized political movements have demanded greater popular representation in Bahrain. However,\r\nthe government has responded with repression and violence that continues to the present day. 
Bahrain saw a brief\r\nperiod of improvement in human rights following Sheikh Hamad’s reforms, though as is often the case in Bahrain,\r\nperceived challenges to the monarchy led to the rollback of reforms.\r\nIn 2010, prior to the Arab Spring, the Haq Movement, the Islamic Wafa Movement, and the Bahrain Freedom\r\nMovement called for a boycott of parliamentary elections that were scheduled to take place on October 23, 2010.\r\nIn response, immediately before the elections, the government cracked down on opposition activists.\r\nAs part of the Arab Spring uprising, Bahrainis took to the streets on the tenth anniversary of the National Action\r\nCharter’s approval (February 14, 2011) demanding democratic political reform, freedom, justice, and equal\r\ndistribution of wealth and power. The pace of protests increased as security forces targeted and killed protesters.\r\nDrawing inspiration from Egypt’s Tahrir Square, Bahraini demonstrators quickly occupied the Pearl Roundabout,\r\na major traffic circle that contained a towering monument of six sails holding up a giant pearl. The pearl\r\nmonument quickly became an opposition symbol. On March 18, 2011, Bahraini forces, backed by troops from\r\nSaudi Arabia and the United Arab Emirates, forcibly evicted the protesters. Security forces arrested and tortured\r\nhundreds of Bahrainis. The government also began a campaign to expunge the Pearl Roundabout and its symbolic\r\nmonument from Bahrain. 
The government demolished the monument, paved over the roundabout, and even\r\nrecalled coinage featuring the monument.\r\nUnder international pressure following the killings of dozens of protesters and detainees by security forces,\r\nBahrain’s king formed the Bahrain Independent Commission of Inquiry to investigate the events of February to\r\nMarch 2011. The Commission’s report, issued on November 23, 2011, concluded that the authorities were\r\nresponsible for “grave violations of human rights, including the arbitrary deprivation of life, torture, and arbitrary\r\ndetention.”\r\nIn 2016, the Bahraini authorities expanded their efforts to ban and dismantle opposition movements. The\r\ngovernment dissolved Al-Wefaq and jailed its leader Ali Salman for life. The government also stripped the\r\ncitizenship of Sheikh Isa Qassim, a natural born Bahraini and prominent Shia cleric regarded as the spiritual leader\r\nof Al-Wefaq. Bahrain stepped up repression measures in 2017. The government reinstituted the death penalty and\r\nauthorities continued to employ arbitrary revocation of citizenship as a new means of repression. Hundreds of\r\nactivists were stripped of their citizenship and remain stateless.\r\nIn March 2017, the Bahraini Justice Ministry dissolved and then charged Waad with “advocating violence,\r\nsupporting terrorism and incitement to encourage crimes and lawlessness” after the political group issued a\r\nstatement on the anniversary of the 2011 uprising saying that Bahrain was suffering from a “constitutional\r\npolitical crisis.” This event was followed by the permanent suspension of Al Wasat newspaper in June 2017. 
At the\r\ntime, Al Wasat was Bahrain’s only independent newspaper, and had been briefly suspended several times since its\r\ninception in 2002.\r\nRecent events suggest that the government of Bahrain will continue its repressive policies. Under the pretext of\r\naddressing COVID-19, the Bahraini government has imposed further restrictions on freedom of expression.\r\nFurther, while Bahrain released a number of prisoners in March 2020 due to COVID-19, authorities excluded\r\npolitical prisoners from that release.\r\nBahrain’s Internet Censorship\r\nFreedom of expression is enshrined in Articles 23, 24, and 26 of the 2002 Bahraini Constitution. Despite this\r\nveneer of legal protection, Bahrain ranks 168 out of 180 countries on the 2021 World Press Freedom Index. The\r\nBahraini government maintains tight control over the Internet by requiring all websites hosted in Bahrain to be\r\nregistered with the Information Affairs Authority (IAA). The government imposes strict filtering policies.\r\nOne of the first instances of website censorship in Bahrain was the 2002 blocking of popular online forum\r\nBahrainOnline.org. The website, which was hosted outside of Bahrain, was central in facilitating public debate\r\nand discussion critical of the Bahraini government, from planning for the February 2011 protests to sharing videos\r\nand photos of human rights violations and protests.\r\nBahrain formalized its Internet censorship regulations in 2009, when the Ministry of Culture and Information\r\nissued a resolution requiring all ISPs to install website blocking software chosen by the Ministry, and to comply\r\nwith requests from the Ministry to block specific websites. 
The websites of political opposition, human rights\r\norganizations, and online newspapers were blocked in 2009. The same policies have been applied to social media\r\nplatforms. In late 2010, the authorities blocked the Facebook page of Abdul Wahab Hussien, a Bahraini opposition\r\nleader.\r\nAfter the uprising in 2011, the Bahraini authorities expanded Internet controls in the country by targeting political\r\nand religious and human rights content. Websites, live-streaming platforms, and some social media sites were\r\ncensored.\r\nIn 2013, the Citizen Lab documented the presence of censorship and surveillance technology (namely, ProxySG\r\ndevices and PacketShaper devices) produced by Blue Coat Systems in Bahrain. In 2016, the Citizen Lab reported\r\nthat Internet-filtering technology produced by Netsweeper, Inc. was present on the networks of nine Bahrain-based ISPs. Testing on the ISP Batelco showed that at least one of these Netsweeper installations was being used\r\nto filter political content, including content related to human rights, opposition political websites, Shiite websites,\r\nand local and regional news sources.\r\nAlso in 2016, a nightly Internet disruption was reported in the Bahraini village of Duraz. The disruption coincided\r\nwith peaceful nightly protests outside the house of Al Wefaq’s de-facto spiritual leader, Isa Qassim, that started\r\nwhen the Bahraini government revoked his citizenship. An investigation by Bahrain Watch found that both\r\nlandline and mobile Internet services were disrupted. Landline connections were disrupted by artificially\r\nintroducing astronomical latency and packet loss between specific hours (Figure 21) on IP addresses assigned to\r\nsubscribers in Duraz. During the same hours, all data services on cell towers serving Duraz were disabled. 
Outside\r\nof the disrupted hours, the Internet in Duraz appeared to function normally.\r\nAs of 2020, Bahrain continues to be categorized as “Not Free” by Freedom House. In its most recent Freedom on\r\nthe Net report, Freedom House states “numerous websites continued to be blocked, social media users were\r\ncontinuously interrogated at the security department and were pressured to remove content, and citizens were\r\narrested and jailed for content posted online,” among other developments.\r\nSurveillance of Bahraini Dissidents\r\nIn addition to the authorities expanding Internet controls in Bahrain, there have been numerous reports regarding\r\nBahrain’s use of surveillance technology against human rights activists, dissidents, and members of the political\r\nopposition, domestically and transnationally.\r\nIn 2011, Bloomberg reported that Trovicor GmbH (previously related to Nokia Siemens Networks) sold\r\ninterception equipment to Bahrain, which the authorities then used to spy on dissidents’ communications. One\r\nsuch target was Abdul Ghani Al Khanjar, a Bahraini activist, who publicly described how he was confronted with\r\ntranscripts of his SMS text messages while being detained and tortured by the authorities between August 2010\r\nand February 2011. The transcripts of Al Khanjar’s text messages were reportedly obtained from Trovicor’s\r\nsystem.\r\nIn 2012, the Citizen Lab released a report describing the targeting of Bahraini activists and human rights\r\ndefenders, using surveillance malware from a UK-German company, FinFisher. A subsequent leak of files from\r\nFinFisher indicated that the Bahraini government used FinFisher’s spyware to spy on large swathes of the\r\nopposition at home and abroad. 
A leaked target list showed that the computer of a prominent Bahraini lawyer was\r\nhacked on the same day as a blackmail attempt against him. The lawyer received a CD containing instructions that\r\nthe lawyer should stop defending activists, otherwise a video included on the CD would be publicized. The lawyer\r\nviewed the CD on his computer, and found that it contained a private video of him with his wife, recorded from a\r\nhidden camera installed in the ceiling of his house. A copy of the video was ultimately published when the lawyer\r\nrefused to accede to the blackmail.\r\nA 2013 report by Bahrain Watch documented how the Ministry of Interior’s Cyber Crime Unit was\r\ndeanonymizing pseudonymous Twitter activists by sending them IP logger links, and then requesting subscriber\r\ndata from local ISPs for the IP address that clicked on the link. Activists who clicked were arrested or fired from\r\ntheir jobs. For example, a high school student allegedly clicked on the IP logger link in the Facebook chat message\r\nin Figure 23 that was sent from the account of an arrested activist. The student was sentenced by a Bahraini court\r\nto one year in prison because the account to which the IP logger link was sent had earlier published tweets deemed\r\noffensive to Bahrain’s king.\r\nLeaked documents and investigations have revealed a number of additional surveillance contracts between\r\nBahrain’s government and foreign companies. In 2013, Bahrain’s Ministry of Interior acquired Hacking Team’s\r\nspyware, though no Bahraini targets of Hacking Team’s spyware were ever publicly identified. A 2016\r\ninvestigation by Bahrain Watch and The Intercept that reviewed Bahraini court documents showed that the\r\nBahraini government was using phone forensics technology sold by Cellebrite to extract private data from arrested\r\nactivists’ phones. Finally, a 2018 investigation by Haaretz revealed that Verint Systems Inc. 
provided Bahrain with\r\ntechnology for social media monitoring.\r\n5. Conclusion\r\nDespite a half-decade of being implicated in human rights abuses, NSO Group regularly claims that they are, in\r\nfact, committed to protecting human rights. The company has even published a “Human Rights Policy,” a\r\n“Transparency and Responsibility Report,” and claimed to subscribe to the United Nations Guiding Principles on\r\nBusiness and Human Rights. However, this purported concern is contradicted by a growing mountain of evidence\r\nthat its spyware is used by authoritarian regimes against human rights activists, journalists, and other members of\r\ncivil society.\r\nMost recently, the Pegasus Project, a collaboration between Amnesty International and the Forbidden Stories\r\ncollective, has revealed that a wide range of countries have leveraged Pegasus spyware to target and infect\r\nmembers of civil society, and their friends and family members, around the globe. In the context of this report, we\r\nshared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers\r\nassociated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO\r\nGroup’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to\r\nseveral years ago.\r\nBahraini Misuse of NSO Spyware was Tragically Predictable\r\nWhile NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious\r\nmisusers of surveillance technology. 
The sale of Pegasus to Bahrain is particularly egregious, considering that\r\nthere is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products\r\nincluding Trovicor, FinFisher, Cellebrite, and, now, NSO Group.\r\nAs highlighted in this report, Bahrain’s human rights track record is equally notorious:\r\nAccording to Freedom House, Bahrain “has become one of the Middle East’s most repressive states,” and\r\nhas “systematically eliminated a broad range of political rights and civil liberties, dismantled the political\r\nopposition, and cracked down harshly on persistent dissent in the Shiite population.”\r\nIn 2019, Human Rights Watch said that Bahrain’s authorities had engaged in “unabated repression,” and\r\nwere “virtually eliminating all opposition.”\r\nIn 2017, the UN High Commissioner for Human Rights, Zeid Ra’ad Al Hussein, remarked that “the\r\ngovernment of Bahrain has imposed severe restrictions on civil society and political activism through\r\narrests, intimidation, travel bans and closure orders, with increasing reports of torture by the security\r\nauthorities,” adding that “the democratic space in the country has essentially been shut down.”\r\nBahraini human rights advocates are imprisoned, monitored, and intimidated at home, and those in exile\r\nare also subjected to digital and traditional means of repression.\r\nThese human rights abuses and prior sales of surveillance technologies are all a matter of public record. These\r\ndocumented abuses should have been obvious “red flags” if NSO Group was genuinely concerned about\r\nundertaking proper due diligence of its clients. The fact that Bahrain used NSO Group’s spyware to target political\r\nopposition and activists, given the country’s track record, was predictable. 
For NSO Group to sell Pegasus to\r\nBahrain in light of this evidence is gross negligence in the name of profit.\r\nProtecting Against Zero-Click Attacks Involves Tradeoffs\r\nWe believe that the specific attacks we mention in this report could have been prevented by disabling iMessage\r\nand FaceTime. However, NSO Group has successfully exploited other messaging apps in the past to deliver\r\nmalware, such as WhatsApp. Thus, disabling iMessage and FaceTime would not offer complete protection from\r\nzero-click attacks or spyware. Additionally, disabling iMessage means that messages exchanged via Apple’s built-in Messages app would be sent unencrypted (i.e., “green messages” instead of “blue messages”), making them\r\ntrivial for an attacker to intercept.\r\n6. Acknowledgements\r\nAli Abdulemam’s work on this project was supported by Access Now. Financial support for this research has been\r\nprovided by the John D. and Catherine T. MacArthur Foundation, the Ford Foundation, Open Societies\r\nFoundation, the Oak Foundation, and Sigrid Rausing Trust. Thanks to Miles Kenyon and Mari Zhou for\r\ncommunications, graphics, and editing support, and Adam Senft and Bahr Abdul Razzak for editorial review.\r\nSource: https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/"
	],
	"report_names": [
		"bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775791890,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce3c4e74fe32cd5505b334ca1cd2b43757fcd2bf.pdf",
		"text": "https://archive.orkl.eu/ce3c4e74fe32cd5505b334ca1cd2b43757fcd2bf.txt",
		"img": "https://archive.orkl.eu/ce3c4e74fe32cd5505b334ca1cd2b43757fcd2bf.jpg"
	}
}