{
	"id": "2c813a68-23a6-4db2-baea-aa653fbd2153",
	"created_at": "2026-04-06T00:10:54.160362Z",
	"updated_at": "2026-04-10T13:12:44.678343Z",
	"deleted_at": null,
	"sha1_hash": "deb9f1aafb01b4feba1d7da75e10f354e96b9888",
	"title": "The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4989953,
	"plain_text": "The Great iPwn: Journalists Hacked with Suspected NSO Group\r\niMessage 'Zero-Click' Exploit - The Citizen Lab\r\nArchived: 2026-04-02 12:08:00 UTC\r\nSummary \u0026 Key Findings\r\nIn July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal\r\nphones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a\r\njournalist at London-based Al Araby TV was also hacked.\r\nThe phones were compromised using an exploit chain that we call KISMET, which appears to involve an\r\ninvisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1\r\nand could hack Apple’s then-latest iPhone 11.\r\nBased on logs from compromised phones, we believe that NSO Group customers also successfully\r\ndeployed KISMET or a related zero-click, zero-day exploit between October and December 2019.\r\nThe journalists were hacked by four Pegasus operators, including one operator MONARCHY that we\r\nattribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab\r\nEmirates.\r\nWe do not believe that KISMET works against iOS 14 and above, which includes new security protections.\r\nAll iOS device owners should immediately update to the latest version of the operating system.\r\nGiven the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone\r\ndevices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule\r\nfraction of the total attacks leveraging this exploit.\r\nInfrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud\r\nproviders Aruba, Choopa, CloudSigma, and DigitalOcean.\r\nWe have shared our findings with Apple and they have confirmed to us they are looking into the issue.\r\n1. 
Background\r\nNSO Group’s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit\r\nand monitor devices. The company is a prolific seller of surveillance technology to governments around the world,\r\nand its products have been regularly linked to surveillance abuses.\r\nFor many years, Pegasus was known for the telltale malicious links sent to targets via SMS. This method was\r\nused by NSO Group customers to target Ahmed Mansoor, dozens of members of civil society in Mexico, and\r\npolitical dissidents targeted by Saudi Arabia, among others. The use of malicious links in SMSes made it possible\r\nfor investigators and targets to quickly identify evidence of past targeting. Targets could not only notice these\r\nsuspicious messages, but they could also search their message history to detect evidence of hacking attempts.\r\nMore recently, NSO Group has been shifting towards zero-click exploits and network-based attacks that allow its\r\ngovernment clients to break into phones without any interaction from the target, and without leaving any visible\r\ntraces.\r\nhttps://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/\r\nPage 1 of 15\n\nThe 2019 WhatsApp breach, where at least 1,400 phones were targeted via an exploit sent through a missed\r\nvoice call, is one example of such a shift. Fortunately, in this case, WhatsApp notified targets. However, it is more\r\nchallenging for researchers to track these zero-click attacks because targets may not notice anything suspicious on\r\ntheir phone. Even if they do observe something like “weird” call behavior, the event may be transient and not\r\nleave any traces on the device.\r\nThe shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the\r\nlikelihood of abuse going undetected. 
Nevertheless, we continue to develop new technical means to track\r\nsurveillance abuses, such as new techniques of network and device analysis.\r\niMessage Emerges as a Zero-Click Vector\r\nSince at least 2016, spyware vendors appear to have successfully deployed zero-click exploits against iPhone\r\ntargets at a global scale. Several of these attempts have been reported to be through Apple’s iMessage app, which\r\nis installed by default on every iPhone, Mac, and iPad. Threat actors may have been aided in their iMessage\r\nattacks by the fact that certain components of iMessage have historically not been sandboxed in the same way as\r\nother apps on the iPhone.\r\nFor example, Reuters reported that United Arab Emirates (UAE) cybersecurity company DarkMatter, operating on\r\nbehalf of the UAE Government, purchased a zero-click iMessage exploit in 2016 that they referred to as “Karma,”\r\nwhich worked during several periods in 2016 and 2017. The UAE reportedly used Karma to break into the phones\r\nof hundreds of targets, including the chairmen of Al Jazeera and Al Araby TV.\r\nA 2018 Vice Motherboard report about a Pegasus product presentation mentioned that NSO Group demonstrated a\r\nzero-click method for breaking into an iPhone. While the specific vulnerable app in that case was not reported, a\r\n2019 Haaretz report interviewed “Yaniv,” a pseudonym used by a vulnerability researcher working in Israel’s\r\noffensive cyber industry, who seemed to indicate that spyware was sometimes deployed to iPhones via Apple’s\r\nPush Notification Service (APNs), the protocol upon which iMessage is based:\r\n“An espionage program can impersonate an application you’ve downloaded to your phone that sends\r\npush notifications via Apple’s servers. 
If the impersonating program sends a push notification and\r\nApple doesn’t know that a weakness was exploited and that it’s not the app, it transmits the espionage\r\nprogram to the device.”\r\nThe Gulf Cooperation Council: A Booming Spyware Market\r\nThe Gulf Cooperation Council (GCC) countries are one of the most significant customer bases for the commercial\r\nsurveillance industry, with governments reportedly paying hefty premiums to companies that provide them special\r\nservices, including analysis of intelligence that they capture with the spyware. The UAE apparently became an\r\nNSO Group customer in 2013, in what was described as the “next big deal” for NSO Group after its first\r\ncustomer, Mexico. In 2017, Saudi Arabia (which the Citizen Lab calls KINGDOM) and Bahrain (PEARL) appear\r\nto have also become customers of NSO Group. Haaretz has also reported that Oman is an NSO Group customer,\r\nand that the Israeli Government prohibits NSO Group from doing business with Qatar.\r\nAl Jazeera and the Middle East Crisis\r\nThe relationship between Saudi Arabia, UAE, Bahrain, Egypt (jointly, “the four countries”) and Qatar is fractious.\r\nThe four countries often claim that Qatar shelters dissidents from the four countries and supports political Islamist\r\ngroups, including the Muslim Brotherhood, whom they view as the most serious challenge to the existing political\r\norder in the Middle East.\r\nIn March 2014, Saudi Arabia, UAE and Bahrain withdrew their ambassadors and froze relations with Qatar for\r\neight months. A second crisis occurred on June 5, 2017, when the four countries cut off diplomatic relations and\r\nclosed their borders with Qatar. 
The crisis was ostensibly precipitated by a fake story planted on the state-run\r\nQatar News Agency (QNA) by hackers, which misquoted Qatar’s Emir referring to Iran as “an Islamic power,”\r\nand praising Hamas. According to US intelligence officials speaking with The Washington Post, senior UAE\r\nGovernment officials approved the QNA hacking operation.\r\nOn June 23, 2017, the four countries issued a joint statement which outlined 13 demands to Qatar, including\r\nclosing a Turkish military base in Qatar, scaling down ties with Iran, and shutting down Al Jazeera and its affiliate\r\nstations and news outlets.\r\nAl Jazeera: Targeted by Criticism, Hacking \u0026 Blocking by Neighbouring Countries\r\nAl Jazeera is somewhat distinctive in the Middle East in terms of its media coverage. On many issues, it presents\r\nalternative viewpoints not available from largely state-run media outlets in the region. Several other attempts at\r\nbuilding credible media channels in the GCC have been met with less success, including Prince Al-Waleed bin\r\nTalal’s highly publicized Bahrain-based Al Arab channel, which was permanently shut down by local authorities\r\non its first day of operations after airing an interview with a member of Bahrain’s opposition Al Wefaq political\r\nsociety.\r\nAl Jazeera’s reporting featured prominently in the Arab Spring, where its extensive, real-time coverage of protests\r\nin Tunisia, Egypt, Yemen and Libya “helped propel insurgent emotions from one capital to the next.” Leaders of\r\ncountries neighboring Qatar regularly express deep concerns about its coverage and in some cases have taken\r\naction to limit the availability of the channel in their countries. In 2017, both Saudi Arabia and the UAE blocked\r\nAl Jazeera’s website.\r\nAfter the fall of Egypt’s President Mubarak in the Arab Spring, Muslim Brotherhood leader Mohammed Morsi\r\nwas elected President of Egypt. 
This election was considered by Saudi Arabia and the UAE as a threat and a sign\r\nof the expansion of Qatar’s regional influence because of Qatar’s history of support for the Muslim Brotherhood.\r\nHowever, Morsi was deposed by a military coup on July 3, 2013 led by General Abdel Fattah el-Sisi and taken into\r\nmilitary custody. One day after the coup, the military shut down a number of news stations in Egypt, including Al\r\nJazeera Mubasher Misr and Al Jazeera’s bureau in Egypt, and detained five of the staff.\r\nAlthough Al Jazeera’s Arabic language coverage of uprisings in neighboring Gulf countries, including Bahrain,\r\nwas generally seen as striking a more muted tone than its English language coverage, the channel was still\r\ncriticized. For example, Bahrain’s Foreign Minister famously tweeted the following about a documentary on the\r\nchannel: “It’s clear that in Qatar there are those who don’t want anything good for Bahrain. And this film on Al\r\nJazeera English is the best example of this inexplicable hostility.”\r\n2. The Attacks\r\nThis section describes the hacking of two reporters’ phones, Tamer Almisshal and Rania Dridi. They are among\r\nthe 36 reporters and editors targeted in the attack, most of whom have requested anonymity. Almisshal and Dridi\r\nconsented to be named in this report and for the Citizen Lab to describe their targeting in detail.\r\nThe 19 July 2020 Attack on Tamer Almisshal\r\nTamer Almisshal is a well-known investigative journalist for Al Jazeera’s Arabic language channel, where he\r\nanchors the “ما خفي أعظم” program (translated as “this is only the tip of the iceberg” or “what is hidden is more\r\nimmense”). 
Almisshal’s program has reported on a wide variety of politically sensitive topics in the Middle East,\r\nincluding UAE, Saudi, and Bahraini Government involvement in an attempted 1996 coup in Qatar, the Bahrain\r\nGovernment’s hiring of a former Al-Qaeda operative for an assassination program, the Saudi killing of Jamal\r\nKhashoggi, and ties between a powerful member of the UAE’s Royal Family, Sheikh Mansour Bin Zayed Al-Nahyan, and UAE businessman B.R. Shetty’s healthcare empire, which collapsed in 2020 due to alleged fraud and\r\ndisclosures of hidden debt.\r\nAlmisshal was concerned that his phone might be hacked, so in January 2020, he consented to installing a VPN\r\napplication for Citizen Lab researchers to monitor metadata associated with his Internet traffic.\r\nWhile reviewing his VPN logs, we noticed that on 19 July 2020, his phone visited a website that we had detected\r\nin our Internet scanning as an Installation Server for NSO Group’s Pegasus spyware, which is used in the process\r\nof infecting a target with Pegasus.\r\nTime: 19 July 2020, 11:29 – 11:31 UTC\r\nDomain: 9jp1dx8odjw1kbkt.f15fwd322.regularhours.net\r\nIP: 178.128.163.233\r\nDownloaded: 1.74MB\r\nUploaded: 211KB\r\nInitial Vector: Apple Servers\r\nWe conclude that Almisshal’s phone reached out to the Pegasus Installation Server due to an apparent exploit\r\ndelivered through Apple’s servers. In the 54 minutes before Almisshal’s phone visited the Pegasus Installation\r\nServer, we observed an unusual behavior: connections to a large number of iCloud Partitions\r\n(p*-content.icloud.com). 
In the more than 3000 hours that we have been monitoring Almisshal’s Internet traffic, we\r\nhave only seen 258 connections to iCloud Partitions (excluding p20-content.icloud.com, which Almisshal’s phone\r\nuses for iCloud backups), with 228 of these connections (~88%) occurring during a 54 minute period between\r\n10:32 and 11:28 on 19 July. On 19 July, we saw no matching connections prior to 10:32 or after 11:28. The\r\nconnections in question were to 18 iCloud partitions (all odd-numbered).\r\nThe connections to the iCloud Partitions on 19 July 2020 resulted in a net download of 2.06MB and a net upload\r\nof 1.25MB of data. Because these anomalous iCloud connections occurred—and ceased—immediately prior to\r\nPegasus installation at 11:29 UTC, we believe they represent the initial vector by which Tamer Almisshal’s phone\r\nwas hacked. Our analysis of an infected device (Section 3) indicates that the built-in iOS imagent application\r\nwas responsible for one of the spyware processes. The imagent application is a background process that appears\r\nto be associated with iMessage and FaceTime.\r\nExfiltration\r\nSixteen seconds after the last connection to the Pegasus Installation Server, we observed Almisshal’s iPhone\r\ncommunicate for the first time with three additional IPs over the next 16 hours. We never observed his phone\r\ncommunicating with these IPs previously, and have not observed communications since.\r\nTimes (UTC) | IP | Uploaded | Downloaded\r\n7/19/2020 11:31 – 7/20/2020 03:09 | 45.76.47.218 | 133.06MB | 7.53MB\r\n7/19/2020 11:31 – 7/20/2020 03:08 | 212.147.209.236 | 75.94MB | 4.30MB\r\n7/19/2020 11:31 – 7/20/2020 03:09 | 134.122.87.198 | 61.16MB | 3.32MB\r\nOverall, we observed 270.16MB of upload, and 15.15MB of download, and each IP returned a valid TLS\r\ncertificate for bananakick.net. 
The phone did not set the SNI in the HTTPS Client Hello message, nor did it\r\nperform a DNS lookup for bananakick.net, perhaps in an effort to thwart our previously-reported DNS Cache\r\nProbing technique to locate infected devices, or an effort to thwart anti-Pegasus countermeasures implemented\r\nnationwide in Turkey (Section 4), another popular target of Pegasus operators. Because communications with\r\nthese three servers commenced 16 seconds after the communications with a known Pegasus Installation Server,\r\nwe suspected that these three IPs were Pegasus command and control (C\u0026C) servers.\r\nAnalysis of Device Logs\r\nAlmisshal’s device shows what appears to be an unusual number of kernel panics (phone crashes) between\r\nJanuary and July 2020. While some of the panics may be benign, they may also indicate earlier attempts to exploit\r\nvulnerabilities against his device.\r\nTimestamp (UTC) | Process | Type of Kernel Panic\r\n2020-01-17 01:32:09 | fileproviderd | Kernel data abort\r\n2020-01-17 05:19:35 | mediaanalysisd | Kernel data abort\r\n2020-01-31 18:04:47 | launchd | Kernel data abort\r\n2020-02-28 23:18:12 | locationd | Kernel data abort\r\n2020-03-14 03:47:14 | com.apple.WebKit | Kernel data abort\r\n2020-03-29 13:23:43 | MobileMail | kfree\r\n2020-06-27 02:04:09 | exchangesyncd | Kernel data abort\r\n2020-07-04 02:32:48 | kernel_task | Kernel data abort\r\nA Series of Attacks on Rania Dridi\r\nRania Dridi is a journalist at London-based Al Araby TV, where she presents the “شبابيك” newsmagazine program\r\n(translated from Arabic as “windows”), which covers a variety of current affairs topics.\r\nWhile reviewing device logs from Rania Dridi’s iPhone Xs Max, we found evidence that her phone was hacked at\r\nleast six times with NSO Group’s Pegasus spyware between 26 October 2019 and 23 July 2020. 
Two of these\r\ninstances, on 26 October and 12 July, were likely zero-day exploits, as the phone appears to have been hacked\r\nwhile running the latest available version of iOS. At the other times Dridi’s phone was hacked, there was a newer\r\nversion of iOS available, meaning that there is no evidence one way or the other as to whether the exploits were\r\nzero-days.\r\nApprox. Infection Time | iOS Version | Zero-Day?\r\n10/26/2019 13:26:26 | 13.1.3 | Yes\r\n10/29/2019 8:49:44 | 13.1.3 | Unknown\r\n11/25/2019 8:55:41 | 13.1.3 | Unknown\r\n12/9/2019 11:15:06 | 13.1.3 | Unknown\r\n7/12/2020 23:35:13 | 13.5.1 | Yes\r\n7/23/2020 7:14:08 | 13.5.1 | Unknown\r\nOn 26 October 2019, a Pegasus operator apparently successfully deployed a zero-day exploit against Dridi’s up-to-date iPhone running iOS 13.1.3 and, on 12 July 2020, a Pegasus operator apparently successfully deployed a\r\nzero-day exploit against the same up-to-date phone, running iOS 13.5.1. The 12 July 2020 attack, and another\r\nattack on 23 July 2020 appear to have used the KISMET zero-click exploit.\r\nNetwork logs show that Dridi’s phone communicated with the following four servers between 13 July 2020 and\r\n23 July 2020 that we attributed to NSO Group operator SNEAKY KESTREL. 
No communications were observed\r\nbetween 17 July and 22 July 2020.\r\nTimes (UTC) | IP | Uploaded\r\n07/13/2020 09:13 – 07/23/2020 16:20 | 31.171.250.241 | 18.31MB\r\n07/13/2020 09:13 – 07/23/2020 16:19 | 165.22.80.68 | 15.92MB\r\n07/13/2020 09:13 – 07/23/2020 16:12 | 159.65.94.105 | 12.42MB\r\n07/13/2020 09:13 – 07/23/2020 16:09 | 95.179.220.244 | 8.43MB\r\nWe suspect that the attacks on Dridi’s phone in October, November, and December 2019 also used a zero-click\r\nexploit, because we saw an NSO Group zero-click exploit deployed against another iPhone target during this\r\ntimeframe, and because we found no evidence of telltale SMS or WhatsApp messages containing Pegasus\r\nspyware links on her phone. Network logs were unavailable for these periods.\r\n4. Other Infections at Al Jazeera\r\nWorking with Al Jazeera’s IT team, we identified a total of 36 personal phones inside Al Jazeera that were hacked\r\nby four distinct clusters of servers which could be attributable to up to four NSO Group operators. An operator\r\nthat we call MONARCHY spied on 18 phones, and an operator that we call SNEAKY KESTREL spied on 15\r\nphones, including one of the same phones that MONARCHY spied on. 
Two other operators, CENTER-1 and\r\nCENTER-2, spied on 1 and 3 phones, respectively.\r\nWe conclude with medium confidence that SNEAKY KESTREL acts on behalf of the UAE Government, because\r\nthis operator appears to target individuals primarily inside the UAE, and because one target hacked by SNEAKY\r\nKESTREL previously received Pegasus links via SMS that point to the same domain name used in the attacks on\r\nUAE activist Ahmed Mansoor.\r\nIPs | CN in TLS Certificate\r\n134.209.23.19 | *.img565vv6.holdmydoor.com\r\n31.171.250.241 | *.crashparadox.net\r\n165.22.80.68 | *.crashparadox.net\r\n95.179.220.244 | *.crashparadox.net\r\n159.65.94.105 | *.crashparadox.net\r\nTable 1: Servers used by SNEAKY KESTREL in Al Jazeera spying.\r\nWe conclude with medium confidence that MONARCHY acts on behalf of the Saudi Government because the\r\noperator appears to target individuals primarily inside Saudi Arabia, and because we observed this operator hack a\r\nSaudi Arabian activist who was previously targeted by KINGDOM.\r\nIPs | CN in TLS Certificate\r\n178.128.163.233 | *.f15fwd322.regularhours.net\r\n45.76.47.218 | bananakick.net\r\n134.122.87.198 | bananakick.net\r\n212.147.209.236 | bananakick.net\r\nTable 2: Servers used by MONARCHY in Al Jazeera spying.\r\nWe considered but view as less likely the hypothesis that MONARCHY and SNEAKY KESTREL are both linked\r\nto the UAE. The UAE Government has been known to target Saudi activists, and both MONARCHY and\r\nSNEAKY KESTREL have been observed operating in concert in two cases: the case of Al Jazeera, and a case in\r\nTurkey, where the Turkish Computer Emergency Response Team apparently caught both operators at around the\r\nsame time (Section 4). However, we are aware of only one phone that was targeted by both operators, and we are\r\nnot aware of any infrastructure overlap between the two operators. 
Additionally, each operator seems to\r\nprimarily target in a different country, MONARCHY in Saudi Arabia and SNEAKY KESTREL in the UAE. Both\r\nSaudi Arabia and the UAE are reported to be Pegasus customers.\r\nWe are not able to determine the identity of CENTER-1 and CENTER-2, though both appear to target mainly in\r\nthe Middle East.\r\nIPs | CN in TLS Certificate\r\n80.211.37.240 | stilloak.net\r\n161.35.38.8 | stilloak.net\r\nTable 3: Servers used by CENTER-1 in Al Jazeera spying.\r\nIPs | CN in TLS Certificate\r\n209.250.230.12 | flowersarrows.com\r\n80.211.35.111 | flowersarrows.com\r\n89.40.115.27 | flowersarrows.com\r\n134.122.68.221 | flowersarrows.com\r\nTable 4: Servers used by CENTER-2 in Al Jazeera spying.\r\nWe did not observe infection attempts for CENTER-1 and CENTER-2, so we are unsure which Pegasus\r\nInstallation Servers were used.\r\nThe infrastructure used in these attacks included servers located in Germany, France, UK, and Italy using cloud\r\nhosting providers Aruba, Choopa, CloudSigma, and DigitalOcean.\r\n3. Analysis of Device Logs from a Live Pegasus Infection\r\nWe obtained logs from an iPhone 11 device inside Al Jazeera networks while it was infected. 
Our analysis\r\nindicates that the current Pegasus implant has a number of capabilities including: recording audio from the\r\nmicrophone including both ambient “hot mic” recording and audio of encrypted phone calls, and taking pictures.\r\nIn addition, we believe the implant can track device location, and access passwords and stored credentials.\r\nThe phone logs showed a process launchafd on the phone that was communicating with the four\r\n*.crashparadox.net IP addresses in Table 1, which we linked to SNEAKY KESTREL.\r\nThe launchafd process was located in flash memory in the com.apple.xpc.roleaccountd.staging folder:\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/launchafd\r\nThis folder appears to be used for iOS updates, and we suspect that it may not survive iOS updates. It appeared\r\nthat additional components of the spyware on this device were stored in a folder with a randomly generated name\r\nin /private/var/tmp/. The contents of the /private/var/tmp/ folder do not persist when the device is\r\nrebooted. The parent process of launchafd was listed as rs, and was located in flash memory at:\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/rs\r\nThe imagent process (part of a built-in Apple app handling iMessage and FaceTime) was listed as the\r\nresponsible process for rs, indicating possible exploitation involving iMessage or FaceTime. The same rs\r\nprocess was also listed as parent of passd, a built-in Apple app that interfaces with the keychain, as well as\r\nnatgd, another component of the spyware, which was located in flash memory at:\r\n/private/var/db/com.apple.xpc.roleaccountd.staging/natgd\r\nAll three processes were running as root. 
We were unable to retrieve these binaries from flash memory, as we\r\ndid not have access to a jailbreak for iPhone 11 running iOS 13.5.1.\r\nThe phone’s logs show evidence that the spyware was accessing a variety of frameworks on the phone, including\r\nthe Celestial.framework and MediaExperience.framework, which could be used to record audio and camera data,\r\nas well as the LocationSupport.framework and CoreLocation.framework to track the user’s location.\r\nSharing Findings\r\nWe have shared our findings and technical indicators with Apple Inc., which confirms that it is investigating the\r\nissue.\r\n4. Turkish CERT vs. NSO Group\r\nIn late 2019, Turkey’s Government-run Computer Emergency Response Team (USOM) appears to have observed\r\nPegasus attacks involving both MONARCHY and SNEAKY KESTREL, and sinkholed some domain names used\r\nby these operators on a national level.\r\nUSOM publishes a “list of malicious links” (“zararlı bağlantılar”) available on their website. The list of indicators\r\nincludes domain names, URLs, as well as IP addresses. Turkish ISPs generally redirect their subscribers who try\r\nto access indicators on this list to a USOM sinkhole IP address (88.255.216.16).\r\nEach ISP appears to implement this sinkholing using the same technique they use to implement website\r\ncensorship. 
For example, Turk Telekom appears to use their Sandvine PacketLogic devices to inject HTTP\r\nredirects for elements on the USOM list, whereas Vodafone Turkey appears to use its DNS tampering system,\r\nreturning the USOM IP in response to any request for a domain name on the list.\r\nIt is clear that USOM has a particular interest in Pegasus, as all Pegasus domain names published in three\r\nAmnesty reports about Pegasus were added to the USOM list after Amnesty’s publication.\r\nTurkish CERT Sinkholes Pegasus Domains\r\nOn 5 November 2019, USOM added the following NSO Group Pegasus domain names and IP addresses to their\r\nlist of malicious links. We attribute these domains and IPs to MONARCHY and SNEAKY KESTREL. These\r\nindicators were not previously published in any other location that we can identify, and the USOM list indicates\r\nthat the source of the domains and IPs was one of Turkey’s SOMEs (institutional computer emergency response\r\nteams (CERTs) for government agencies and industries).\r\nWe suspect that USOM’s information about the Pegasus infrastructure came from observing specific infections, as\r\nopposed to a broader compromise of NSO Group, or a broader effort to fingerprint NSO Group traffic within\r\nTurkey. Several other operators that appeared to be spying inside Turkey with Pegasus at the time did not have\r\ntheir infrastructure sinkholed.\r\nWe are not aware which individuals were targeted in the attacks observed by the Turkish Government that\r\ntriggered the sinkholing. 
However, a 2019 Reuters report mentions that, in 2016 and 2017, the UAE used the\r\n“Karma” exploit to hack hundreds of individuals around the world, including the Turkish Deputy Prime Minister.\r\nOne of the IP addresses added to the USOM list on 5 November 2019 appears to have been abandoned by NSO\r\nGroup on 28 October 2019, suggesting that at least some of the attacks observed by Turkey occurred prior to 28\r\nOctober. Interestingly, despite the fact that regularhours.net and holdmydoor.com appeared on a Turkish CERT list\r\nin November 2019, we observed MONARCHY and SNEAKY KESTREL continue to use these domain names in\r\nattacks through August 2020.\r\n5. Discussion: The Spyware Industry is Going Dark\r\nWhen authoritarian governments are enabled by commercial spyware companies like NSO Group, and\r\nemboldened by the belief that they are acting in secret, they target critical voices like journalists. Unfortunately, it\r\nis increasingly difficult to track such cases.\r\nThe spyware industry does business in secret, and major spyware sellers invest heavily in fighting regulation and\r\navoiding legal accountability. Yet, certain industry realities and technical limitations have historically made it\r\npossible to track infections. For example, for many years all but the most sophisticated commercially available\r\nspyware required some user interaction, such as opening a document or clicking a link, to infect a device.\r\nThe deception involved in tricking a target into becoming a victim left traces even after successful infections.\r\nThese traces—especially messages used to seed spyware—have been an invaluable source of evidence for\r\ninvestigators. 
Over the years, by gathering and examining the ruses used to deliver spyware, often aided by\r\nvictims themselves, it has been possible to identify hundreds of victims.\r\nThe current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a\r\nbroader industry-wide shift towards more sophisticated, less detectable means of surveillance. Although this is a\r\npredictable technological evolution, it increases the technological challenges facing both network administrators\r\nand investigators.\r\nWhile it is still possible to identify zero-click attacks—as we have done here—the technical effort required to\r\nidentify cases markedly increases, as does the logistical complexity of investigations. As techniques grow more\r\nsophisticated, spyware developers are better able to obfuscate their activities, operate unimpeded in the global\r\nsurveillance marketplace, and thus facilitate the continued abuse of human rights while evading public\r\naccountability.\r\nJournalists Increasingly Targeted With Spyware\r\nCounting the 36 cases revealed in this report, there are now at least fifty publicly known cases of journalists and\r\nothers in media targeted with NSO spyware, with attacks observed as recently as August 2020. We have\r\npreviously identified over a dozen journalists and civic media targeted with NSO Group’s spyware. Amnesty\r\nInternational has identified still more targeting, as recently as January 2020.\r\nThe Al Jazeera attacks are part of an accelerating trend of espionage against journalists and news organizations.\r\nThe Citizen Lab has documented digital attacks against journalists by threat actors from China, Russia, Ethiopia,\r\nMexico, the UAE, and Saudi Arabia, among others. Other research groups have documented similar trends, which\r\nappear to be worsening with the COVID-19 pandemic. 
Often these attacks parallel more traditional forms of\r\nmedia control, and in some cases physical violence.\r\nThe increased targeting of the media is especially concerning given the fragmented and often ad-hoc security\r\npractices and cultures among journalists and media outlets, and the gap between the scale of threats and the\r\nsecurity resources made available to reporters and newsrooms. These concerns are likely particularly acute for\r\nindependent journalists in authoritarian states who, despite the fact that they play a crucial role in reporting\r\ninformation to the public, may be forced to work in dangerous conditions with even fewer security tools at their\r\ndisposal than their peers in large news organizations.\r\nProgress, But New Perils\r\nJournalist security has attracted recent research interest, grantmaking, and practice innovation. Progress is\r\nshowing in many areas. However, the zero-click techniques used against Al Jazeera staff were sophisticated,\r\ndifficult to detect, and largely focused on the personal devices of reporters. Security awareness and policies are\r\nessential, but without substantial investment in security, network analysis, regular security audits and collaboration\r\nwith researchers like the Citizen Lab these cases would not have been detected.\r\nJournalists and media outlets should not be forced to confront this situation on their own. Investments in journalist\r\nsecurity and education must be accompanied by efforts to regulate the sale, transfer, and use of surveillance\r\ntechnology. As the anti-detection features of spyware become more sophisticated, the need for effective regulatory\r\nand oversight frameworks becomes increasingly urgent. 
The abuse of NSO Group’s zero-click iMessage attack to\r\ntarget journalists reinforces the need for a global moratorium on the sale and transfer of surveillance technology,\r\nas called for by the U.N. Special Rapporteur on the promotion and protection of the right to freedom of opinion\r\nand expression, “until rigorous human rights safeguards are put in place to regulate such practices and guarantee\r\nthat governments and non-State actors use the tools in legitimate ways.”\r\nThese safeguards should include strengthening and expanding regional and international export controls, enacting\r\nnational legislation that constrains invasive new surveillance technology such as zero-click spyware, and expanding\r\nmandatory due diligence requirements for spyware developers and brokers.\r\nUpdate your iOS Device Immediately\r\nWe have seen no evidence that the KISMET exploit still functions on iOS 14 and above, although we are basing\r\nour observations on a finite sample of observed devices. Apple made many security improvements in iOS\r\n14, and we suspect that these changes blocked the exploit. Although we believe that NSO Group is constantly\r\nworking to develop new vectors of infection, if you own an Apple iOS device you should immediately update\r\nto iOS 14 or later.\r\nAcknowledgements\r\nBill Marczak’s work on this report was supported, in part, by the International Computer Science Institute and the\r\nCenter for Long-Term Cyber Security at the University of California, Berkeley.\r\nThe authors would like to thank Bahr Abdul Razzak for review and assistance. Special thanks to several other\r\nreviewers who wish to remain anonymous as well as TNG. Thanks to Mari Zhou for design and layout assistance.\r\nFinancial support for this research has been provided by the John D. and Catherine T. 
MacArthur Foundation, the\r\nFord Foundation, the Hewlett Foundation, Open Societies Foundation, the Oak Foundation, and Sigrid Rausing\r\nTrust.\r\nThanks to Al Jazeera and Tamer Almisshal for their investigative work on this project. Thanks to Al Araby and\r\nRania Dridi.\r\nThanks to Team Cymru for providing access to their Pure Signal data.\r\nSource: https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"
	],
	"report_names": [
		"the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deb9f1aafb01b4feba1d7da75e10f354e96b9888.pdf",
		"text": "https://archive.orkl.eu/deb9f1aafb01b4feba1d7da75e10f354e96b9888.txt",
		"img": "https://archive.orkl.eu/deb9f1aafb01b4feba1d7da75e10f354e96b9888.jpg"
	}
}