I am a Senior Research Fellow at Citizen Lab, a co-founder of Bahrain Watch, and a Postdoctoral Researcher at UC Berkeley, where I received my PhD in Computer Science under the advisorship of Vern Paxson. My work focuses on novel technological threats to Internet freedom, including new censorship and surveillance tools. My expertise is in Internet scanning and conducting digital investigations. Coverage of my work has been featured in Vanity Fair, the New York Times, the Washington Post, on CNN, and on Larry King.
While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.
لقد حددنا تسعة نشطاء بحرينيين تم اختراق أجهزتهم الآيفون باستخدام برنامج تجسس “Pegasus” من NSO Group في الفترة ما بين يونيو 2020 و فبراير 2021. بعض النشطاء قد تم اختراقهم باستغلال ثغرتين zero-click في iMessage, كنا قد سمينا الثغرتين التي تم اكتشافها في 2020 ب KISMET، أما الثغرة المستخدمة في 2021 فنسميها FORCEDENTRY
We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).
Forbidden Stories and Amnesty International requested that the Citizen Lab undertake an independent peer review of a sample of their forensic evidence and their general forensic methodology. We were provided with iTunes backups of several devices and a separate methodology brief, and independently validated that Amnesty International’s forensic methodology correctly identified infections with NSO’s Pegasus spyware.
Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.
في شهري يوليو وأغسطس 2020 استخدم عملاءٌ حكوميون برنامج التجسس بيغاسوس “Pegasus” من مجموعة “NSO” لاختراق 36 هاتفاً شخصياً لصحفيين ومنتجين ومراسلين و مدراء تنفيذيين في قناة الجزيرة. كما تم اختراق هاتف صحفية في قناة العربي، التي مقرها لندن.
Government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.
Circles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe, and is affiliated with NSO Group, which develops the oft-abused Pegasus spyware. Using Internet scanning, we found a unique signature associated with the hostnames of Check Point firewalls used in Circles deployments, enabling us to identify Circles deployments in at least 25 countries.
Amidst calls for reform in Togo, NSO Group’s spyware was used to target voices for change including a bishop, priest, and opposition politicians.
Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.
