Pearl 2 Pegasus: Bahraini Activists Hacked with Pegasus Just Days after a Report Confirming Other Victims
Our forensic analysis confirms that phones belonging to three individuals in Bahrain were hacked in 2021 with NSO Group’s Pegasus spyware.
John Scott-Railton
John Scott-Railton is a Senior Researcher at The Citizen Lab. His work focuses on technological threats civil society, including targeted malware operations, cyber militias, and online disinformation. His greatest hits include a collaboration with colleague Bill Marczak that uncovered the the systematic use of Pegasus spyware to target civil society in several countries, including Mexico and the UAE. Pegasus is developed by the Israeli cyber-warfare company NSO Group and sold exclusively to governments. That investigation also uncovered the first iPhone zero-day and remote jailbreak seen in the wild. Other investigations with Citizen Lab colleagues include the first report of ISIS-led malware operations, China's "Great Cannon," the Government of China's nation-scale DDoS attack, and the 'tainted leaks' disinformation campaigns strongly linked to the Russian Government. These investigations, and others, have served as the basis for criminal investigations and lawsuits. John has also investigated the manipulation of news aggregators such as Google News, and privacy and security issues with fitness trackers. Recently, John was a fellow at Google Ideas and Jigsaw at Alphabet. John has undergraduate degrees from the University of Chicago and a Masters from the University of Michigan. He is completing a PhD at UCLA. Previously he founded The Voices Projects, collaborative information feeds that bypassed internet shutdowns in Libya and Egypt. John's work has been covered by Time Magazine, BBC, CNN, The Washington Post, and the New York Times. He can be reached at jsr [at] citizenlab.ca
Articles
Proyecto Torogoz: Hackeo extensivo de los medios de comunicación y la sociedad civil en El Salvador con el programa espía Pegasus
El Citizen Lab y Access Now han confirmado 35 casos de periodistas y miembros de la sociedad civil salvadoreña cuyos teléfonos fueron infectados con el programa espía Pegasus del NSO entre julio del 2020 y noviembre del 2021. Hemos compartido una muestra de nuestros datos forenses con el Laboratorio de Seguridad de Amnistía Internacional, el cual confirma de forma independiente los hallazgos.
Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware
The Citizen Lab and Access Now have confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International’s Security Lab which independently confirms the findings.
بيغاسوس PEGASUS ضد بريداتور PREDATOR: الاستهداف المضاعف لجهاز الآيفون الخاص بمعارض يكشف عن برنامج التجسس المأجور من Cytrox
بواسطة: بيل مارزاك، جون سكوت-رايلتون، بحر عبد الرزاق، نورا الجيزاوي، سيينا أنستيس، كريستين بردان، ورون ديبرت. النتائج الرئيسية تم اختراق معارضَين مصريين في المنفى؛ وهما السياسي أيمن نور، ومقدم برنامج شهير (والذي يرغب بألا يفصح عن هويته). تم الاختراق بواسطة برنامج التجسس بريداتور (Predator)، والذي تم تطويره وبيعه بواسطة Cytrox لتطوير برامج التجسس المرتزقة، وهي… Read more »
Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware
Two Egyptians—exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)—were hacked with Predator spyware, built and sold by the previously little-known mercenary spyware developer Cytrox. The phone of Ayman Nour was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different government clients.
Breaking the News: New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts
Our forensic analysis of two iPhones belonging to Hubbard found evidence of Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard reported in January 2020 that we found that he was targeted in 2018 by the Saudi Arabia-linked Pegasus operator that we call KINGDOM.
FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild
While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.
من اللؤلؤة إلى بيغاسوس: الحكومة البحرينية تخترق نشطاء عبر استغلال ثغرة “Zero-Click” من “NSO Group”
لقد حددنا تسعة نشطاء بحرينيين تم اختراق أجهزتهم الآيفون باستخدام برنامج تجسس “Pegasus” من NSO Group في الفترة ما بين يونيو 2020 و فبراير 2021. بعض النشطاء قد تم اختراقهم باستغلال ثغرتين zero-click في iMessage, كنا قد سمينا الثغرتين التي تم اكتشافها في 2020 ب KISMET، أما الثغرة المستخدمة في 2021 فنسميها FORCEDENTRY
From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits
We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).
Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware
Forbidden Stories and Amnesty International requested that the Citizen Lab undertake an independent peer review of a sample of their forensic evidence and their general forensic methodology. We were provided with iTunes backups of several devices and a separate methodology brief, and independently validated that Amnesty International’s forensic methodology correctly identified infections with NSO’s Pegasus spyware.