A New York Times journalist was sent spyware linked to Saudi Arabia and embedded in a 2018 text message to his cellphone — the first American journalist known to have been targeted by such malware in what appears to be a growing global threat to journalists, dissidents and human rights activists, according to a new report.
The journalist, Ben Hubbard, learned about the attempted hack of his phone in October 2018, while covering a story about a Saudi dissident in Canada targeted by the same Pegasus spyware, according to Citizen Lab at the University of Toronto’s Munk School, which wrote the report.
The malware was created by an Israeli firm, NSO Group, which is the focus of heightened scrutiny over the alleged use of its products by authoritarian governments to target opponents, the report said.
“The targeting of yet another journalist — in this case at The New York Times — makes it clear that the current regulatory regime for the spyware industry is not working,” the report concludes.
Separately, Citizen Lab, a research organization, identified evidence suggesting that someone deploying NSO Group malware may have been infecting targets while employing a sham Washington Post website in the weeks leading up to and after the killing of Post columnist Jamal Khashoggi in October 2018 at the Saudi consulate in Istanbul. While the timing overlaps with the killing, the two are not necessarily related, the report states.
“The Washington Post takes digital security seriously, and we work vigilantly and invest heavily to protect our systems and employees,” Kris Coratti, The Post’s vice president of communications, said in a statement.
The Saudi Embassy in Washington did not respond to a request for comment. NSO Group said in a statement that the firm last year “worked closely” with Hubbard on the matter and shared “conclusive results” with him, suggesting the spyware was not Pegasus. NSO Group called Hubbard’s and Citizen Lab’s claims “unsubstantiated.” In a statement, New York Times spokeswoman Danielle Rhoades Ha said NSO Group did not tell Hubbard “how it had come to this conclusion” or state for the record “whether its technology had been used” to target Hubbard’s phone.
The news comes in the wake of a U.N. report that asserted with “medium to high confidence” that the smartphone of Washington Post owner and Amazon founder Jeff Bezos had been hacked after he received a link to an encrypted video via WhatsApp from Mohammed bin Salman, the crown prince of Saudi Arabia.
Citizen Lab noted “there is no overlap” between the timeline of the digital impersonation of The Post and the reported hack of Bezos’ phone.
The surveillance technology in question is allegedly sold exclusively to governments for investigations into crime and terrorism, said Ron Deibert, Citizen Lab director. “What we have found is that companies either are unwilling or unable to control how their government clients use it.”
Hubbard, now the Times’ Beirut bureau chief, had written a number of stories about the Saudi government in 2018, revealing in March its use of coercion and abuse to seize the wealth of the kingdom’s business elite.
“Efforts to intimidate journalists and potential sources should be of concern to everyone,” Rhoades Ha said in a separate statement. “We will stay focused on our mission to seek the truth and help people understand the world.”
In June 2018, Hubbard received a text message that read, “Ben Hubbard and the story of the Saudi royal family,” with a link for a website, Arabnews365.com. That was a month after the malware was sent to Bezos’ phone.
In an article in the Times Tuesday, Hubbard said he thought the link was “fishy,” so he refrained from clicking. In October 2018, he shared an image of the link with the Citizen Lab. “We are not able to determine whether his phone was successfully infected,” the researchers said in their report.
According to Hubbard, “An examination of my phone turned up no indications that it had been compromised.” He noted that Citizen Lab researchers concluded he was “targeted with powerful software sold by NSO Group … and deployed by hackers working for Saudi Arabia.”
At the time the text message was sent to Hubbard, the Arabnews365 website was active and was housed on a server known to deploy Pegasus software, and that server was used by an operator the researchers dubbed “Kingdom,” the report said. Citizen Lab has concluded through earlier investigations that Kingdom is linked to Saudi Arabia.
Citizen Lab revealed in October 2018 that the cellphone of Saudi dissident Omar Abulaziz, who lives in asylum in Canada, was hacked with Pegasus spyware. The tool is powerful, giving access to the victim’s phone camera, text messages, emails and location information. The day after the report was issued, Khashoggi was killed.
Abdulaziz was working on several sensitive projects with Khashoggi, including one to build an online “army” called “the bees” inside Saudi Arabia to challenge pro-government trolls on the internet, The Post reported at the time. Abdulaziz suspected that the Saudis used access to his phone to learn about these activities. “They had everything,” he told The Post. “They saw the messages between us. They listened to the calls.”
Abdulaziz is among several individuals and organizations that have sued NSO Group. Abdulaziz charges that the company allowed its product to be used to spy on him. Amnesty International filed suit in Israel asking the defense ministry to halt the sale of NSO spyware. Another Saudi dissident targeted with Pegasus, Ghanem al-Masarir, has also sued.
Facebook, which owns WhatsApp, sued the firm in October, alleging the company violated federal anti-hacking law when its malware was deployed on more than 1,400 cellphones last year. Citizen Lab, which helped WhatsApp in its analysis, found that of the devices targeted, at least 100 belonged to human rights advocates, journalists and other members of civil society around the world.