Dozens of media staffers’ iPhones hacked with NSO ‘zero-click’ spyware

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal iPhones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that Citizen Lab calls KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis, and Ron Deibert for Citizen Lab:

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system.

Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit.

Infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.

We have shared our findings with Apple and they have confirmed to us they are looking into the issue.

MacDailyNews Note: To repeat, Citizen Lab does not believe that KISMET works against iOS 14.x, as Apple’s latest iOS version includes new security protections.

3 Comments

  1. It would be good to understand how this exploit works. Does “invisible zero-click exploit in iMessage” mean that the user never had to click on a link to get infected? That is pretty scary especially for iPhones. I also think Apple needs to be more transparent with these exploits to really drive home that the updates are very important to install and alert users of the risk if it is out there.
