Key Findings

  • New York Times journalist Ben Hubbard was targeted with NSO Group’s Pegasus spyware via a June 2018 SMS message promising details about “Ben Hubbard and the story of the Saudi Royal Family.” 
  • The SMS contained a hyperlink to a website used by a Pegasus operator that we call KINGDOM. We have linked KINGDOM to Saudi Arabia. In 2018, KINGDOM also targeted Saudi dissidents including Omar Abdulaziz, Ghanem al-Masarir, and Yahya Assiri, as well as a staff member at Amnesty International.
  • Hubbard is among a growing group of journalists targeted with Pegasus spyware. As part of our continued investigation into threats against journalists, Citizen Lab also identified evidence suggesting a Pegasus operator may have been infecting targets while impersonating the Washington Post in the weeks leading up to and after Khashoggi’s killing in 2018. There is no overlap between this activity and reported events surrounding the mobile phone of Jeff Bezos.

1. Background

Pegasus is the name of a mobile phone spyware product made by NSO Group, an Israel-based company that develops and sells surveillance technology. Since 2016, researchers have documented the abuse of Pegasus against journalists, human rights defenders, and members of civil society. In one case, Pegasus was used to target the wife of a slain journalist in Mexico.
Several reports by Citizen Lab and Amnesty International in 2018 showed that a Saudi-linked Pegasus operator that we call KINGDOM was targeting dissidents and regime critics. On July 31, 2018, Amnesty International and Citizen Lab reported that an Amnesty International staffer, as well as a “Saudi activist based abroad” (later identified as London-based dissident Yahya Assiri) was targeted with Pegasus. On October 1, 2018, Citizen Lab reported that Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with Pegasus. During the period when his phone was monitored, Abdulaziz was apparently in close contact with murdered Washington Post columnist Jamal Khashoggi.
Figure 1: Graphic showing locations of likely Pegasus infections linked to the KINGDOM operator in 2018.
On November 11, 2018, Forbes reported that Saudi dissident Ghanem al-Masarir was targeted with Pegasus. If the targets had clicked on the links in the text messages they received, the KINGDOM operator would have been able to closely monitor these individuals’ communications and plans. Abdulaziz filed a lawsuit against NSO Group in Israel, and al-Masarir filed a lawsuit against Saudi Arabia in the UK.

2. New York Times Reporter Targeted

Ben Hubbard is the Beirut Bureau Chief of the New York Times. Prior to his promotion to that role, Hubbard reported on Saudi Arabia, including on Crown Prince Mohamed Bin Salman (MbS). In an announcement of his promotion, the New York Times noted that Hubbard had “turned out deeply revealing reports from a closed society that is changing rapidly under a headstrong crown prince,” and had “…peeled back the curtain from the prince’s relentless consolidation of power.”

2.1. Pegasus Infection Attempt

On June 21, 2018, Hubbard received an SMS on his phone stating in Arabic: “Ben Hubbard and the story of the Saudi Royal Family.” Hubbard provided this message to the Citizen Lab in October 2018 for analysis. With Hubbard’s consent, we are now able to report on this case.
Figure 2: Pegasus infection attempt received by New York Times journalist Ben Hubbard on June 21, 2018 (screenshots courtesy of Ben Hubbard).
The link sent to Hubbard led to the site arabnews365[.]com, and was sent from a sender that called themselves “Arabnews.” The full link is:
https://arabnews365[.]com/wqbgGdwlk
Hubbard recalls that he did not click on the link and we are not able to determine whether his phone was successfully infected.
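For defenders who want to check a message export or proxy log for the domain reported above, the following added example (not Citizen Lab's code or methodology) refangs the published indicator and matches each link's host exactly or as a subdomain, so look-alike hosts are not flagged. The function names and all sample messages other than the link quoted above are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicator exactly as published on this page (kept defanged in source).
DEFANGED_INDICATORS = ["arabnews365[.]com"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def refang(text):
    """Undo common defanging: hxxp -> http, [.] or (.) -> '.'."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)", ".", text)

def normalise_host(host):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return host.strip().rstrip(".").lower()

INDICATORS = {normalise_host(refang(d)) for d in DEFANGED_INDICATORS}

def host_matches(host):
    """True only for an indicator domain itself or a subdomain of it."""
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in INDICATORS)

def find_hits(messages):
    """Return (message index, url) for every link whose host matches."""
    hits = []
    for i, body in enumerate(messages):
        for url in URL_RE.findall(refang(body)):
            url = url.rstrip(".,;:!?)]")          # sentence punctuation
            host = urlsplit(url).hostname or ""   # ignores any user@ prefix
            if host_matches(host):
                hits.append((i, url))
    return hits

# Constructed sample export; only the first link comes from the page.
SAMPLE = [
    "News: https://arabnews365[.]com/wqbgGdwlk",
    "Mirror at HTTPS://Cdn.ArabNews365.com./x, take a look",
    "https://arabnews365.com.example.net/a",      # indicator as a prefix
    "http://notarabnews365.com/b",                # suffix without a dot
    "https://arabnews365.com@example.org/c",      # indicator in userinfo
]

if __name__ == "__main__":
    for index, url in find_hits(SAMPLE):
        print(index, refang(url).replace(".", "[.]"))
```

A hit only shows that a matching link was received or requested; as with Hubbard's case, it does not by itself establish that a device was infected.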

2.2. Connection with Pegasus Infrastructure

At the time the SMS was sent to Hubbard, the arabnews365[.]com domain was active and belonged to the portion of NSO Group’s Pegasus infrastructure used by the KINGDOM operator. The domain was also independently identified by Amnesty International as belonging to NSO Group’s infrastructure. In a previous report, we provided a comprehensive technical description of how we identify and scan for Pegasus infrastructure. In this section, we briefly summarize this process.
In 2016, Citizen Lab published the Million Dollar Dissident report, the first public research to identify NSO Group’s Pegasus spyware. In Million Dollar Dissident, we reported on an attempted intrusion of United Arab Emirates (UAE) activist Ahmed Mansoor’s phone using a text message with a malicious link promising “New secrets about torture of Emiratis in state prisons.”
Our investigation included scanning the Internet to find Command & Control (C&C) servers that behaved similarly to the ones communicating with the spyware sent to Mansoor. While the Pegasus servers we found were pulled offline even before we published Million Dollar Dissident, we continued to monitor them in case some of them might come back online. In the weeks after our report, we noticed a small number of Pegasus servers that came back online, but the servers no longer matched our fingerprint. We built a new fingerprint based on this behaviour, and began conducting regular Internet scans to find servers matching this new fingerprint.
In September 2018, Citizen Lab published Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries, which described the results of this follow-up scanning, conducted between August 2016 and August 2018. In these scans, we detected 1,091 IP addresses and 1,041 domain names matching our new fingerprint. We further grouped these IPs and domains into 36 distinct Pegasus operators using a technique we developed and named Athena. We also devised a new way to conduct DNS Cache Probing, and used this method to find likely infections, by identifying Internet Service Providers (ISPs) where one or more user was repeatedly looking up domain names associated with Pegasus C&C servers.
Figure 3: Locations of ISPs where we identified likely infections with Pegasus spyware (source: Hide and Seek report).

3. Commercial Spyware Harms Democracy, Press Freedom

As anti-democratic, authoritarian forces are on the rise in many countries, journalists are increasingly targets for surveillance and physical harm. Products like NSO Group’s Pegasus spyware provide government clients with a powerful tool to surreptitiously monitor journalists, their sources, and the stories on which they are reporting. Many of NSO Group’s clients appear to lack rigorous oversight over their security services, and have a track record of human rights abuses, including threats against journalists.