A journalist was told he would be made “the new Jamal Khashoggi” while others had photos on their phones stolen and posted on the internet in a suspected blackmail attempt after a TV station was hacked.
Al-Jazeera documentary filmmaker Tamer Almisshal and 36 others were targeted with spyware believed to have been sent by the governments of Saudi Arabia and the United Arab Emirates.
The television station is based in rival Qatar which has been subjected to a regional boycott for more than three years, with demands that Al Jazeera is closed down.
iPhones belonging to the staff, including TV anchors and executives, is believed to have been targeted using spyware developed by the Israeli firm NSO Group.
It was used by Saudi Arabia to track the movements of Khashoggi by infecting one of his close associates in Canada, called Omar Abdulaziz.
When told by Abdulaziz that he had been the victim of a hack the former Washington Post journalist replied: “God help us”.
Khashoggi was murdered and his body dismembered when he visited the Saudi consulate in Istanbul to pick up some paperwork in October 2018.
The software, known as Pegasus, is able to track location, access passwords, listen to conversations and even take pictures via the phone’s camera.
Almisshal raised the alarm after death threats were left on a device he used to call ministries in the UAE for a story in July.
Unlike previous Pegasus attacks where phone users would have to click on a link sent over iMessage, researchers at Citizen Lab in Toronto discovered this time software called Kismet was used whereby victims would not have do anything, in what is called a “zero-click” attack.
Almishal said: “They threatened to make me the new Jamal Khashoggi. This hacking was done by so-called zero-click technique where they can access cameras and track the device. They also found operators in the UAE and Saudi Arabia were behind this hacking.
“We tracked the spyware for six months and found that at least 36 Al Jazeera staffers were hacked. They have used some of the content they stole from the phones to blackmail journalists by posting private photos on the internet.”
Citizen Lab linked the attacks ‘with medium confidence’ to Saudi Arabia and the UAE, based on their previous targeting of dissidents with the spyware.
A spokesman said: “We believe that (at a minimum) this version of the Pegasus spyware has the ability to track location, access passwords and stored credentials on the phone, record audio from the microphone including both ambient ‘hot mic’ recording and audio of encrypted calls, and take pictures via the phone’s camera.”
Apple said it was working to improve security of its devices and urged customers to download the latest version of the software to protect themselves and their data.
NSO Group claimed its products are for tackling “serious organised crime and counter-terrorism” and said it would investigate any breaches of its policies.
A spokesman added: “As we have repeatedly stated we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on.”