NYT reporter says hackers used a ‘zero-click’ tool to get inside his phone: ‘It’s like being robbed by a ghost’

Women use cell phones to detect cybersecurity security
  • Hackers targeted the iPhone of NYT reporter Ben Hubbard four times in three years.
  • Cybersecurity researchers found that a government-surveillance software was likely used.
  • Governments sometimes use anti-terrorism spyware to target journalists and dissidents instead.

Ben Hubbard is the Beirut bureau chief for The New York Times and the author of a book about Saudi crown prince Mohammed bin Salman. His work brings him into contact with sources that governments – particularly the Saudi government – would prefer he not talk to.

Though Hubbard takes the appropriate safety measures to protect his sources, he says he was surprised to learn that his iPhone had been hacked – again.

Last year, Hubbard wrote about how he dodged what looked like a phishing attempt in 2018, and this week he revealed that his iPhone had been targeted in a “zero-click” attack that did not require any action from him to allow intruders into his device.

“It’s like being robbed by a ghost,” Hubbard said.

Working with Citizen Lab researchers at the Munk School of Global Affairs at the University of Toronto, Hubbard discovered that the attack had likely been perpetrated by hackers connected to the Saudi Arabian government using an anti-terror spyware tool called Pegasus.

Israel-based NSO Group, which develops and sells Pegasus to government agencies, denied to the team that its software had been used.

“Mr. Hubbard was not a target of Pegasus by any of NSO’s customers,” the company said in a statement to Insider.

Citizen Lab researchers said that the attack took place in two phases in 2020 and 2021, where the second intrusion was apparently intended to cover the digital tracks left by the first. There’s no way of knowing what, if anything, was taken during the attack, and definitively identifying the hackers is virtually impossible in situations like this, cybersecurity experts told Hubbard.

The NSO Group pushed back on Hubbard and Citizen Labs’ account, saying that “technical and contractual reasons and restrictions would have prevented Mr. Hubbard from being a target of Pegasus” in the latest pair of attacks and called on Citizen Lab to share its forensics linking the software to the attack.

The zero-click attacks are, according to New York Times’ digital espionage reporter Nicole Perlroth, “the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone’s device without tipping the victim off.”

When news broke last month of iPhones’ then-vulnerability to these “zero-click” attacks, Apple issued an emergency update of its operating system to block the Pegasus software from gaining entry.

But various iterations of the Pegasus tool have had a way of appearing on the devices of activists, lawyers, doctors, and even children, going all the way back to 2016.

“The extensive and routine abuse of Pegasus spyware to hack journalists is a direct threat to press freedom worldwide, and is contributing to a growing chilling climate for investigative journalism,” the Citizen Lab researchers wrote in their summary of findings.

“NSO Group has a zero-tolerance policy when it comes to misuse of its technologies, including and especially towards journalists, and we take very seriously any allegation in this matter,” the NSO Group said.