New York Times journalist Ben Hubbard was repeatedly targeted with Israel-based NSO Group's Pegasus spyware over a three-year period from June 2018 to June 2021, according to a new report by University of Toronto's Citizen Lab that studies spyware on Sunday.
The attempts took place when he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman, the report said. "I was hacked. The spyware used against me makes us all vulnerable," Hubbard wrote in an article on NYT. He said while the news was not surprising, it was still "unnerving".
Hubbard was first targeted with a suspicious text message in 2018, which the Citizen Lab determined to be likely sent by Saudi Arabia using NSO group's software called Pegasus.
A similar hacking attempt, the same year, came via an Arabic-language WhatsApp message that invited Hubbard by name to a protest at the Saudi Embassy in Washington. Both attempts did not succeed as he did not click on the links.
His phone was again hacked twice in 2020 and 2021, "with so-called 'zero-click' exploits, which allowed the hacker to get inside my phone without my clicking on any links. It's like being robbed by a ghost", Hubbard said.
Although "it was nearly impossible to definitively identify the culprits", but "based on code found" in his phone that resembled other cases, tech security experts said they had "high confidence that Pegasus had been used all four times".
According to Hubbard, the two attempts in 2018 were from Saudi Arabia "because they came from servers run by an operator who had previously targeted a number of Saudi activists".
While it was not clear which country was responsible for the 2020 hacks, the 2021 attempt "came from an account that had been used to hack a Saudi activist". The Citizen Lab report said that "some forensic artifacts" connected to NSO Group are present on Hubbard's device as early as April 2018."
However, the researchers were "unable to confirm whether this represents a genuine infection attempt or a feasibility test". Moreover, they also reportedly found a phone number belonging to Hubbard appearing on the Pegasus Project list in July 2019. "Unfortunately, forensic evidence is not available for this timeframe," the report said.
"As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret," Hubbard wrote in the NYT article.
He added that he takes "many precautions to protect the sources" to save them from "jail" and "death". "But in a world where we store so much of our personal and professional lives in the devices we carry in our pockets, and where surveillance software continues to become ever more sophisticated, we are all increasingly vulnerable."