Journalists attacked by cyber offensive firms like Candiru and NSO Group

The cyber espionage campaigns by state-sponsored hackers across the Middle East have created a dangerous and hostile environment for journalists. According to Proofpoint, “cyber attacks and hacking attempts on journalists are used for spying or gaining insight into the inner working style of media organizations of interest to the hackers”. In addition, the account of journalists might also be used for spreading fake news, disinformation campaign, and pro-state propaganda.

A large number of cyber attacks took place in Lebanon (Asia). In this hacking campaign, multiple attacks were deployed by the Israeli hack-for-hire spyware firm to target users in Lebanon, Turkey, Yemen, and Palestine. The attackers utilize a website to inject malicious JavaScript code from an actor-controlled domain which is responsible for redirecting potential victims to an exploit server.

Journalists attacked by cyber offensive firms like Candiru and NSO Group

On 5th April 2022, the report of Citizen Lab and Human rights group Front Line Defenders unveil the hacking campaign operated to spy on Suhair Jaradat (Jordan-based human rights defender and journalist). At least 180 journalists across the globe were targeted using Pegasus spyware of Israeli-based NSO Group. The Pegasus software grants access of the infected phones’ camera, microphone, emails, applications, text messages, and call logs to the hackers and also allows them to get unlimited amounts of the target’s data.

Talking about Israel-based offensive spyware firms, most recently Israeli-based spyware vendor “Candiru” was found using a zero-day vulnerability in Google Chrome to spy on journalists and other high-interest individuals in the Middle East with the ‘DevilsTongue’ spyware.

According to a report in July 2021 by CitizenLab, Candiru’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia, Qatar, Singapore, and the United Arab Emirates. Gulf Investment Fund and the sovereign Qatar Investment Authority was the major stakeholder in Candiru’s investment.

On 18th July 2021, news came in limelight regarding the hacking campaign operated by Israel-based notorious spyware firm NSO group targeting activists, politicians, and journalists from different media organizations including Al Jazeera (an international English language news channel headquartered in Doha, Qatar).

A total of 37 smartphones were hacked by attackers using Pegasus software in this hacking campaign. According to the report of The Washington Post, the list of targeted reporters also includes journalists from the media organizations — The Wall Street Journal, Agence France-Presse, France 24, CNN, the New York Times, Radio Free Europe, Mediapart, the Associated Press, El País, Le Monde, Bloomberg, the Economist, Reuters, and Voice of America.

In 2019 also, a state-owned Investment Corporate of Abu Dhabi “Mubadala Capital” had been invested in NSO Group. Around $243 bn fund chaired by Sheikh Mohammed bin Zayed al-Nahyan (Abu Dhabi’s Crown Prince) had done an investment in NSO Group suggesting that the allegations of attacks are true.

According to researchers, the methodology utilized in the cyber attacks on journalists typically involved social engineering in order to gently persuade the targets to download and execute various malicious payloads onto their personal digital devices. The messages were sent onto various social media platforms of journalists on topics related to their area of concern mainly focusing on politics.

In some cyber-attacks, the hackers deployed post malware infections in order to gain persistence on a network of the recipient and conduct lateral network reconnaissance and propagate additional malware infections within the target’s network. The second trick involves spying on journalists through surveillance web beacon planted on journalists’ devices.

Nowadays, cyber-attacks on journalists and Human rights activists become very much common, as Software like Pegasus, developed in a way that can be covertly installed on smartphones and running most versions of iOS and Android helps state-sponsored hackers to deploy the malware easily and efficiently on their targets and steal important information.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store