The iPhone of New York Times journalist Ben Hubbard was repeatedly hacked with NSO Group’s Pegasus spyware tool over a three-year period stretching between June 2018 to June 2021, resulting in infections twice in July 2020 and June 2021.

The University of Toronto’s Citizen Lab, which publicized the findings on Sunday, said the “targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.” The research institute did not attribute the infiltrations to a specific government.

In a statement shared with Hubbard, the Israeli company denied its involvement in the hacks and dismissed the findings as “speculation,” while noting that the journalist was not “a target of Pegasus by any of NSO’s customers.”

To date, NSO Group is believed to have leveraged at least three different iOS exploits — namely an iMessage zero-click exploit in December 2019, a KISMET exploit targeting iOS 13.5.1 and iOS 13.7 starting July 2020, and a FORCEDENTRY exploit aimed at iOS 14.x until 14.7.1 since February 2021.

It’s worth pointing out that Apple’s iOS 14 update includes a BlastDoor Framework that’s designed to make zero-click exploitation more difficult, although FORCEDENTRY expressly undermines that very security feature built into the operating system, prompting Apple to issue an update to remediate the shortcoming in September 2021.

FORCEDENTRY exploit on the phone of the Saudi activist

Forensic investigation into the campaign has revealed that Hubbard’s iPhone was successfully hacked with the surveillance software twice on July 12, 2020 and June 13, 2021, once each via the KISMET and FORCEDENTRY zero-click iMessage exploits, after making two earlier unsuccessful attempts via SMS and WhatsApp in 2018.

The disclosure is the latest in a long list of documented cases of activists, journalists, and heads of state being targeted or hacked using the company’s “military-grade spyware.” Earlier revelations in July laid bare an extensive abuse of the tool by several authoritarian governments to facilitate human rights violations around the world.

The findings are also particularly significant in light of a new interim rule passed by the U.S. government that requires that companies dabbling in intrusion software acquire a license from the Commerce Department before exporting such “cybersecurity items” to countries of “national security or weapons of mass destruction concern.”

“As long as we store our lives on devices that have vulnerabilities, and surveillance companies can earn millions of dollars selling ways to exploit them, our defenses are limited, especially if a government decides it wants our data,” Hubbard wrote in the New York Times.

“Now, I limit the information I keep on my phone. I reboot my phone often, which can kick out (but not keep off) some spy programs. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face,” Hubbard added.