Date: 2020-01-28
Times Insider explains who we are and what we do, and offers behind-the-scenes information on how our journalism comes together.
BEIRUT, Lebanon: On June 21, 2018, I received an Arabic text message on my cell phone that said: "Ben Hubbard and the history of the Saudi royal family," with a link to a website, arabnews365.com.
I had been writing extensively about Saudi Arabia, including its royal family, and at first glance the link seemed to be Saudi news about my coverage, a topic that would normally get my attention.
But I also found it suspicious, so I refrained from clicking and decided to investigate. That led me to the booming market among governments for hacking technologies and a lesson on the ease with which the most intimate information on our phones (chats, contacts, passwords and photos) could become a target.
This type of hacking made headlines last week in connection with a forensic report commissioned by Jeff Bezos, the owner of The Washington Post, which said with "medium to high confidence" that Mr. Bezos's phone was hacked after receiving an encrypted video via WhatsApp from Mohammed bin Salman, the crown prince of Saudi Arabia.
Other technology researchers have questioned the findings of the report, but two United Nations experts gave it their stamp of approval, saying that the hack was intended to "influence, if not silence" the Post's critical coverage of the kingdom.
The attempt on my phone, a month after Mr. Bezos' hacking, was less dramatic, but no less frightening in its implications. An examination of my phone showed no indication that I had been compromised, but the technology researchers who inspected the message I received concluded that I was attacked with powerful software sold by the NSO Group, an Israeli company, and deployed by hackers working for Saudi Arabia.
A spokesman for the Saudi Arabian Embassy in Washington did not respond to requests for comment.
When asked if its products had been used to attack my phone, an NSO Group spokesman said in a statement that it was "completely misleading" to suggest that the company's technology was responsible for all phone hacking attempts, as other companies offered similar tools.
The researchers, at the Citizen Lab of the Munk School at the University of Toronto, have in recent years identified 36 operators who have used the technology of the NSO Group against hundreds of targets in 45 countries. These targets include four people whom the researchers were able to identify by name and confirm had been hacked by operators who appeared to be working for Saudi Arabia.
I was the fifth, and the first case the group had discovered of the technology being used against an American journalist.
As people began to lead more and more of their personal and professional lives on their phones, an industry emerged to sell tools to obtain that information. Many of the companies that sell the technology say they market only to governments for use in police and anti-terrorism operations.
But critics, such as Citizen Lab researchers, say the lack of regulation of such technologies allows the companies' often authoritarian customers to use the software against dissidents, activists, journalists and others.
The attempt on my phone came after covering Saudi Arabia for five years, most recently with a focus on Prince Mohammed, who had shot to power after his father became king in 2015.
Prince Mohammed was a lightning rod. His supporters praised him for weakening the kingdom's feared religious police, promising to diversify the economy away from oil and lifting restrictions on women, while critics accused him of taking strong measures against dissidents, forcing the resignation of the prime minister of Lebanon and locking up hundreds of princes and businessmen in the Riyadh Ritz-Carlton over allegations of corruption.
I had written on all those topics when my phone rang one night and I read the suspicious text message.
To determine if it was malware, I first searched the web for the title of the message and discovered that the article did not exist.
Then I asked the editor of the real Arab News, an English-language newspaper in Saudi Arabia, if it used arabnews365.com.
"It's not us," he replied.
The first technology security experts I consulted did not know what the message was, but they agreed that it seemed suspicious and warned me not to open the link. So I moved on, although I wondered what it was, who had sent it and why.
I received a clue a few months later when Citizen Lab published a report on Omar Abdulaziz, a Saudi dissident in Canada whose phone had been hacked with a text message similar to the one I had received.
Mr. Abdulaziz had political asylum in Canada and was known in Saudi Arabia for criticizing its leaders on social media. He was also a friend of Jamal Khashoggi, the dissident Saudi writer and columnist for The Washington Post who was killed and dismembered by Saudi agents in Istanbul in October 2018.
The report on Mr. Abdulaziz contained a table with domain names used by an operator that the investigators had determined was linked to Saudi Arabia. It included arabnews365.com.
I sent the message to Citizen Lab, whose researchers drew two conclusions.
First, as they had previously obtained a copy of the NSO Group software, they were able to use it to scan the Internet for connected servers and compile lists of web domains used by several operators, including 20 that had pursued targets related to Saudi Arabia. One of these domains was arabnews365.com.
"We know with certainty that the domain that was in the text was part of that command and control infrastructure that is connected to the NSO Group," said Ron Deibert, director of Citizen Lab.
But determining who had used the software to send the message was more difficult, he said, and was based on circumstantial evidence.
"They don't leave business cards when they do this kind of thing," Deibert said. "This is something that is designed precisely to prevent detection."
Citizen Lab concluded that this operator was connected to Saudi Arabia through a combination of the web addresses it used, some of which employed language that pointed to Saudi Arabia, and who its known targets were, said Bill Marczak, a senior researcher at Citizen Lab.
So far, Citizen Lab has identified five people who were attacked by this operator. The five were attacked in May and June 2018, and participated in activities related to Saudi Arabia: Yahya Asiri, chief of a Saudi human rights organization based in Great Britain; an unnamed researcher from Amnesty International; Ghanem al-Masarir, a Saudi dissident with a sarcastic YouTube show; Mr. Abdulaziz, the Saudi dissident in Canada; and me.
"If the proposal is that an operator tried to hack all these people, what do they have in common?" Marczak asked. "The Saudi angle is. There really is nothing else."
Although the reported hacking of Mr. Bezos's phone occurred during this same period, it used a different technology: an encrypted video sent by WhatsApp, not a web address sent by SMS.
In his statement, the NSO Group spokesman said the company authorized its technology for use by law enforcement and intelligence agencies "under strict protocols and government for an operation provided for the sole purpose of preventing and investigating terrorism and crime."
"When it is alleged that misuse has occurred, we will take and take measures to investigate and suspend capabilities," the statement concluded.
Human rights experts and activists argue that hacking technologies have become so powerful that government regulation is necessary to ensure that they are used ethically.
"We are facing a technology that is very difficult to track, extremely powerful and effective, and completely deregulated," said Agnes Callamard, United Nations Special Rapporteur on summary executions and extrajudicial executions, after Mr. Bezos' phone hacking. "That to me is incredible, that we have a technology that we cannot control or track."
She added that Mr. Bezos's case should sound an alarm because it took months for experts hired by one of the world's richest men to investigate what happened, a luxury that most people don't have. "It basically means that we are all extremely vulnerable," Callamard said.