IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Bahrain targets activists with NSO's Pegasus spyware

The spyware reportedly employed two exploits targeting Apple's iMessage system

The government of Bahrain has once again used spyware from Israeli surveillance company NSO to target activists' smartphones, according to a Citizen Lab report,

The spyware employed two exploits targeting Apple's iMessage system, including a new one first spotted in June. 

The report tracked the targeting of nine Bahraini activists using the NSO software. The investigation ties the infection servers to NSO's Pegasus spyware, and tracked the spyware's use of multiple vulnerabilities in iMessage. 

Citizen Lab researchers noted that a Bahrain government operator codenamed LULU compromised iPhones using Pegasus via a zero-click iMessage exploit known as KISMET between July and September 2020. This simply required the phone to receive a message, enabling the spyware to compromise the operating system and monitor its internet traffic. 

KISMET compromised iOS versions until at least version 13.7, according to the Citizen Lab. At that point, Apple updated iOS with the BlastDoor security feature that defended against zero-click iMessage attacks. NSO's Pegasus spyware then resorted to a single-click attack, requiring victims to follow a link in an iMessage. 

Pegasus returned to zero-click attacks from February 2021 with a more recent exploit Citizen Lab called FORCEDENTRY. 

Related Resource

Challenging the rules of security

Protecting data and simplifying IT management with Chrome OS

Whitepaper front coverFree download

FORCEDENTRY appears to be the same as Megalodon, an attack Amnesty International identified in June. It is a zero-click attack that could compromise phones without any user interaction. Amnesty confirmed it had compromised iPhones running iOS 14.6 in June, and Apple told the organization it was investigating the issue. At the time of writing, the latest version of iOS is 14.7. 

Freedom House, a non-profit that promotes democracy worldwide, classified Bahrain as “Not Free,” and gives it a freedom score of 29% due to heavy restrictions on internet use and strong censorship practices. The country arrests internet users for discussing forbidden topics online and engages in online surveillance practices, including spyware. 

Citizen Lab first documented Bahrain Pegasus use in 2018 via a government operator that it called PEARL. It posited that LULU may be the same state surveillance team. 

NSO continues to face challenges as it sells spyware to countries with oppressive histories, including Bahrain. Amazon Web Services shut down NSO infrastructure running on its servers last month, and United Nations human rights experts renewed calls for an international moratorium on the sale of spyware. 

The Citizen Lab cited tools from other companies the Bahrain government used for online surveillance, including Cellebrite, FinFisher, Netsweeper, Trovicor, and Verint. 

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
MSI to release securer BIOS settings after critical flaw discovered
vulnerability

MSI to release securer BIOS settings after critical flaw discovered

20 Jan 2023
China-backed hackers take down Amnesty International Canada for three weeks
Security

China-backed hackers take down Amnesty International Canada for three weeks

7 Dec 2022
'CryWiper' trojan disguises as ransomware, says Kaspersky
malware

'CryWiper' trojan disguises as ransomware, says Kaspersky

2 Dec 2022

Most Popular

What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023
Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023