A New York Times reporter was targeted with spyware designed to infect his phone, cybersecurity researchers say, news that comes just days after the United Nations declared that the phone belonging to Amazon CEO Jeff Bezos was also targeted with a spyware attack.
While instances of smartphone spyware aimed at journalists, human rights workers, and even public figures are on the rise, this is the first public accusation that the software was used to target an American journalist.
In a detailed report released Tuesday, Citizen Lab, a University of Toronto-based cybersecurity research laboratory, writes that a link texted to Ben Hubbard, the Times’s Beirut Bureau Chief, led to a site used to infect phones that was also used against multiple critics of the Saudi government.
Citizen Lab concluded that it was part of a campaign that uses software created by Israel’s NSO Group, likely the world’s most infamous spyware-for-hire company. Hubbard has authored an upcoming book about Saudi Crown Prince Mohammed bin Salman.
NSO markets its phone-hacking capabilities to “legitimate” government agencies to help law enforcement and fight terrorism. In the past, the company has declined to comment on specific cases where its software was allegedly used, citing terms of its contracts, but Citizen Lab says its analysis has found the software deployed against journalists and civil rights lawyers in Mexico.
In a statement sent to Fortune, NSO says Citizen Lab’s report was “unsubstantiated.” According to the company, the software is designed to not operate on Americans’ phone numbers, and therefore by definition couldn’t be used against Bezos. While Hubbard is American, the phone that received the spyware message is not a U.S. phone number, a person familiar with the incident said.
NSO adds Hubbard “seems to have forgotten, or has deliberately concealed the fact that we worked closely with him,” noting the Egypt-based journalist had previously let the company analyze his claims.
A Times spokesperson tells Fortune that Hubbard had insisted his conversations with NSO at the time would be conducted off the record. But since NSO spoke to Fortune on the topic, “we have been released from that agreement,” the spokesperson says.
According to the Times, NSO did not inspect Hubbard’s phone; it was provided with a screenshot of the suspicious text message. “Off the record only, it told Mr. Hubbard that its software had not been used to target his phone,” the spokesperson says. “NSO had multiple opportunities to say on the record how it had come to this conclusion and to state for the record whether its technology had been used to target Mr. Hubbard’s phone. It did not, nor did it address this issue in its most recent statement.”
Citizen Lab’s director, Ron Deibert, defends his group’s research. “We present detailed, peer-reviewed evidence,” he tells Fortune. “For their part, they provide dubious claims and never directly address our evidence.”
Notably, Citizen Lab’s report does not list any connection to the alleged hack on Bezos’s phone. On Wednesday, U.N. investigators looking into the murder of Saudi dissident Jamal Khashoggi released a statement that did openly suggest NSO was likely responsible: “Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group’s Pegasus,” it said.
Citizen Lab’s claims rely on a report by the US firm FTI Consulting, which found that Bezos’s phone was hacked when he received a poisoned video file over WhatsApp, sent by bin Salman’s own phone after the two men traded phone numbers at a dinner. The Saudi embassy has denied that claim.
In the Bezos case, NSO responded with a much stronger denial that it was involved, writing on its website that the company “is shocked and appalled by the story that has been published with respect to the alleged hacking of the phone of Mr. Jeff Bezos.” The company pledged to help with any investigation.