Between October 2019 and July 2020, the personal iPhones of 36 journalists, producers,
anchors, and executives at Al Jazeera, Qatar’s flagship international news
network, were compromised using NSO Group’s Pegasus spyware. The infections were
discovered and disclosed in December 2020 by the University of Toronto’s Citizen Lab,
which identified a zero-click exploit chain dubbed “KISMET” that targeted Apple’s
iMessage service without requiring any user interaction.
Citizen Lab attributed the attacks to four distinct Pegasus operators, with two identified as
linked to Saudi Arabia (codenamed “MONARCHY”) and the UAE (codenamed “SNEAKY
KESTREL”). In one documented case, 270 megabytes of data were exfiltrated from a single
journalist’s device in just 16 hours, including emails, messages, photographs, location
data, and microphone recordings.
## Key Facts
- **What:** NSO Pegasus spyware deployed via zero-click iMessage exploits against Al Jazeera.
- **Who:** 36 Al Jazeera journalists, producers, anchors, and executives were compromised.
- **Data Exposed:** Messages, emails, GPS locations, photos, microphone recordings, and source contacts.
- **Outcome:** Attacks attributed to Saudi and UAE operators; prompted Apple Lockdown Mode creation.
## What Was Exposed
- Complete contents of encrypted messaging applications including iMessage, WhatsApp,
Signal, and Telegram conversations on 36 compromised devices
- Email archives from personal and professional accounts accessible on the
infected devices, including correspondence with confidential sources
- Real-time GPS location tracking data for each compromised journalist, creating
a continuous surveillance record of their physical movements
- Photographs and videos stored on device, including unpublished journalistic
material and personal content
- Live microphone and camera activation capability, enabling real-time audio and
visual surveillance of the journalists and their surroundings
- Contact lists, call logs, and social network mapping data revealing the
journalists’ professional networks and confidential sources
- Passwords, authentication tokens, and credentials stored on or transmitted
through the compromised devices
- Calendar entries, notes, and draft documents including unpublished stories
and editorial planning materials
The KISMET exploit chain was exceptionally sophisticated. It exploited a then-unknown
vulnerability in Apple’s iMessage processing stack that allowed code execution
without any user interaction. The target received no visible message, notification, or
alert. The exploit was delivered as an invisible iMessage that triggered the vulnerability
automatically upon receipt, installing the full Pegasus implant without the journalist
ever touching their device. This zero-click capability rendered standard security
advice (don’t click suspicious links, don’t open unknown attachments)
completely irrelevant.
Once installed, Pegasus provided the operators with near-total access to the device.
The spyware could read all messages across all applications, including those using
end-to-end encryption, because it operated at the device level rather than intercepting
communications in transit. It could silently activate the microphone and camera, track
GPS location in real time, extract stored files and credentials, and transmit all
collected data to operator-controlled infrastructure.
The case of Al Jazeera journalist Tamer Almisshal, who cooperated with Citizen Lab’s
investigation, illustrated the scale of data exfiltration. Network analysis of Almisshal’s
device traffic revealed that 270 megabytes of data were uploaded to Pegasus infrastructure
in a single 16-hour period. For context, 270 megabytes could contain tens of thousands of
text messages, hundreds of high-resolution photographs, hours of compressed audio recordings,
and extensive document archives. This volume of exfiltration from a single device suggests
a comprehensive harvesting operation rather than targeted collection of specific intelligence.
The attribution to Saudi and UAE government operators was based on Citizen Lab’s
extensive infrastructure mapping of Pegasus command-and-control servers. The MONARCHY
operator, attributed to Saudi Arabia, had been previously linked to the targeting of
Saudi dissidents and human rights activists. SNEAKY KESTREL, attributed to the UAE,
had been connected to previous surveillance operations against UAE-based activists
and journalists. Two additional operators were identified but not publicly attributed
to specific governments.
The targeting of Al Jazeera journalists must be understood in the context of the
Gulf diplomatic crisis that began in June 2017. Saudi Arabia and the UAE had listed
the closure of Al Jazeera as one of their 13 demands for lifting the Qatar blockade.
The surveillance campaign against Al Jazeera journalists, conducted during the
blockade period, served dual purposes: intelligence collection on the network’s
editorial operations and sources, and the potential gathering of compromising material
that could be used to discredit the organization or individual journalists.
## Regulatory Analysis
The Pegasus campaign against Al Jazeera presents a regulatory scenario that exists
at the intersection of data protection law, press freedom protections, and
international law governing state-sponsored surveillance. Qatar’s domestic
legal framework provides some protections, but the cross-border, state-sponsored
nature of the attack exposes the limitations of national data protection regimes
when confronted with nation-state adversaries.
Qatar’s Law No. 13 of 2016, Article 7 requires appropriate technical measures
to protect personal data against unauthorized access. However, the concept of
“appropriate measures” becomes analytically challenging when the threat
is a zero-click exploit developed by a well-funded commercial surveillance company
and deployed by a foreign government. No commercially available security product
could have prevented the KISMET exploit at the time of its deployment. This raises
the question of whether data protection obligations should be evaluated against the
state of commercially available defenses or against the full spectrum of known threats.
Article 9 of Law No. 13 addresses the transfer of personal data outside Qatar. The
exfiltration of 270 megabytes of data from a journalist’s device to foreign
government-controlled infrastructure constitutes an unauthorized cross-border data
transfer of the most egregious kind. However, the “controller” in this
case is a foreign intelligence service, placing the violation beyond the practical
enforcement reach of Qatar’s domestic regulators.
The QFC Data Protection Regulations 2021, while not directly applicable to Al Jazeera
(which is not QFC-licensed), provide a more detailed framework for evaluating the
security obligations of organizations processing sensitive data. Article 29 of the
QFC DPR requires organizations to implement “appropriate technical and
organisational measures” to ensure data security, taking into account the state
of the art, implementation costs, and the nature, scope, context, and purposes of
processing. For media organizations handling journalistic sources and editorial
communications, the “nature and context” analysis would demand
significantly elevated security measures.
International legal frameworks provide additional context. The targeting of
journalists with spyware violates multiple provisions of international human rights
law, including Article 19 of the International Covenant on Civil and Political Rights
(freedom of expression) and Article 17 (freedom from arbitrary interference with
privacy). The UN Special Rapporteur on Freedom of Expression has explicitly stated
that the use of spyware against journalists constitutes a violation of international
law that cannot be justified under any circumstances.
## What Should Have Been Done
Defending against nation-state spyware like Pegasus requires security measures that
go beyond standard corporate cybersecurity. Al Jazeera, as a media organization
operating in one of the most contested information environments in the world, should
have implemented a security program specifically designed to counter state-sponsored
surveillance targeting.
Apple’s Lockdown Mode, introduced in iOS 16 in 2022 partly in response to the
Pegasus revelations, provides the most directly relevant technical mitigation. Lockdown
Mode restricts iMessage functionality, blocks unknown FaceTime calls, disables link
previews, and limits other attack surface features that zero-click exploits target.
While Lockdown Mode did not exist at the time of the Al Jazeera attacks, its
development validates the principle that high-risk individuals require fundamentally
reduced attack surfaces rather than incremental security improvements.
Mobile device management (MDM) with strict security policies should have been deployed
across all journalist devices. MDM solutions can enforce operating system updates
within hours of release, restrict app installations to approved sources, enforce
encryption, and provide centralized monitoring for indicators of compromise. The
KISMET exploit was effective against specific iOS versions, and aggressive patching
cadences reduce the window of vulnerability for known and unknown exploits.
Compartmentalization of communications was essential. Journalists covering sensitive
stories in the Gulf region should not have used the same devices for personal
communications, editorial coordination, and source communication. Dedicated devices
for source communication, regularly rotated and forensically examined, would have
limited the blast radius of any single device compromise and protected confidential
sources even if a journalist’s primary device was infected.
Network traffic analysis and anomaly detection should have been deployed to detect
the data exfiltration characteristic of Pegasus infections. The exfiltration of
270 megabytes from a single device in 16 hours represents anomalous network behavior
that could be detected through baseline traffic analysis. Mobile threat detection
solutions that monitor for unusual network connections, unexpected data transfers,
and communication with known surveillance infrastructure would have provided early
warning of active infections.
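The baseline traffic analysis described above, written out as an added example (not code from the original article, Citizen Lab, or any vendor). It scores each device's heaviest 16-hour upload window against that device's own historical peak and against a list of known surveillance hosts. The flow records, device names, thresholds (100 MB absolute floor, 10x the historical peak) and the hostname in the indicator list are all constructed for this example; a real deployment would feed it from netflow or proxy logs and a maintained indicator list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
WINDOW = timedelta(hours=16)   # the 16-hour exfiltration window cited in the article
ABS_MIN_BYTES = 100 * MB       # assumed: never flag on ratio alone below this volume
RATIO = 10                     # assumed: flag when a window exceeds 10x the device's historical peak

# Constructed flow records: (device, UTC timestamp, destination host, bytes uploaded).
# Every value below is invented for this example; hostnames are placeholders.
BASELINE_FLOWS = [
    ("journalist-07", "2020-03-01T09:00:00", "mail.example-news.test", 3 * MB),
    ("journalist-07", "2020-03-01T18:00:00", "cdn.example-social.test", 5 * MB),
    ("journalist-07", "2020-03-02T10:00:00", "mail.example-news.test", 4 * MB),
    ("journalist-07", "2020-03-02T21:00:00", "cdn.example-social.test", 6 * MB),
    ("journalist-12", "2020-03-01T08:00:00", "mail.example-news.test", 2 * MB),
    ("journalist-12", "2020-03-02T08:00:00", "mail.example-news.test", 3 * MB),
]
RECENT_FLOWS = [
    # journalist-07: 270 MB pushed to an unfamiliar host within 14 hours
    ("journalist-07", "2020-03-03T01:00:00", "upload.placeholder-c2.test", 90 * MB),
    ("journalist-07", "2020-03-03T07:00:00", "upload.placeholder-c2.test", 90 * MB),
    ("journalist-07", "2020-03-03T15:00:00", "upload.placeholder-c2.test", 90 * MB),
    # journalist-12: ordinary traffic only
    ("journalist-12", "2020-03-03T08:00:00", "mail.example-news.test", 2 * MB),
]

# Placeholder indicator list; a real one would come from published research, not from here.
KNOWN_SURVEILLANCE_HOSTS = {"upload.placeholder-c2.test"}


def _by_device(flows):
    """Group flows per device and sort them by time."""
    grouped = defaultdict(list)
    for device, ts, host, nbytes in flows:
        grouped[device].append((datetime.fromisoformat(ts), host, nbytes))
    for events in grouped.values():
        events.sort(key=lambda e: e[0])
    return grouped


def peak_window(events, window=WINDOW):
    """Largest total upload in any window of length `window` that starts at an event.
    Returns (bytes, window_start, hosts). A sliding window catches bursts that
    fixed calendar buckets would split across a boundary."""
    best = (0, None, frozenset())
    for i, (start, _, _) in enumerate(events):
        total, hosts = 0, set()
        for t, host, nbytes in events[i:]:
            if t - start >= window:
                break
            total += nbytes
            hosts.add(host)
        if total > best[0]:
            best = (total, start, frozenset(hosts))
    return best


def detect_exfiltration(baseline_flows, recent_flows, known_hosts=KNOWN_SURVEILLANCE_HOSTS):
    """Compare each device's recent peak window with its historical peak and with the
    known-host list. Returns one finding dict per device that trips either rule."""
    baseline = {d: peak_window(e)[0] for d, e in _by_device(baseline_flows).items()}
    findings = []
    for device, events in _by_device(recent_flows).items():
        total, start, hosts = peak_window(events)
        hist = baseline.get(device, 0)   # unseen device: any window above the floor is flagged
        reasons = []
        if total >= ABS_MIN_BYTES and total > RATIO * hist:
            reasons.append("volume")
        if hosts & known_hosts:
            reasons.append("known-host")
        if reasons:
            findings.append({
                "device": device,
                "window_start": start.isoformat(),
                "bytes": total,
                "baseline_peak_bytes": hist,
                "hosts": sorted(hosts),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(BASELINE_FLOWS, RECENT_FLOWS):
        print(f"{f['device']}: {f['bytes'] // MB} MB in 16h from {f['window_start']} "
              f"(historical peak {f['baseline_peak_bytes'] // MB} MB), reasons={f['reasons']}")
```

The two rules are deliberately independent: the volume rule needs no indicator list and so still fires against infrastructure nobody has published yet, while the known-host rule catches low-and-slow traffic that stays under the volume threshold. Per-device baselines matter because a video producer's normal upload volume would be an anomaly for a text reporter.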
Regular forensic analysis of journalist devices should have been standard practice.
Citizen Lab’s discovery of the infections relied on forensic examination of
device artifacts and network logs. Organizations operating in high-risk environments
should conduct periodic forensic examinations of staff devices as a proactive
detection measure, rather than waiting for external researchers to discover
compromises months or years after they occur.
The Pegasus campaign against Al Jazeera represents the weaponization of commercial
surveillance technology against press freedom. Thirty-six journalists were
comprehensively surveilled through zero-click exploits that no user behavior could
have prevented. This incident underscores that media organizations operating in
contested geopolitical environments must adopt nation-state-grade defensive security,
because the threats they face are nation-state-grade offensive operations.