Sophisticated spyware was used to hack the phones of 36 Al Jazeera journalists, Citizen Lab said in a new report.
Citizen Lab said the hack, which it dubbed "Kismet," could be traced back to software made by Israeli security company NSO Group.
NSO Group denied any involvement.
Citizen Lab said it believed the hack was ineffective against iPhones with the iOS 14 update, but that the scale of the hack prior to that update could be worryingly large.
Journalists at news organization Al Jazeera were targeted by an iPhone hack that sent iMessages loaded with malware, the University of Toronto's Citizen Lab reports.
The hacking tool, dubbed "Kismet," was a zero-click, zero-day hack, meaning Apple had no idea the exploit existed, and the malware didn't need targets to click on anything for it to take effect.
Citizen Lab said the attack used the "Pegasus" software made by well-known Israeli security company NSO Group.
Citizen Lab said it had identified four separate entities using Pegasus in the attack. It said it could, with "medium confidence," link one of the four to Saudi Arabia, and another to the United Arab Emirates.
In a statement to Business Insider, NSO Group denied involvement, saying Citizen Lab's report was based on "speculation."
"NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, and as stated in the past we do not operate them," a spokesperson for NSO Group said.
"However, when we receive credible evidence of misuse with enough information which can enable us to assess such credibility, we take all necessary steps in accordance with our investigation procedure in order to review the allegations," they added.
This isn't the first time NSO Group's Pegasus software has been linked with hacking journalists' phones.
In June of this year, Amnesty International said Pegasus had been used by the Moroccan government to hack a Moroccan journalist's phone. NSO Group did not confirm nor deny the claims, and promised to investigate.
In October last year, Facebook filed a lawsuit against the company claiming its software was used to perpetrate a large-scale hack of WhatsApp users, including journalists and human rights activists. NSO is fighting the lawsuit.
Citizen Lab said it believed the hack was ineffective against iPhones with the iOS 14 update, but that the scale of the hack prior to that update rolling out could be worryingly large.
"Given the global reach of NSO Group's customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit," Citizen Lab said in its report.
While Citizen Lab first detected Kismet in July 2020, it said device logs suggest the hack was being used as far back as October 2019.
An Apple spokesperson told Business Insider that iOS 14, which was launched in September of this year, was more robust.
"At Apple, our teams work tirelessly to strengthen the security of our users' data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data," the spokesperson said.
Read the original article on Business Insider