ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

Al Jazeera 36 Journalists Hacked with NSO Pegasus Spyware

Dec 2020 · State-sponsored

Publication Date
2020-12-01
Category
Nation-State & Espionage
Author
K. Ellabban
Organization
Zero|Tolerance Security Research

Between October 2019 and July 2020, the personal iPhones of 36 journalists, producers, anchors, and executives at Al Jazeera, Qatar’s flagship international news network, were compromised with NSO Group’s Pegasus spyware. The infections were discovered and disclosed in December 2020 by the University of Toronto’s Citizen Lab, which identified a zero-click exploit chain it dubbed “KISMET” that targeted Apple’s iMessage service and required no interaction from the victim.

Executive Summary

Key Facts

  • What: NSO Group’s Pegasus spyware, deployed via zero-click iMessage exploits against Al Jazeera staff.
  • Who: 36 Al Jazeera journalists, producers, anchors, and executives had their personal iPhones compromised.
  • Data exposed: messages, emails, GPS location history, photos, microphone recordings, and source contacts.
  • Outcome: Citizen Lab attributed the attacks to Saudi- and UAE-linked operators; the case was among the mercenary-spyware incidents that led to Apple’s later Lockdown Mode.
Impact Assessment

What Was Exposed

  • Complete contents of messaging applications, including end-to-end encrypted iMessage, WhatsApp, Signal, and Telegram conversations, on the 36 compromised devices
  • Email archives from personal and professional accounts accessible on the infected devices, including correspondence with confidential sources
  • Real-time GPS location tracking data for each compromised journalist, creating a continuous surveillance record of their physical movements
  • Photographs and videos stored on device, including unpublished journalistic material and personal content
  • Live microphone and camera activation capability, enabling real-time audio and visual surveillance of the journalists and their surroundings
  • Contact lists, call logs, and social network mapping data revealing the journalists’ professional networks and confidential sources
  • Passwords, authentication tokens, and credentials stored on or transmitted through the compromised devices
  • Calendar entries, notes, and draft documents including unpublished stories and editorial planning materials

The KISMET exploit chain was exceptionally sophisticated. It exploited a then-unknown vulnerability in Apple’s iMessage processing stack that allowed code execution without any user interaction. The target saw no message, notification, or alert. The exploit arrived as an iMessage that never rendered on screen and triggered the vulnerability automatically on receipt, installing the full Pegasus implant without the journalist ever touching the device.

This zero-click capability rendered standard security advice (don’t click suspicious links, don’t open unknown attachments) irrelevant: there was nothing for the victim to decline.

Once installed, Pegasus provided the operators with near-total access to the device.

The spyware could read all messages across all applications, including those using end-to-end encryption, because it ran on the endpoint and read messages after the apps had decrypted them for display, rather than intercepting them in transit. It could silently activate the microphone and camera, track GPS location in real time, extract stored files and credentials, and transmit all collected data to operator-controlled infrastructure.

The case of Al Jazeera journalist Tamer Almisshal, who cooperated with Citizen Lab’s investigation, illustrated the scale of data exfiltration. Network analysis of Almisshal’s device traffic revealed that 270 megabytes of data were uploaded to Pegasus infrastructure in a single 16-hour period. For context, 270 megabytes could contain tens of thousands of text messages, hundreds of high-resolution photographs, hours of compressed audio recordings, and extensive document archives.

This volume of exfiltration from a single device suggests a comprehensive harvesting operation rather than targeted collection of specific intelligence.

The attribution to Saudi and UAE government operators was based on Citizen Lab’s extensive mapping of Pegasus command-and-control infrastructure, and Citizen Lab made it with medium confidence. The MONARCHY operator, attributed to Saudi Arabia, had previously been linked to the targeting of Saudi dissidents and human rights activists. SNEAKY KESTREL, attributed to the UAE, had been connected to previous surveillance operations against UAE-based activists and journalists. Two additional operators were identified but not publicly attributed to specific governments.

The targeting of Al Jazeera journalists must be understood in the context of the Gulf diplomatic crisis that began in June 2017. Saudi Arabia and the UAE had listed the closure of Al Jazeera as one of their 13 demands for lifting the Qatar blockade.

The surveillance campaign against Al Jazeera journalists, conducted during the blockade period, served dual purposes: intelligence collection on the network’s editorial operations and sources, and the potential gathering of compromising material that could be used to discredit the organization or individual journalists.

Compliance Impact

Regulatory Analysis

The Pegasus campaign against Al Jazeera presents a regulatory scenario that exists at the intersection of data protection law, press freedom protections, and international law governing state-sponsored surveillance. Qatar’s domestic legal framework provides some protections, but the cross-border, state-sponsored nature of the attack exposes the limitations of national data protection regimes when confronted with nation-state adversaries.

Qatar’s Law No. 13 of 2016, Article 7 requires appropriate technical measures to protect personal data against unauthorized access. However, the concept of “appropriate measures” becomes analytically challenging when the threat is a zero-click exploit developed by a well-funded commercial surveillance company and deployed by a foreign government. No commercially available security product was known to block the KISMET exploit at the time of its deployment; Citizen Lab’s assessment was that it stopped working only against iOS 14, released in September 2020, after the infections had already occurred.

This raises the question of whether data protection obligations should be evaluated against the state of commercially available defenses or against the full spectrum of known threats.

Article 9 of Law No. 13 addresses the transfer of personal data outside Qatar. The exfiltration of 270 megabytes of data from a journalist’s device to foreign government-controlled infrastructure is an unauthorized cross-border transfer of the most egregious kind. However, the party moving the data is a foreign intelligence service rather than a regulated controller, which places the violation beyond the practical enforcement reach of Qatar’s domestic regulators.

The QFC Data Protection Regulations 2021, while not directly applicable to Al Jazeera (which is not QFC-licensed), provide a more detailed framework for evaluating the security obligations of organizations processing sensitive data. Article 29 of the QFC DPR requires organizations to implement “appropriate technical and organisational measures” to ensure data security, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

For media organizations handling journalistic sources and editorial communications, the “nature and context” analysis would demand significantly elevated security measures.

International legal frameworks provide additional context. The targeting of journalists with spyware violates multiple provisions of international human rights law, including Article 19 of the International Covenant on Civil and Political Rights (freedom of expression) and Article 17 (freedom from arbitrary interference with privacy). The UN Special Rapporteur on Freedom of Expression has called for an immediate moratorium on the sale, transfer, and use of commercial surveillance tools until rights-respecting safeguards are in place, and has described the targeting of journalists with such tools as incompatible with states’ obligations under the Covenant.

Assessment

What Should Have Been Done

Defending against nation-state spyware like Pegasus requires security measures that go beyond standard corporate cybersecurity. Al Jazeera, as a media organization operating in one of the most contested information environments in the world, should have implemented a security program specifically designed to counter state-sponsored surveillance targeting.

Apple’s Lockdown Mode, introduced with iOS 16 in 2022 partly in response to mercenary spyware such as Pegasus, is the most directly relevant technical mitigation. It blocks most iMessage attachment types and link previews, rejects FaceTime calls from unknown callers, blocks wired data connections while the device is locked, and prevents installation of configuration profiles, removing much of the attack surface that zero-click exploits target.

While Lockdown Mode did not exist at the time of the Al Jazeera attacks, its development validates the principle that high-risk individuals require fundamentally reduced attack surfaces rather than incremental security improvements.

Mobile device management (MDM) with strict security policies should have been deployed across all journalist devices. MDM can force operating system updates onto supervised devices within hours of release, restrict app installation to approved sources, enforce encryption, and centralize monitoring for indicators of compromise. Citizen Lab observed KISMET working against iOS 13.5.1 and 13.7 and did not believe it worked against iOS 14, which shipped new security protections, so an aggressive patching cadence shrinks the window of exposure even to exploits that are unknown when first used. One practical caveat for current deployments: a device already in Lockdown Mode cannot be newly enrolled in MDM or supervised, so enrollment must be completed before Lockdown Mode is enabled.

Compartmentalization of communications was essential. Journalists covering sensitive stories in the Gulf region should not have used the same devices for personal communications, editorial coordination, and source communication. Dedicated devices for source communication, regularly rotated and forensically examined, would have limited the blast radius of any single device compromise and protected confidential sources even if a journalist’s primary device was infected.

Network traffic analysis and anomaly detection should have been deployed to catch the data exfiltration characteristic of Pegasus infections. An upload of 270 megabytes from a single phone in 16 hours is far outside a normal per-device baseline and is detectable by tracking outbound volume per device over a sliding window and by matching destinations against known surveillance infrastructure. The precondition is visibility: personal phones on cellular networks are invisible to corporate monitoring unless their traffic is routed through an always-on VPN to monitored egress or a mobile threat defense agent reports connections from the device, and that telemetry has to be collected before an infection, not reconstructed afterwards.
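As an added illustration of the baseline traffic analysis described above (example code written for this advisory, not tooling from Citizen Lab, Al Jazeera, or NSO Group), the following Python computes each device’s peak outbound volume in any sliding 16-hour window from flow logs, scores that peak against the fleet with a median/MAD robust z-score so a single infected device cannot drag the baseline up with it, and separately flags devices that contacted hostnames on a watchlist. The flow records, device identifiers, and the `relay-sync.example` watchlist entry are all constructed placeholders, not real indicators; the 270 MB burst on device D mirrors only the volume Citizen Lab reported from Almisshal’s phone.

```python
# Added example for this advisory, not Citizen Lab's or Al Jazeera's tooling:
# baseline per-device egress from flow logs and flag Pegasus-style bulk uploads,
# plus contacts with watchlisted infrastructure. All records and hostnames are
# constructed; "relay-sync.example" is a placeholder, not a real indicator.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

MB = 1_000_000
WINDOW = timedelta(hours=16)  # matches the 16-hour period in Citizen Lab's observation


@dataclass
class Flow:
    ts: datetime     # flow start, UTC
    device: str      # managed device identifier
    dest: str        # destination hostname
    bytes_out: int   # bytes sent by the device


def parse_flow(line: str) -> Flow:
    """Parse one CSV flow record of the form ts,device,dest,bytes_out."""
    ts, device, dest, nbytes = line.strip().split(",")
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, dest, int(nbytes))


# Constructed sample: devices A, B and C behave normally; device D uploads
# 270 MB to one host inside 14 hours, the volume reported from Almisshal's phone.
SAMPLE_LOG = """\
2020-07-19T06:00:00Z,D,mail.example,3000000
2020-07-19T07:00:00Z,B,cdn.example,6000000
2020-07-19T08:00:00Z,A,mail.example,3000000
2020-07-19T09:00:00Z,C,mail.example,4000000
2020-07-19T12:00:00Z,A,cdn.example,4000000
2020-07-19T18:00:00Z,B,mail.example,7000000
2020-07-19T18:00:00Z,D,relay-sync.example,90000000
2020-07-19T20:00:00Z,A,mail.example,2000000
2020-07-19T21:00:00Z,C,cdn.example,5000000
2020-07-19T23:00:00Z,D,relay-sync.example,100000000
2020-07-20T08:00:00Z,C,mail.example,6000000
2020-07-20T08:00:00Z,D,relay-sync.example,80000000
2020-07-20T09:00:00Z,A,cdn.example,5000000
2020-07-20T10:00:00Z,B,cdn.example,3000000
2020-07-20T11:00:00Z,D,cdn.example,4000000
"""

# Placeholder watchlist; in practice populated from published indicator feeds.
WATCHLIST_HOSTS = {"relay-sync.example"}


def peak_window_egress(flows, window=WINDOW):
    """Return {device: (peak_bytes, window_start)}: the largest outbound total in
    any sliding window, measured between flow start times (two-pointer scan)."""
    by_device = defaultdict(list)
    for f in flows:
        by_device[f.device].append(f)
    peaks = {}
    for device, fl in by_device.items():
        fl.sort(key=lambda f: f.ts)
        best, best_start, total, lo = 0, fl[0].ts, 0, 0
        for f in fl:
            total += f.bytes_out
            while f.ts - fl[lo].ts > window:  # drop flows that fell out of the window
                total -= fl[lo].bytes_out
                lo += 1
            if total > best:
                best, best_start = total, fl[lo].ts
        peaks[device] = (best, best_start)
    return peaks


def robust_zscores(values):
    """Median/MAD z-scores across the fleet, so one infected device does not
    inflate the baseline the way a mean/stddev score would."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values()) or 1  # guard identical fleets
    return {k: (v - med) / (1.4826 * mad) for k, v in values.items()}


def flag_exfiltration(flows, threshold=5.0, window=WINDOW):
    """Devices whose peak-window egress is an outlier against the fleet."""
    peaks = peak_window_egress(flows, window)
    scores = robust_zscores({d: p for d, (p, _) in peaks.items()})
    return {d for d, z in scores.items() if z > threshold}


def devices_contacting(flows, hosts):
    """Devices with at least one flow to a watchlisted hostname."""
    return {f.device for f in flows if f.dest in hosts}


def analyze(log_text):
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return {
        "peaks": peak_window_egress(flows),
        "exfil_suspects": flag_exfiltration(flows),
        "watchlist_hits": devices_contacting(flows, WATCHLIST_HOSTS),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for device, (peak, start) in sorted(report["peaks"].items()):
        print(f"{device}: peak 16h egress {peak / MB:.0f} MB from {start:%Y-%m-%d %H:%M}Z")
    print("exfiltration suspects:", sorted(report["exfil_suspects"]))
    print("watchlist contacts:", sorted(report["watchlist_hits"]))
```

Run directly, it prints each device’s peak 16-hour egress and flags D on both checks. In production the flow source would be the always-on VPN concentrator or mobile threat defense agent, and the watchlist would come from published indicator feeds rather than a literal in the script. The robust z-score assumes a fleet large enough for the median to reflect normal behaviour; with only a handful of devices, as in the sample, a fixed per-window byte threshold is a sensible second gate.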

Regular forensic analysis of journalist devices should have been standard practice.

Citizen Lab’s discovery of the infections relied on forensic examination of device artifacts and network logs. Organizations operating in high-risk environments should conduct periodic forensic examinations of staff devices as a proactive detection measure, rather than waiting for external researchers to discover compromises months or years after they occur.

The Pegasus campaign against Al Jazeera represents the weaponization of commercial surveillance technology against press freedom. Thirty-six journalists were comprehensively surveilled through zero-click exploits that no user behavior could have prevented. This incident underscores that media organizations operating in contested geopolitical environments must adopt nation-state-grade defensive security, because the threats they face are nation-state-grade offensive operations.