At least 36 journalists at Qatari state-run news organisation Al Jazeera were targeted between July and August in an online attack that can be linked to the governments of the United Arab Emirates and Saudi Arabia, a cyber security watchdog said in its report, released on Sunday.

University of Toronto-based Citizen Lab said the malware that infected the journalists’ phones was traced back to the Israel-based cyber intelligence company NSO Group, which has been previously criticised for selling spyware to governments.

“In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera,” the report said. “The personal phone of a journalist at London-based Al Araby TV was also hacked.”

Using only push notifications, the malware caused the phones to upload their content to servers linked to the Israeli firm, Citizen Lab said. This turned the journalists’ phones into powerful surveillance tools without their owners being lured into clicking on suspicious links or texts.

NSO Group’s Pegasus spyware is a mobile phone surveillance solution that allows devices to be remotely exploited and monitored. The company has been accused of selling surveillance technology to governments around the world. According to leading researchers at Citizen Lab, the NSO Group is moving towards zero-click exploits and network-based attacks that allow phones to be infiltrated without any interaction from the target and do not leave any visible traces.

The phones of the Al Jazeera journalists were made vulnerable to the attack with the use of an “exploit chain” that appears to involve an “invisible zero-click exploit in iMessage”, according to the Citizen Lab’s report. “The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates,” it said.

The cyber security watchdog suspects that the infiltrations it observed were a “miniscule fraction” of the overall attacks making use of the vulnerability. “Infrastructure used in these attacks included servers in Germany, France, UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean,” the report stated.

Citizen Lab’s report said that it had shared the findings with Apple, and the tech company confirmed it was looking into the matter. The company reassured its customers by saying that the latest version of its operating system, iOS 14, “delivered new protections against these kinds of attacks,” according to AP.

In 2019, Facebook-owned messaging platform WhatsApp was breached on at least 1,400 phones across the world. They were targeted through an exploit that was sent through a missed voice call. WhatsApp had notified the targets about the matter and later sued the NSO Group.

During a two-week period in May 2019, at least 121 Indians, including academics, lawyers, and Dalit activists, were also the target of an attempted security breach using the Pegasus WhatsApp spyware. According to the government, the personal data of at least 20 WhatsApp users was accessed by unidentified hackers. The spyware was developed by an Israeli company that claims that the software was sold only to government agencies. The government, however, has denied its role in the illegal surveillance of the devices.