A Saudi woman's iPhone revealed NSO group's web around the world

A glitch in the hacking software led Apple to notify thousands of state-backed hacking victims globally and formed the basis for a November 2021 lawsuit

A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies now facing a cascade of legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.

It all started with a software glitch on her iPhone.

An unusual error in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to discover a trove of evidence suggesting the Israeli spyware maker had helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file within her phone, mistakenly left behind by the spyware, tipped off security researchers.

The discovery on al-Hathloul’s phone last year ignited a storm of legal and government action that has put NSO on the defensive.

Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping lead a campaign to end the ban on women drivers in Saudi Arabia. She was released from jail in February 2021 on charges of harming national security.

Soon after, the activist received an email from Google warning her that state-backed hackers had tried to penetrate her Gmail account. Fearful that her iPhone had been hacked as well, al-Hathloul contacted the Canadian privacy rights group Citizen Lab and asked them to probe her device for evidence, three people close to al-Hathloul told Reuters. 

After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left a copy of the malicious image file, rather than deleting itself, after stealing the messages of its target.

He said the finding, computer code left by the attack, was direct evidence NSO built the espionage tool. “It was a game changer,” said Marczak. “We caught something that the company thought was uncatchable.” The discovery amounted to a hacking blueprint and led Apple to notify thousands of other state-backed hacking victims around the world, according to sources.

Citizen Lab and al-Hathloul’s find provided the basis for Apple’s November 2021 lawsuit against NSO and it also reverberated in Washington, where US officials learned that NSO’s cyberweapon was used to spy even on American diplomats.

In a statement, an NSO spokesperson said the company does not operate the hacking tools it sells —government, law enforcement and intelligence agencies do. The spokesperson did not answer questions on whether its software was used to target al-Hathloul or other activists.

Discovering the blueprint

Al-Hathloul had good reason to be suspicious — it was not the first time she was being watched.

A 2019 Reuters investigation revealed that she was targeted in 2017 by a team of US mercenaries who surveilled dissidents on behalf of the United Arab Emirates under a secret program called Project Raven, which categorised her as a ‘national security threat’ and hacked into her iPhone.

She was arrested and jailed in Saudi Arabia for almost three years, where her family says she was tortured and interrogated utilising information stolen from her device. Al-Hathloul was released in February 2021 and is banned from leaving the country.

Al-Hathloul’s experience of surveillance and imprisonment made her determined to gather evidence that could be used against those who wield these tools, said her sister Lina al-Hathloul. The type of spyware Citizen Lab discovered on al-Hathloul’s iPhone is known as a ‘zero click,’ meaning the user can be infected without ever clicking on a malicious link.

Zero-click malware usually deletes itself upon infecting a user, leaving researchers and tech companies without a sample of the weapon to study. But this time was different.