Personal iPhones of at least 36 journalists, producers, anchors, and executives at Al Jazeera, as well as a journalist at London-based Al Araby TV, were allegedly compromised using spyware called Pegasus sold by the Israeli private intelligence firm NSO Group.
The major espionage campaign against employees of one of the world’s leading media organizations was uncovered by researchers at Citizen Lab at the University of Toronto, who said the cyber attack was most likely orchestrated by Saudi Arabia and the United Arab Emirates.
The campaign, which was active in July and August 2020, involved a no-user-interaction zero-day vulnerability in the iOS iMessage app, which was part of an exploit chain called Kismet. Infrastructure used in these attacks included servers in Germany, France, the UK, and Italy using cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.
The investigation revealed that this tool was also deployed in campaigns launched between October and December 2019.
According to the report, the Kismet tool was sold to at least four entities, including two buyers in Saudi Arabia and the United Arab Emirates, which Citizen Lab linked to two threat actors. One is called Monarchy (attributed to Saudi Arabia), and the other is Sneaky Kestrel, which is thought to have ties to the United Arab Emirates.
Citizen Lab said the malicious code they discovered made “almost all” iPhone devices running versions that pre-dated iOS 14 vulnerable. According to the researchers, it appears that Kismet does not work against iOS 14 and above, suggesting the issue has already been fixed by Apple.
“Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a miniscule fraction of the total attacks leveraging this exploit,” the report said.
The researchers shared their findings with Apple, which in turn initiated its own investigation into the matter.
NSO Group said it was not familiar with the allegations.
“As we have repeatedly stated we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on. However, where we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations,” a spokesperson for NSO Group said in a statement to the Guardian.