Dozens of iPhones used by reporters at Al Jazeera, the Qatar-funded news channel, were hacked using commercially sold spyware from Israel’s NSO Group which exploited an unknown flaw in Apple’s iMessage service, the watchdog group Citizen Lab said.

At least 36 phones were infiltrated with Pegasus, a military-grade spyware that surreptitiously turns the handset into a surveillance device, using a flaw in iMessage that was fixed around mid-2020, according to Citizen Lab.

The University of Toronto-based research group, which helps protect journalists and activists from surveillance, pointed to Saudi Arabia and the United Arab Emirates, regional rivals of Qatar, as the likely operators of the NSO Group’s spyware.

“For the UAE and Saudi surveillance apparatuses, hacking investigative journalists is no accident — it practically comes with the job description,” said Bill Marczak, a senior research fellow at Citizen Lab. “If you sold a hacking tool to some of the world’s most repressive governments, and told them it was invisible, who do you think they would target?”

Saudi and UAE officials did not immediately respond to requests for comment.

A London-based reporter at Al Araby, which has links to the Qatari government, was also hacked, the lab said.

The news comes just weeks after another Al Jazeera journalist, Ghada Oueiss, filed a lawsuit alleging that her phone had been hacked by Saudi Arabia and the UAE using NSO software that targeted a vulnerability in the WhatsApp messaging app.

The UAE and Saudi Arabia have previously demanded that Qatar close Al Jazeera, which has reported critically on human rights violations in Saudi Arabia as well as the Saudi and UAE-led intervention in the war in Yemen.

The Israeli company, valued at more than $1bn in a buyout that was led by management alongside the London-based private equity group Novalpina, has been the subject of intense criticism by human rights groups and the UN’s rapporteur on freedom of expression, for selling its powerful spyware to countries with a worrying record of repressing journalists and pro-democracy activists.

In a statement, the company attacked Citizen Lab for focusing on the NSO Group’s activities, and assailed its researchers for basing their work on “speculations, inaccurate assumptions and without a full command of the facts”.

NSO’s responses have not contained any denial that its software is being abused by either of the two Gulf nations, which have been tied to past targeting of journalists and critics of Saudi Arabia’s de facto leader Crown Prince Mohammed bin Salman.

Instead, the company said it investigated all reports of abuse thoroughly. In the past, it has said it only sells its product with the approval of the Israeli government and after careful vetting of customers.

“The NSO Group’s claims to abide by human rights standards are nearly impossible to verify,” said David Kaye, a law professor at University of California’s Irvine campus.

The company had published its human rights policies, he said, and “yet, these kinds of abuses take place with alarming regularity, without any oversight, and with a claim by the company of non-involvement”.

The Financial Times reported in May 2019 that the company’s spyware had used a weakness in the ubiquitous WhatsApp to deliver its payload of surveillance software, which would overcome the defences of iPhones and Android devices to transmit stored data and turn on the camera and microphone to secretly record in-person conversations.

This time, Citizen Lab found a similar ability to deliver a so-called “zero click” attack, which means that users of the iPhones had no way of knowing that their devices had been targeted.

Apple said in a statement that “the attack described in the research was highly targeted by nation-states against specific individuals”, and that its iOS 14 operating system delivered new protections against these sort of attacks.