
The linked NYTimes article references 3 exploits dubbed the "Trident Exploit Chain" that are detailed in an excellent Lookout / Citizen Lab writeup [1] discussed on HN 8 days ago [2].

The target is sent an SMS containing a link to a site that triggers the exploit chain to remotely jailbreak the phone and clandestinely install the monitoring software.

Ahmed Mansoor, a UAE journalist, was recently targeted with one of these SMS messages and was immediately suspicious. Instead of clicking the link, he contacted Citizen Lab researchers who connected it back to NSO Group.

[1] https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

[2] https://news.ycombinator.com/item?id=12360662



Anyone else think it's a bit of a joke that a $1M+ bug still relies on the user clicking a phishing SMS to work?


I'd suspect there's a disconnect between the group selling/providing the tools, and the group using them.

A WebKit 0day could've been delivered via a watering-hole attack or something even just a tiny bit more sophisticated (compromise a trusted contact's social media account, send the link from there) and succeeded.

Whoever put the effort/time/money into developing the exploit chain is likely pissed off it got burnt via such an amateur delivery.


Not particularly. Besides the fact that was only one of many possible delivery vectors available, e.g. XSS, direct compromise of a visited site etc, it's one with quite a high chance of succeeding* in the wild.

* when the target isn't already paranoid due to previous attacks and the bait isn't quite so pathetic in its construction...

Edit: I imagine they went with the SMS method due to its high accuracy and low risk of detection from third parties.



