An Amnesty International employee and Saudi Arabian activist were targeted with what appears to be commercial spyware only sold to governments.
In a lengthy blog post released Wednesday, London-based Amnesty International revealed that a suspicious message with a malicious link was sent to an employee. Citizen Lab, a Canadian research organization, helped analyze the incident and posted its own set of findings, which corroborated Amnesty’s report.
Both suggest that the malicious messages bore the marks of Pegasus, a highly sophisticated commercial spyware and exploitation tool sold by NSO Group, a secretive Israeli surveillance company that only sells its highly proprietary wares to authorized governments.
In June, an Amnesty employee received a WhatsApp message in Arabic with Saudi Arabia-related content and a malicious link. Earlier this summer, a Saudi human rights activist living abroad also received SMS messages with a similar link. Neither were opened.
Had the recipients clicked the links, researchers believe that they would have triggered the automatic, undetectable installation of Pegasus.
The domain names that these links pointed to, along with associated network infrastructure that overlaps with previously identified NSO domains and servers, suggests the involvement of the Israeli company, Amnesty and Civilian Lab researchers wrote.
Security researchers have blown the cover on earlier versions of NSO spyware, forcing the company to take down previous domain names and servers “and spin up a new version of their infrastructure,” Bill Marczak, a research fellow at Citizen Lab, told CyberScoop.
“The websites in the [most recent] messages are linked to a third version of NSO’s infrastructure that has overlaps with the second version [detected in 2016],” said Marczak.
Citizen Lab couldn’t definitively link the messages to Pegasus because it was unable to obtain any exploit or spyware from the links.
Josh Franco, Amnesty’s head of technology and human rights, said he can’t attribute the messages to any known person or group.
“We don’t totally know,” Franco told CyberScoop. “We believe it’s a state actor who’s hostile to our work but can’t be specific beyond that.”
“NSO tries to very carefully control these links to make sure that security researchers can’t get useful stuff from them,” said Marczak, in part by making the malicious link valid only for a certain number of clicks and disabling it after a set amount of time.
“We can’t say 100 percent that this is Pegasus, because we haven’t seen the malware,” said Franco. “But we’re pretty confident, since there’s this infrastructure overlap with Pegasus.”
Pegasus – the spy’s dream snooping tool
A leaked product description of Pegasus touts it as “a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile device.”
Pegasus remotely installs invisible spyware on target devices, extracts data and securely transmits it back to proxy servers through a network of anonymizing nodes. Installing the spyware can be done through an over-the-air push notification or an “enhanced social engineering message.”
Once installed, the document states, Pegasus operators have “unlimited access” to the targeted device and can intercept calls, activate the microphone, pinpoint a user’s location, steal passwords and monitor application usage.
NSO only sells its tools to authorized governments and is subject to stringent export control laws and regulations, but its client base is unknown. The company is headquartered in Herzliya, a northern suburb of Tel Aviv, has hundreds of employees and draws talent from the ranks of the elite Israeli hacking unit Unit 8200.
The state-of-the-art spyware is able to routinely penetrate defenses because NSO’s staff continuously find vulnerabilities and zero-days, Marczak said.
NSO’s critics charge that its spyware isn’t only used on criminals and terrorists, but also on activists, journalists and dissidents. The company’s spyware has been used to snoop on members of Mexican civilians, a dissident in the United Arab Emirates and the political rivals of a former Panamanian president.
“Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism,” NSO Group said in a statement to Amnesty. “Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.”
“We agree that surveillance has a place in legitimate law enforcement and counterterrorism applications, but it has to adhere to certain human rights standards,” Franco said. “NSO has been implicated in previous scandals. They’re on notice.”