Alongside previous attacks using NSO’s software, “it paints a disturbing picture of the ways in which NSO Group technologies are being abused globally,” Amnesty wrote in a report sent by the NGO to Forbes ahead of publication on Wednesday. Indeed, there are as many as 174 publicly reported cases of individuals “abusively targeted” with NSO spyware, according to John Scott-Railton, a security and privacy researcher at the University of Toronto-based Citizen Lab.
“The increasing ubiquity and affordability of off-the-shelf surveillance tools—and the secrecy surrounding this market—mean that just about any government can afford powerful tools for spying on those it wants to keep an eye on,” said Josh Franco, head of technology and human rights at Amnesty. “There is no one policing this market, and we have almost no idea what tools governments have at their disposal to target us, and few if any ways to hold them, or vendors, accountable.”
NSO declined to comment on the specifics of the report, saying it had signed nondisclosure agreements preventing it from discussing customers. “Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts and the values that we stand for as a company,” a spokesperson said.
“If an allegation arises concerning a violation of our contract or inappropriate use of our technology, we investigate the issue and take appropriate action based on those findings.”
In June this year, an unnamed Amnesty employee was sent a suspicious WhatsApp message. The sender asked the recipient to provide some kind of coverage of a protest happening in front of the Saudi Arabian embassy in Washington D.C. that supported “brothers” detained in the Middle Eastern country.
The message also contained a link, presumably containing information on the protest. But the link led to a website that Amnesty believes is controlled by NSO Group. The Israeli company’s tech uses such websites as launchpads, taking the target through to another site that’s used to launch attacks on target smartphones, according to Amnesty and Citizen Lab. If successful, this results in infection of the device with Pegasus.
Once the Pegasus spyware is on an Apple or Google device, it can do almost anything, from silently stealing messages and spying on calls to peeping through the webcam and listening in through the microphone. Fortunately for the Amnesty staffer targeted in this case, they avoided infection.
The nonprofit declined to say if the other non-Amnesty, Saudi-focused activist featured in its report was successfully hacked with NSO’s malware. The unnamed individual received an SMS text message that promised information on a mysterious court order, but again the linked website was connected by Amnesty to NSO.
“Regardless of whether that is ultimately successful or not, companies … have responsibilities to ensure their products don’t cause or contribute to human rights abuses,” said Franco. Amnesty couldn’t say who the attackers actually were, even though the victim activists were focused on Saudi Arabian issues.
600 potential threats to human rights
The connection from the suspicious link to NSO was the result of some deep technical work by Amnesty’s cybersecurity research team, led by Claudio Guarnieri, and Citizen Lab. They were able to develop a “fingerprint” of NSO’s attacks. The fingerprint was essentially a marker for identifying the way in which NSO rerouted targets from links in messages to websites where attacks would launch. NSO calls this the Pegasus Anonymizing Transmission Network (PATN).
The PATN uses encryption and layers of servers to avoid detection. But, ironically, as the surveillance company’s anti-detection techniques are unique, they can be turned into a fingerprint. Compare that fingerprint with techniques used in real-world attacks and it’s possible to link them to NSO. That’s just what Guarnieri and his team did with the attempted hacks on the Saudi activists.
Using that fingerprint, Amnesty researchers also found another 600 websites that rerouted visitors in a similar way to the attacks documented Wednesday. According to the Amnesty report, those 600 sites “represent potential threats to human rights defenders and civil society actors in countless other countries around the world.”
Some of the servers hosted websites that Amnesty believed could’ve been used in attacks on targets “relevant to Russian-speaking countries,” including a fake Sputnik News website. More fake news and government sites believed by the researchers to be controlled by NSO were also found in Kazakhstan.
‘175 cases of abuse’
Citizen Lab, which tracks surveillance tools, backed Guarnieri’s findings.
Talking about the 174 targets he’s tracked to date, Citizen Lab researcher Scott-Railton said: “The number weighs against NSO’s claims that their product is carefully used as part of national security and criminal investigations.
“I expect that the tally of abuses will only grow as NSO seeks to expand its customer base.”
In 2016, the iPhone of U.A.E. activist Ahmed Mansoor was targeted by the Pegasus tool, Citizen Lab reported. Throughout last year, the tool was allegedly used in Mexico, targeting a range of lawyers, activists and journalists, leading to a public outcry and demands for an official inquiry.
The Pegasus malware was also allegedly used by former Panama president Ricardo Martinelli to spy on his rivals. Martinelli was recently extradited from the U.S. to his homeland to face charges of embezzlement and espionage on political opponents. According to extradition court filings, he spent nearly $13.5 million on the Pegasus tool. He has denied any wrongdoing, according to previous reports.
Just earlier this month, it emerged one of NSO’s own programmers had stolen internal code and attempted to sell it on the dark web for as much as $50 million in various cryptocurrencies.
NSO and its private equity owner, Francisco Partners, suffered because of those public relations kerfuffles. An acquisition deal with Blackstone Group that valued NSO at $1 billion last year fell apart because the investment business was concerned about the debacle in Mexico, a source familiar with the talks previously told Forbes. In July, it was reported that another acquisition deal with another Israeli surveillance giant, Verint, fell apart.