Human Rights Defenders Targeted by Government Surveillance Spyware

The Pegasus spyware can snoop on keystrokes, audio and video with a single click, cyber researchers say.

Spy software with a documented history of being sold to governments was recently used to target a staff member of Amnesty International, the rights group said on Wednesday.

The Pegasus tool—designed to infect phones on iOS and Android—was linked to an Israeli cyberwarfare outfit called NSO Group. The spyware—which can snoop on keystrokes, audio and browser history with a single click—was sent via WhatsApp in June. The cyberattack came during a campaign demanding the release of six women's rights activists detained in Saudi Arabia.

Containing a booby-trapped link, the text attempted to lure the staffer with information about an alleged protest taking place in front of the Embassy of Saudi Arabia in Washington, D.C.

The message read: "I am on a scholarship here so please do not link me to this. Cover the protest now it will start in less than an hour. We need your support please." The domain included was tied to online infrastructure previously connected to NSO, Amnesty International said in a new report.

It was also discovered that another Saudi Arabia rights activist, who was not named, had received a similar malicious text—and was likely one of many victims.

"NSO Group is known to only sell its spyware to governments," said Joshua Franco, Amnesty International's head of technology and human rights, in a news release on Wednesday.

"We therefore believe that this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work," he continued.

"The potent state-hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance. A smartphone infected with Pegasus is essentially controlled by the attacker—it can relay phone calls, photos, messages and more, directly to the operator."

Amnesty discovered a network of 600 suspicious domains in total, some posing as news outlets. It said the culprits were likely using automated software to push the malicious texts. The scope of the operation put human rights defenders around the world at risk, the group noted.

Researchers from cybersecurity company Lookout previously conducted in-depth analysis of the Pegasus variants. They found it "was built to be stealthy, targeted and is very sophisticated." Citizen Lab discovered one strain after United Arab Emirates human rights activist Ahmed Mansoor was targeted. Apple later took steps to block the surveillance tool.

"The message sent to us seems to be part of a much broader surveillance campaign, which we suspect is being used to spy on human rights activists worldwide and prevent their vital work," Franco said. "Defending human rights is not a crime, and we refuse to be intimidated by this.

"We are working with human rights activists to help them protect themselves against similar cowardly attacks, and ensure that abusive governments cannot use technology to silence them."

In a statement, the NSO Group defended the use of data interception technology.

"NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots," it asserted. "Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism.

"Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.

"If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us."

A brochure describing Pegasus was exposed in the 2015 leak of information from Hacking Team, an Italian spyware vendor. This year, a rogue employee attempted to sell NSO source code.