Amnesty International on Wednesday morning tweeted: “A malicious WhatsApp message with #SaudiArabia-related bait content, carrying links we believe are used to infect victims with highly sophisticated mobile spyware, were sent to our staff member.”
A malicious WhatsApp message with https://t.co/TkzSMp8BXG
-related bait content, carrying links we believe are used to infect victims with highly sophisticated mobile spyware, were sent to our staff member. Read our full investigation here.— AmnestyInternational (@amnesty)
The linked 20-page report relates that in June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware.
“Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages,” the story continued. “In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”
NSO Group Technologies is an Israeli firm that works in the world of cyber intelligence. It was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio, and employs about 500 people at its headquarters in Herzliya.
On August 25, 2016, Citizen Lab and Lookout revealed that software known as Pegasus, created by NSO Group, was being used to target Ahmed Mansoor, one of the few openly critical voices in the United Arab Emirates. Mansoor was later sentenced to 10 years in prison and fined 1,000,000 Emirati Dirham ($270,000) for his posts on social media.
This WhatsApp message the AI employee received reads: “Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington. My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this—link provided. Cover the protest now, it will start in less than an hour. We need your support, please.”
“The message was clearly an attempt to trick our colleague into clicking on the link, which pointed to a domain name akhbar-arabia[.]com,” AI reported Wednesday. “…we discovered this domain to belong to a large network infrastructure that has been previously documented to be connected to the Israeli surveillance vendor, NSO Group.
“Through our investigation we identified one other human rights defender from Saudi Arabia, who also received malicious SMS messages. These messages carried links to domains which we identified as part of that same network infrastructure used by NSO Group or its customers to deliver exploits and malware designed to silently harvest data from the victims’ phones. This malware would allow an attacker complete access to the target’s phone or computer, essentially turning the device into a sophisticated eavesdropping and tracking tool to be used against them.”
Joshua Franco, Amnesty’s head of technology and human rights, believes that, since NSO Group is known to only sell its spyware to governments, “this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work.”
NSO Group issued a statement saying: “NSO Group develops cyber technology to allows government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company. If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter.”
In early July, Israel’s Justice Ministry announced that a former NSO Group employee had been charged with stealing intellectual property and trying to sell it for $50 million over the Darknet “in a manner that could harm state security.”
The ministry said the accused, 38, was dismissed on April 29, following a hearing by NSO Group, and then downloaded software and information worth hundreds of millions of dollars. He then made attempts to sell the information for $50 million in virtual currency, but the buyer alerted NSO, which in turn alerted police.