Amnesty International targeted with Trojan linked to state-sponsored cyber attacks

Amnesty International claims to have been the target of a state-sponsored cyber attack in the form of a suspicious WhatsApp message bearing the mobile spyware Pegasus.

Pegasus is sold by NSO Group, which provides hacking tools to governments across the world. It says its tools are only licensed for use against "terrorists and criminals".

Amnesty claims that a staff member received the malicious WhatsApp message, written in Arabic, in late June.

The message requested the organisation to cover a protest in front of the Saudi embassy in Washington DC in relation to "brothers detained in Saudi Arabia", and contained a link to a website promising information about the alleged protest.

This, though, connected to a domain belonging to network infrastructure linked with NSO Group.

As for surveillance, let's be clear: We're talking total surveillance.

That had followed the receipt of an SMS text message sent to the same activist in May from a number used as part of a virtual phone number management system. These are typically used for bulk-sending SMS messages, implying that the message had been sent to a number of people. 

That message, too, also contained a URL pointing in the direction of network infrastructure linked with NSO Group.

"Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages," claimed Amnesty.

It continued: "Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group."

Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism

The Amnesty activist wasn't the only person to have received such a text message. According to Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto in Canada, similar text messages have been sent to targets across the Gulf Cooperation Council countries of the Middle East.

Kaspersky published an analysis of Pegasus last year, which suggested that versions of Pegasus exist for both Android and Apple's iOS mobile operating systems.

Pegasus is sophisticated enough to be able to install itself surreptitiously on non-jail-broken iOS devices, taking advantage (at the time the Kaspersky report was written) of three zero-day vulnerabilities in iOS. The security software maker indicates that the vulnerabilities may well have come from the global grey market in tradeable security flaws.

"As for surveillance, let's be clear: We're talking total surveillance. Pegasus is modular malware. After scanning the target's device, it installs the necessary modules to read the user's messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. Basically, it can spy on every aspect of the target's life," warned Kaspersky.

Mansoor is currently in prison in the UAE, serving a ten-year sentence for writing social media posts critical of the government

The company's research indicates that it has been used by the authorities in the United Arab Emirates (UAE) to target activists. "Pegasus was discovered thanks to Ahmed Mansoor, a UAE human rights activist, who happened to be one of its targets," according to Kaspersky's research.

"It was a spear-phishing attack: He received several SMS messages that contained what he thought were malicious links, so he sent those messages to security experts from Citizen Lab, and they brought another cyber security firm, Lookout, to the investigation.

"Mansoor was right. If he had clicked, his iPhone would have been infected with malware — malware for iOS. For non-jailbroken iOS, to be precise. The malware was dubbed Pegasus, and Lookout researchers called it the most sophisticated attack they'd ever seen on any endpoint."

Mansoor, who in the past has also been targeted with spyware from Hacking Team and FinFisher, is currently in prison in the UAE, serving a ten-year sentence for writing social media posts critical of the government.

Basically, it can spy on every aspect of the target's life

Citizen Lab has backed up Amnesty's claims in a report published this week and adds that the Pegasus malware has also been sighted in Mexico and Panama.

In a statement, NSO Group denied that its technology could be used to target ordinary people and activists. It said: "NSO Group develops cyber technology to allows government agencies to identify and disrupt terrorist and criminal plots.

"Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.

"If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter."

Further reading

• Law

Court rules HMRC must end FinFisher spy software stonewalling

• 13 May 2014

• Privacy

Bahrain government accused of using FinFisher spyware to snoop on activists

• 08 Aug 2014

• Security

Patch Tuesday sees Microsoft issue fixes for 82 security flaws, including one exploited by FinFisher spyware

• 13 Sep 2017

• Security

Mozilla lashes out at FinFisher spyware provider

• 01 May 2013

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security
• whatsapp
• security
• Kaspersky
• NSO Group
• Pegasus
• Amnesty
• malware