Amnesty International staff targeted with malicious spyware

An Amnesty International staff member has been targeted by a sophisticated surveillance campaign, in what the organization suspects was a deliberate attempt to spy on its staff by a government hostile to its work.

In early June 2018, an Amnesty International staff member received a suspicious WhatsApp message in Arabic. The text contained details about an alleged protest outside the Saudi embassy in Washington D.C., followed by a link to a website. Investigations by Amnesty International’s technology team revealed that clicking the link would have, according to prior knowledge, installed “Pegasus”, a sophisticated surveillance tool developed by the Israel-based company NSO Group.

“NSO Group is known to only sell its spyware to governments. We therefore believe that this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work,” said Joshua Franco, Amnesty International’s Head of Technology and Human Rights.

“The potent state hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance. A smartphone infected with Pegasus is essentially controlled by the attacker – it can relay phone calls, photos, messages and more directly to the operator. This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology.”

In a statement to Amnesty International, NSO Group said that their product “is intended to be used exclusively for the investigation and prevention of crime and terrorism” and that any other use violate their policies and contracts.

Saudi alleged protest used as bait

The WhatsApp message was sent to Amnesty International in a week when the organization was campaigning for the release of six women’s rights activists detained in Saudi Arabia.

The message, carefully analyzed by Amnesty International’s technology experts, read: “Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington. My brother was detained in Ramadan and I am on a scholarship here so please do not link me to this. [LINK]. Cover the protest now it will start in less than an hour. We need your support please.”

The link, if clicked, would have allowed the Pegasus software to infect the user’s smartphone, tracking keystrokes, taking control of the phone’s cameras and microphone and accessing contact lists.

Amnesty International’s investigation also discovered that another Saudi Arabia rights activist received a similar malicious message.

Connection to NSO Group and suspicious websites

Further investigations by Amnesty International revealed that the domain link in the message belongs to a large infrastructure of more than 600 suspicious websites which had been previously connected to NSO Group. Amnesty International is concerned that these could be used to bait and spy on activists in countries including Kenya, Democratic Republic of Congo and Hungary, in addition to the Gulf.

Last year Toronto-based research group Citizen Lab uncovered NSO Group’s involvement in a similar spyware scheme in Mexico. Activists, journalists and opposition party leaders were targeted by false messages containing Pegasus software in an attempt to silence government opposition. Pegasus was also used to target the Emirati award-winning human rights defender Ahmed Mansoor, who has been in prison in the United Arab Emirates since March 2017.

“The message sent to us seems to be part of a much broader surveillance campaign, which we suspect is being used to spy on human rights activists worldwide and prevent their vital work,” said Joshua Franco.

“Defending human rights is not a crime, and we refuse to be intimidated by this attack. Attempts to spy on us will never prevent Amnesty International from speaking up for truth, justice and equality. We are working with human rights activists to help them protect themselves against similar cowardly attacks, and ensure that abusive governments cannot use technology to silence them.”

Background

While law enforcement agencies in many countries have used secret surveillance in relation to national security objectives, Amnesty International is concerned that in many cases surveillance is being carried out in a manner contrary to international human rights law. Tools like Pegasus are especially problematic from a human rights law perspective as they are so deeply invasive.

As laid out in the UN Guiding Principles on Business and Human Rights (UNGPs), companies also have a responsibility to respect human rights wherever they operate in the world.

NSO Group response

In a written response, NSO Group said: “NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.

If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter.”