Human rights charity Amnesty International has found hackers attempted to infect one of their researcher's phones with malware from Israeli vendor NSO Group.


Malware from hacking firm NSO Group has been used to spy on Mexican journalists, political dissidents in the United Arab Emirates, and even political rivals of a former Panamanian president. Now, human rights charity Amnesty International says hackers used the Israel company’s tools to target one of its researchers earlier this year.

The news, corroborated by a second group of technologists, highlights what campaigners say is a clear abuse of a technology that has legitimate uses in terrorism and criminal cases but has been repeatedly deployed to track, spy, and harass researchers, journalists, and human rights activists. Amnesty’s research has also found potential signs of NSO in other previously unreported countries around the world.

“Amnesty speaks out for human rights and calls out governments abusing human rights—this attack fits a growing pattern of hostility towards organizations and individuals working on human rights,” Danna Ingleton, research and policy advisor at Amnesty, told Motherboard in an email.

NSO sells malware, dubbed “Pegasus,” for iPhone, Android, and other mobile devices to government law enforcement and intelligence agencies. By first using a series of exploits to surreptitiously gain a foothold on the phone, NSO’s capabilities can then turn on the device’s microphone, siphon emails, texts, and messages before they’re encrypted, as well as track the phone’s GPS location, according to documents previously released as part of a data breach of Italian surveillance company Hacking Team. NSO offers one-click solutions, where the target has to click on a link, or no-click versions, which require no target interaction.

In June, an Amnesty researcher received a WhatsApp message, which included a link purporting to be from an Arabic news website.

“Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington,” the message read, according to Amnesty’s report.

Amnesty was unable to grab the malware the links were designed to deliver, but the domains, as well as ones included in text messages sent to another human rights activist from Saudi Arabia in May, are part of infrastructure previously used by NSO, the report says. Amnesty shared the text messages with research group Citizen Lab, which has extensively tracked NSO as well as other malware companies.

“The links in the messages, it turned out, matched a big cluster of [NSO-linked] websites that I’d been tracking for the past year and a half,” Bill Marczak, senior researcher at Citizen Lab, told Motherboard in a phone call. In its own report, Citizen Lab said other messages similar to the second set identified by Amnesty have been sent to other people in the Gulf region. Through its scanning—based on a quirk in how the NSO websites operated—Amnesty identified approximately 600 domains potentially linked to NSO.

This sort of infrastructure—the websites and servers used to deploy the malware to victims—is set up on a per-customer basis, and is not shared among NSO customers more widely, Marczak said. Whereas with other malware companies, such as Hacking Team or FinFisher, it has been possible to pinpoint customer countries, in this case it was hard to identify who the specific user was. However, the sites in the text messages seem to have a focus on Saudi Arabia, Marczak added.

Amnesty’s Ingleton added “This story is about more than just the spread of surveillance technologies, it is also about the unabashed use of them by governments to silence human rights. It shows that there is a serious lack of accountability for these violations that must come to a stop. It’s the wild west."

Those 600 domains Amnesty identified include ones with “zm,” a possible reference to Zambia; a domain that references a specific part of the Congo; some that refer more generally to Africa; and others that appear to cater to Russian-speaking countries. One of those includes sputnik-news.info, a spoof of the website for Kremlin-linked news operation Sputnik. Other domains make reference to Kazakhstan, Latvia, and Hungary.

Omri Lavie, co-founder of NSO, did not respond to a request for comment.