Amnesty International says one of its staff was the target of an effort to spy on them with sophisticated Israeli-made malware that turns a person’s mobile phone into a powerful surveillance device.
In June, a staffer at the human rights group received a WhatsApp message purporting to be about a protest in support of political prisoners held by Saudi Arabia.
According to Amnesty International’s analysis, the message contained a link to a fake news website that if clicked would have installed sophisticated malware that would turn the user’s mobile phone into a spying device.
The malware, called Pegasus, is made by the Israeli cyber warfare company NSO Group and is only sold to governments.
Once infected by the malware, a smartphone can send a frightening amount of data back to those doing the spying, including tracking the person’s movements and location. The malware can take screenshots and turn on the phone’s camera and microphone, retrieve emails, WhatsApp messages and passwords.
“The message was clearly an attempt to trick our colleague into clicking on the link,” Amnesty states.
It adds that the domain name in that link belongs to “a large network infrastructure that has been previously documented to be connected to the Israeli surveillance vendor, NSO Group.”
Amnesty has identified one other human rights defender from Saudi Arabia who received similar messages.
Those messages also appeared to be sharing information about human rights issues in Saudi Arabia, but Amnesty believes they contained harmful links to the NSO Group network.
In a response to Amnesty, the Israeli company that makes Pegasus stated: “NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism.”
Yet as investigations by the University of Toronto’s Citizen Lab have revealed, the same Israeli spyware has been used in attempts to target journalists, human rights defenders and others in Panama, Mexico and the United Arab Emirates.
According to Citizen Lab, at least 175 individuals “may have been inappropriately targeted with NSO Group’s spyware in violation of their internationally recognized human rights.”
One of them is award-winning human rights defender Ahmed Mansoor who was targeted with Pegasus in 2016 in an operation Citizen Lab says it “linked to the UAE government.”
In May, authorities in the United Arab Emirates sentenced Mansoor to 10 years in prison for social media postings.
“Ahmed is a prisoner of conscience who has been targeted, tried and sentenced for using Facebook and Twitter to share his thoughts,” Amnesty stated at the time. “He should never have been charged in the first place and now he must be released immediately.”
Amnesty says it has also identified about 600 websites with addresses that make them look like they provide news or information about human rights, but that are actually linked to the NSO Group’s infrastructure.
Amnesty has published several dozen of these domain names that it says pose “possible threats to civil society and human rights defenders.”
Some of these websites appear to target people in specific countries in Africa, Russian-speaking nations and Kazakhstan, among others.
Others appear to impersonate well-known news organizations, such as the newspaper Asharq Al-Awsat.
One fake domain is “sputnik-news[.]info,” likely intended to fool people into thinking it is the website of the Russian news network Sputnik.
That an Israeli spy firm is impersonating a Russian organization is notable given the current political furor over claims that Russia is engaged in extensive cyber sabotage aimed at the United States and other countries.
According to Amnesty, the fake WhatsApp message sent to its employee “was a digital attack on our staff member’s privacy rights and on our role as a human rights organization.”
“While secret surveillance may have legitimate uses by states in some contexts – this attack against us is not one,” Amnesty adds.
In light of the previous cases of the Israeli spyware being used in Mexico and the UAE, the latest instance “paints a disturbing picture of the ways in which NSO Group technologies are being abused globally.”
Amnesty does not state who it thinks was behind the attack.
However given that Pegasus is only sold to governments, and the Saudi government would be most interested in monitoring Saudi dissidents, it would have to be a prime suspect – just as the UAE government would be the prime suspect in the targeting of Ahmed Mansoor.