By Danna Ingleton, Research and Policy Advisor at Amnesty International
Last month one of my colleagues at Amnesty International received a suspicious WhatsApp message. It came from a number they didn’t recognize, and contained details about a protest supposedly taking place at the Saudi embassy in Washington DC.
At the time, Amnesty International was vocally campaigning for the release of six activists who had been locked up in Saudi Arabia, days before the Kingdom’s ban on women drivers was due to be lifted.
Clicking the link would have installed highly potent spyware – the Saudi protest was just carefully chosen bait.
We knew it was a sensitive time, so my colleague decided not to follow the link. This turned out to be a wise decision. When Amnesty’s tech team analyzed the message, we found that clicking the link would have installed highly potent spyware – the Saudi protest was just carefully chosen bait.
A closer look revealed that the domain name in the link belonged to a large infrastructure of more than 600 suspicious websites which had been previously connected to one secretive company: NSO Group.
NSO Group, which is based in Israel, manufactures surveillance tools and sells them exclusively to governments. In a statement to Amnesty International*, NSO said that its technology “allows government agencies to identify and disrupt terrorist and criminal plots”. But over the past few years, digital rights groups including Citizen Lab and Access Now have traced a number of malicious state-backed attacks on human rights activists back to NSO’s tools.
For example, last year Citizen Lab uncovered NSO’s involvement in a spyware scheme in Mexico. Mexican journalists, opposition party leaders, and activists working on corruption and human rights were targeted with spyware, in a clear attempt to silence government opposition (remember NSO only sells to governments). Some of the messages were designed to look like they contained information about missing children.
The Mexico attacks used an incredibly sophisticated tool called Pegasus, which effectively commandeers a smartphone. Citizen Lab describes a Pegasus-infected phone as “a digital spy in the pocket of a victim” – it can relay everything from camera activity to keystrokes back to the person who organized the attack.
In 2016, Citizen Lab revealed that Pegasus was used by the United Arab Emirates (UAE) authorities to target Ahmed Mansoor, an award-winning human rights activist. Mansoor forwarded the suspicious messages he received to Citizen Lab, and subsequent media attention prompted Apple to issue a security update to the iPhone. Mansoor’s quick thinking likely saved many others from state-backed surveillance, but in March 2017 he was arrested by UAE authorities and has been in prison ever since. The recent attempt on Amnesty International also had all the characteristics of Pegasus.
This attempt shows just how great a risk “cyber warfare” (NSO’s own term) poses to activists the world over. The 600 suspicious websites that we found potentially represent 600 ways of baiting activists to click on links.
If the world’s largest human rights organization, which is supported by millions of people and has technology experts among its staff, can be targeted, it’s easy to see how exposed activists who work alone or in secret could be. Because this is all so shrouded in secrecy – NSO doesn’t even have a website – it’s difficult to know how to protect yourself against this type of attack.
Relying on export control laws and contractual clauses is not effective if a government’s own laws are problematic from a human rights perspective
In response to Citizen Lab’s research linking it to surveillance of Ahmed Mansoor, NSO attempted to distance itself from how its products are used once money has changed hands. It emphasized that it complies with “strict export control laws and regulations”, that customers are contractually required to use its products “in a lawful manner” and that the “company has no knowledge of and cannot confirm the specific cases mentioned in [the] inquiry”.
But relying on export control laws and contractual clauses is clearly not effective if a government’s own laws are problematic from a human rights perspective. NSO is essentially leaving it up to governments to use politically motivated definitions of “crime” and “terrorism” when they decide who to target.
Amnesty International is working with other activists to educate them about what to look out for, and how they can protect themselves against cyber-attacks like the one that targeted our staff. We owe it to people like Ahmed Mansoor to stand up to irresponsible vendors like NSO, and ensure that they are held accountable for making oppressors’ lives easier.
*NSO’s full statement:
NSO Group develops cyber technology to allows government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.
If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter.