Did Israeli-made spyware try to hack a human rights group through WhatsApp?
On Wednesday, Amnesty International reported an encounter with a spyware campaign that appears to be targeting activists from Saudi Arabia using malicious messages over the popular chat app.
The culprit behind the attack? According to Amnesty International, the campaign bears the hallmarks of an Israeli surveillance vendor called NSO Group that’s been selling its controversial technology to governments across the world.
The hacking attempt occurred in June when an Amnesty International staffer received a WhatsApp message about how the sender’s brother was detained in Saudi Arabia. The same message carried a malicious link to a dummy Arabic news site domain.
The staffer wasn’t the only one to encounter the spyware campaign. A Saudi activist based abroad also received WhatsApp messages from an unknown sender loaded with similar links. One message even contained text that was pulled verbatim from an Amnesty International press release, probably in an attempt to trick the activist into opening the link.
The human rights group decided to investigate who might’ve sent the WhatsApp messages by analyzing the domains used in the malicious links. To do this, the group probed the internet-facing servers behind the domains, which revealed they shared traits with “anonymizing” web traffic technology from NSO Group.
“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior,” Amnesty International said, noting that a number of the domains try to impersonate news websites.
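The report only describes the approach in outline: take the domains from the malicious links as seeds, probe the servers behind them, and look for other servers that respond the same way. The script below is an added illustration of that general clustering idea, not Amnesty International’s or Citizen Lab’s actual technique or fingerprint. Every server record, domain name, header value and news-keyword list in it is constructed for the example, and the fields chosen for the fingerprint (status code, server header, redirect target, certificate issuer) are assumptions about what a probe might record.

```python
"""Group probed servers by shared response traits, starting from seed domains.

Added example, not code from the report. All observations below are constructed;
the domains are hypothetical and the fingerprint fields are an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One observation of an internet-facing server (constructed data)."""
    domain: str
    status: int          # HTTP status returned for a generic probe path
    server_header: str   # value of the Server response header
    redirect_to: str     # Location header if the probe was redirected, else ""
    tls_issuer: str      # issuer of the certificate presented on port 443


# Constructed observations: three servers share one behaviour, two do not.
OBSERVATIONS = [
    Probe("akhbar-alyawm.example", 302, "nginx", "https://www.example.com/", "Let's Encrypt"),
    Probe("news-alarab.example", 302, "nginx", "https://www.example.com/", "Let's Encrypt"),
    Probe("alwatan-daily.example", 302, "nginx", "https://www.example.com/", "Let's Encrypt"),
    Probe("legit-blog.example", 200, "Apache", "", "DigiCert Inc"),
    Probe("shop-front.example", 302, "nginx", "https://www.example.com/", "DigiCert Inc"),
]

# Constructed keyword list used to flag domains that pose as news outlets.
NEWS_KEYWORDS = ("news", "akhbar", "daily", "times")


def fingerprint(p: Probe) -> tuple:
    """Reduce a probe to the traits we compare across servers."""
    return (p.status, p.server_header.lower(), p.redirect_to, p.tls_issuer)


def cluster(probes):
    """Map each fingerprint to the list of domains that exhibit it."""
    groups = defaultdict(list)
    for p in probes:
        groups[fingerprint(p)].append(p.domain)
    return dict(groups)


def looks_like_news(domain: str) -> bool:
    """True if the leftmost label contains a news-style keyword."""
    label = domain.split(".")[0].lower()
    return any(k in label for k in NEWS_KEYWORDS)


def related_to_seeds(probes, seed_domains, min_size=2):
    """Return clusters that contain at least one seed domain and at least min_size members.

    This mirrors the reported workflow: start from the domains seen in the
    malicious messages, then find every other server that behaves the same way.
    """
    groups = cluster(probes)
    seed_fps = {fingerprint(p) for p in probes if p.domain in seed_domains}
    return {fp: doms for fp, doms in groups.items()
            if fp in seed_fps and len(doms) >= min_size}


if __name__ == "__main__":
    seeds = {"akhbar-alyawm.example"}
    for fp, domains in related_to_seeds(OBSERVATIONS, seeds).items():
        print("fingerprint:", fp)
        for d in domains:
            print(f"  {d}  news-lookalike={looks_like_news(d)}")
```

On the constructed data the single seed pulls in two further domains with identical behaviour, while the shop server is excluded because its certificate issuer differs. A real investigation would record many more traits and treat any single match as weak evidence; the point of the example is the seed-then-cluster structure, not the specific fields.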
The group’s findings were corroborated by Citizen Lab, a research group at the University of Toronto that’s been studying state-sponsored surveillance technologies. In 2016, Citizen Lab published research linking iPhone spyware to NSO Group’s internet infrastructure.
In this instance, no sample of the spyware was obtained. The attackers behind the campaign probably configured their servers to deliver the malicious code only under very specific conditions, such as within a certain time frame or to devices located in a particular country. This was probably done to prevent security researchers from uncovering the spyware, Amnesty International said.
“If the targets had clicked the links, their phones would likely have been infected with NSO Group’s Pegasus spyware,” Citizen Lab added. Once installed, the spyware has the ability to secretly record your phone calls, take photos, log messages from chat apps, and track your handset’s location.
NSO Group couldn’t be reached for comment. But the Israeli vendor sent a statement to Amnesty International that neither denied nor confirmed the hacking attempt.
“Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism,” the company said. “Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.” The vendor has told Amnesty International it plans to investigate the matter.