Amnesty International announced last week that one of its staff members was at the receiving end of a malicious "surveillance campaign" which, it believed, was orchestrated by hackers sponsored by a government hostile to its work. However, the organisation stopped short of naming any country.
Hackers behind the campaign sent a message to an Amnesty International staffer via WhatsApp in June, asking the organisation to participate in an alleged protest outside the Saudi embassy in Washington, DC.
The message contained a link which, after being investigated by the organisation's technology team, was found to contain Pegasus, a sophisticated surveillance tool. Had the staffer clicked on the link, his device would have been infiltrated by Pegasus, allowing hackers to carry out covert surveillance over the device.
Pegasus is a well-known surveillance tool developed by the Israel-based NSO Group and has been sold by the firm to various governments in the past to enable the latter to carry out covert surveillance on targeted individuals such as journalists, human rights activists, private citizens and dissidents.
Based on the fact that NSO Group only sells its spyware to governments, Amnesty International concluded that the phishing attack via WhatsApp was sponsored by a government hostile to the organisation's activities.
"The potent state hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance. A smartphone infected with Pegasus is essentially controlled by the attacker – it can relay phone calls, photos, messages and more, directly to the operator. This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology," it said.
The WhatsApp message was timed carefully to coincide with an ongoing campaign that was initiated to demand the release of six women's rights activists detained by Saudi Arabia. This fact, along with the wording of the malicious message, made it sound totally legit.
"Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington. My brother was detained in Ramadan and I am on a scholarship here so please do not link me to this. [REDACTED LINK]. Cover the protest now it will start in less than an hour. We need your support please," the message read. Not only did it sound legit, but it also created a sense of urgency to lure the recipient into clicking on the link.
According to Amnesty International, the same message was also sent to another Saudi Arabia rights activist, suggesting that the campaign was launched to target those who were participating in or were likely to join the protest against Saudi Arabia's detention of six women's rights activists.
Amnesty International added that upon further investigation, it observed that the domain link sent by hackers "belongs to a large infrastructure of more than 600 suspicious websites which had been previously connected to NSO Group" and that these websites could be used to target activists in countries including Kenya, Democratic Republic of Congo and Hungary.
Responding to Amnesty International's allegation, NSO Group said in a written response that its technologies are intended to be used "exclusively for the investigation and prevention of crime and terrorism".
"If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating the matter," the firm said.
Commenting on the use of Pegasus by nation-state hackers to spy on Amnesty International's activities, Joseph Carson, chief security scientist at Thycotic, told SC Magazine UK that the revelation should be a warning that cyber-security tools developed for nation-state or law enforcement purposes can easily make their way into illegal practices.
"We have to accept that cyber-criminals steal cyber-weapons and eventually they are used against companies and citizens for financial fraud, IP theft, political advantage, disruption and espionage. A single click on an SMS message can turn your mobile device into an electronic spy in your pocket not only stealing your information but anyone you interact with. This could be very concerning as you have no way of knowing if you are a victim or the person you interact with is.
"These cyber-weapons have changed the way espionage works and no longer do you need to send spies to other countries and have them adapt to the community, all you need is a victim and their mobile phone turning them into unsuspecting spies in minutes not years. Amnesty International of course will be a target from nation-states who are opposed to human rights and those countries will do anything for intelligence on any of their citizens who support Amnesty International," he added.