Amnesty International spearphished with government spyware

Amnesty International has been spearphished by a WhatsApp message bearing links to what the organization believes to be malicious, powerful spyware: specifically, Pegasus, which has been called History’s Most Sophisticated Tracker Program.

On Wednesday, the human rights-focused NGO said in a post that a staffer received the link to the malware in June. It was baited with a message written in Arabic that implored the group to cover a protest for “your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington.”

My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this [link]

Cover the protest now it will start in less than an hour

We need your support please

Pegasus is a tool sold by NSO Group, an Israeli company that sells off-the-shelf spyware. It enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus at one point even worked on non-jailbroken iOS devices. In 2016, Citizen Lab and Lookout discovered that the spyware was exploiting three critical iOS zero-day vulnerabilities to slip past Apple’s device security and install itself. Apple quickly fixed the vulnerabilities when alerted to them, according to Lookout.

This isn’t the first time that a group or individual who isn’t supposed to be a target of Pegasus has alleged they have been. NSO Group’s response to incidents like this has been consistent on each occasion: the company points to the fact that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.

NSO Group issued the following statement on Wednesday, after Amnesty International contacted it with its findings:

NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company. If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigating of the matter.

Once software blinks into existence, keeping it out of the hands of the wrong people can be very difficult. Pegasus is a case in point: last month, one of NSO Group’s own employees allegedly stole the valuable software and hid it under his bed. Then, he allegedly tried to sell it for the bargain-basement price of USD $50 million. (According to the indictment (PDF), the tool is estimated to be worth “hundreds of millions of [US] dollars.”)

Last year, Pegasus was also reportedly used to target Mexico’s “most prominent human rights lawyers, journalists and anti-corruption activists, in spite of an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans,” as the New York Times reported.

According to Amnesty International, Pegasus has also been used in the United Arab Emirates, where the government targeted prominent human rights activist and political dissident Ahmed Mansoor. In June, Mansoor was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) on charges including “insulting the UAE and its symbols.”

The Amnesty International staffer didn’t need to click on the malicious link to ascertain that it was a spearphishing attack. The group says it figured it out because the message looks to have come from a commercial provider that offers, among other services, a virtual phone number management system that allows customers to automatically send bulk SMS messages.

Such a feature is normally used for promotional campaigns or other automated messaging, but Amnesty believes that the attackers might be using the service to automate the sending of malicious SMS and WhatsApp messages containing links to the malware.

Amnesty said the link in the message was clearly rigged: it pointed to a domain that it claims belongs to a large network infrastructure connected to NSO Group.

Amnesty says it knows all this about Pegasus thanks to Mansoor, the now-jailed UAE human rights defender, who was himself targeted with Pegasus. Mansoor shared the phishing message that contained Pegasus with Citizen Lab: a Canadian research group from the University of Toronto that went on to publish numerous reports on the spyware in 2016 and 2017.

In its analysis of the messages, Amnesty claims to have found connections with a network of over 600 suspicious domain names. Not only are these domain names suspicious, Amnesty said; they also overlap with infrastructure previously identified as part of Pegasus.

Amnesty said that those 600 domains “represent potential threats to human rights defenders and civil society actors in countless other countries around the world.”

“Defending human rights is not a crime,” Amnesty said, yet tools meant to catch terrorists are being used against those who fight to defend human rights. What’s more, the attackers are baiting their snares with Amnesty’s interest in fighting for those human rights:

The unchecked use of surveillance technologies such as those produced by NSO Group can have a serious silencing effect on civil society. Someone doesn’t even need to actually be spied on to feel the repressive reach of the surveillance industry – especially when our interest in human rights is knowingly and purposefully used as bait.

When in doubt, don’t click, whether it’s a link in an email, WhatsApp, or other text messages. Be like that targeted Amnesty International staffer: put unexpected messages, and whatever links they try to lure you into clicking, under a microscope.

Take note that the attackers in this case have also used shortened URLs. That’s a method used by malware distributors and phishers to conceal the true destinations of their links. You can’t tell whether a shortened link is evil or not just by looking at it, but in the case of Bitly you can add a “+” to the end of a Bitlink in your browser’s address bar to get a preview of where it wants to take you.

Remember though, criminals often add phishing pages to legitimate websites they’ve hacked, so while an unusual or untrustworthy domain is probably a bad sign, a trustworthy domain isn’t necessarily a good one!
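As an added example that is not part of the original article: a small Python helper that expands a shortened link by walking its redirect chain with HEAD requests, so the landing URL can be read without a browser ever loading the page. The hostnames in the hop table inside `demo()` are constructed for the offline demonstration, not real short links; `head_via_http` is the version that actually talks to the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at each redirect instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_via_http(url, timeout=10):
    """HEAD one URL over the network; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")

def expand_short_link(url, head=head_via_http, max_hops=10):
    """Walk the redirect chain hop by hop without fetching or rendering any page body.
    Returns the chain, the final URL and 'truncated' (True on a loop or hop-cap hit)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": chain[-1], "truncated": False}
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:                      # redirect loop: stop, do not spin
            return {"chain": chain, "final": nxt, "truncated": True}
        seen.add(nxt)
        chain.append(nxt)
    return {"chain": chain, "final": chain[-1], "truncated": True}

def final_host(url):
    """Hostname of the landing URL; a familiar name here is not proof the page is safe."""
    return (urlsplit(url).hostname or "").lower()

# Constructed hop table so the example runs offline; these are not real short links.
FAKE_HOPS = {
    "https://short.example/abc": (301, "https://redirector.example/go"),
    "https://redirector.example/go": (302, "/landing/page"),
    "https://redirector.example/landing/page": (200, None),
}

def demo():
    """Expand the constructed short link via the table above instead of the network."""
    return expand_short_link("https://short.example/abc",
                             head=lambda u: FAKE_HOPS.get(u, (404, None)))
```

The chain it returns is what you inspect: a hop through an unfamiliar domain is a warning sign, while a familiar final host still tells you nothing about the path it lands on.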