Amnesty International alleges Israeli spyware linked to Saudi Arabia

Amnesty International said one of its staff members was targeted by malicious WhatsApp messages with “Saudi Arabia-related bait content” that contained spyware “sold by the Israel surveillance vendor, NSO Group.” The report claims that two human rights activists in Saudi Arabia were targeted and that web domains linked to the spyware were registered during “Israeli working days and hours” which insinuates there is an Israeli connection.

The report released Wednesday coincided with a second report from Citizen Lab, an interdisciplinary lab that deals with information technology and human rights, which examined the suspicious messages and corroborated Amnesty’s findings.

“The SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

NSO Group “develops mobile device surveillance software. The software called Pegasus developed by the company can be used to record conversations and gain access to photos, text messages and websites viewed from a smartphone,” according to Bloomberg.

The company was founded in 2010 and is based in Herzliya, Israel. Calcalist reported that NSO’s co-founder has asserted the company only sells to “government bodies that are defined as legitimate.”

The malicious messages arrived in June and appeared to target human rights activists. The messages ostensibly provided information about a protest or court case that lured the potential victim to click on a link. One message even mimicked an Amnesty report title about Saudi Arabia’s lifting the ban on women driving.

Amnesty, which focuses on global human rights abuses, investigated the origin of the text messages and the sites they linked to. “These messages carried links to domains which we identified as part of that same network infrastructure used by NSO Group.

AMNESTY CLAIMS that human rights organization have documented cases where surveillance has been used contrary to international human rights law. In this case, the result of the attempted targeting is unclear. The organization says that in one case it was unable “to confirm whether this [message and link] was also carrying a link connected to known NSO Group’s infrastructure.”

In another case they attempted to open a link to “activate the infection” but the link went to a “legitimate Saudi Arabian news site.” This is because advanced spyware seeks to verify if the device it is connecting to is the intended recipient, Amnesty notes. This would prevent spyware, for instance, to spread uncontrolled, the way the Stuxnet malicious computer worm apparently did.

Citizen Lab claims that NSO’s software allows the operator to spy on the activity of the user of a device. For instance, it could turn on the device’s webcam and microphone, “to record calls and log messages in mobile chat apps and to track the device’s movements.” This would help a government track down a wanted terrorist, but it could also allow monitoring of dissidents.

Citizen Lab claims there is a growing list of “abusive misuse of NSO Group’s spyware.” This includes cases in Saudi Arabia, the UAE, Panama and Mexico. However, the report does not allege that the company is responsible, or that governments are responsible.

In July, Reuters reported that a “former employee of cyber surveillance company NSO Group has been charged with stealing intellectual property and trying to sell it for $50 million over the Darknet.” Israel’s Justice Ministry said that this could harm state security.

The Amnesty report goes to great lengths to show that the domain names associated with the spyware “were registered between Sundays and Thursdays, which matches the Israeli work week.” It also made a graph showing that the domains were registered mostly from 6 to 10 p.m. “in Tel Aviv’s time zone.” Some were also registered from 1 to 3 a.m. Almost none were registered on Saturday.

Israel, because it is a tech center known for innovation and with a reputation for sometimes cutting corners, has been at the center of some of these stories. As far back as 2003, Bloomberg reported that an Israeli technology had helped Saudi Arabia track down jihadists. Bloomberg also revealed in July of last year a second Israeli company that specialized “in the development of tailor-made innovative solutions for law enforcement, intelligence agencies and national security organizations.”

The murky stories join a series of recent cases of hacking between governments as part of international disputes in the region. Governments and others have also targeted dissidents and rivals. In June 2017, Qatar claimed its state news agency was hacked to spread positive stories about Iran and Israel. A fundraiser in the US alleged in May that Qatar coordinated with “ex-spies and influential Qataris” to hack his emails. Hackers also targeted the UAE ambassador.

This is the high stakes game of cybersecurity that now plays out globally.