NSO Group's Spyware Operations Caught Again

- Amnesty International has published a report detailing attempted hacks against two Serbian journalists using NSO Group's spyware Pegasus.
- The hacks were carried out using phishing attacks, with the journalists receiving suspicious text messages including a link.
- NSO Group's customers are losing their battle to stay in the shadows, with security researchers able to spot signs of the company's spyware.
- There is hard evidence proving that NSO Group's spyware has been used to target at least 130 people around the world.
- The Pegasus Project, a collective journalistic initiative, has investigated abuse of NSO Group's spyware based on a leaked list of phone numbers.

NSO Group's Spyware Problem

On Thursday, Amnesty International published a new report detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group's spyware Pegasus. The two journalists, who work for the Serbia-based Balkan Investigative Reporting Network (BIRN), received suspicious text messages including a link, basically a phishing attack, according to the nonprofit.
In one case, Amnesty said its researchers were able to click on the link in a safe environment and see that it led to a domain that they had previously identified as belonging to NSO Group's infrastructure. This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.
Security researchers like Donncha Ó Cearbhaill, the head of Amnesty's Security Lab, who have been keeping tabs on NSO's activities for years, are now so good at spotting signs of the company's spyware that sometimes all they have to do is take a quick look at a domain involved in an attack.
NSO Group and its customers are losing their battle to stay in the shadows. John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, told TechCrunch that NSO has a basic problem: they are not as good at hiding as their customers think.
There is hard evidence proving what Ó Cearbhaill and Scott-Railton believe. In 2016, Citizen Lab published the first technical report ever documenting an attack carried out with Pegasus, which was against a United Arab Emirates dissident. Since then, in less than 10 years, researchers have identified at least 130 people all over the world targeted or hacked with NSO Group's spyware.
The sheer number of victims and targets can in part be explained by the Pegasus Project, a collective journalistic initiative to investigate abuse of NSO Group's spyware. The project was based on a leaked list of more than 50,000 phone numbers that was allegedly entered into an NSO Group targeting system.
But Amnesty, Citizen Lab, and Access Now, another nonprofit that helps protect civil society from spyware attacks, have also identified dozens of victims without relying on that leaked list of phone numbers.