July 20, 2021, updated 22 Jul 2021 3:35pm

Amazon actually does something against Pegasus spyware

By Eric Johansson

Amazon has shut down cloud services for Pegasus spyware developer NSO Group following accusations that its tech has been used to surveil journalists and human rights activists. Israeli lawmakers have now compared NSO’s operations to selling weapons “to non-democratic countries”. The NSO Group has previously been linked to a hack into Amazon founder Jeff Bezos’ phone in 2018.

NSO Group is the developer of military-grade malware designed to spy on and track terrorists and criminals.

However, sweeping reports published by 17 news organisations and activist groups on Monday said the company’s tools had been used to hack into 37 smartphones belonging to journalists, human rights activists, business executives and individuals close to murdered Saudi journalist Jamal Khashoggi.

On Sunday, Amnesty International published a forensic investigation that named Amazon Web Services (AWS) as one cloud provider servicing the Pegasus developer. The other three were Linode, OVHcloud and Digital Ocean.

AWS unplugged its services to the Israel-based surveillance firm after the widespread reports hit the wires on Monday, Vice reports.

“When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts,” an AWS spokesperson told Vice.

Verdict reached out to Linode, Digital Ocean and OVHcloud, asking if they will follow Amazon’s Pegasus ban with blocks of their own. Digital Ocean and Linode replied, but did not commit to following in Amazon’s footsteps.

“We are not aware of any of the activities described in the Amnesty International link, nor were we able to validate any of the claims,” Mike Maaney, corporate communications executive at Linode, tells Verdict. “For example, the IP addresses listed in the report no longer resolve to the domains listed. However, we ask anyone with information regarding the use of our services for malicious purposes to immediately file an abuse complaint so we can investigate and take all necessary action.”

Digital Ocean gave a similar answer:

“Our security team takes an aggressive and proactive approach toward stopping illegal activity on our platform, including malware. If we find or are notified of any illegal activity or misuse of our platform, we take action to stop the activity in question.”

OVHcloud didn’t return requests for comment prior to the publication of this story.

The news and human rights organisations stated that the phone numbers of the 37 compromised devices appeared on a list of 50,000 numbers. The numbers were located in countries known to surveil their citizens. It is unclear who put the numbers on the list.

The news and human rights organisations managed to identify 1,000 numbers. Of those, several belonged to Arab royal family members, over 600 to politicians and government officials, 65 to business executives, 85 to human rights activists and 189 to journalists. The numbers of several heads of state and prime ministers also appeared on the list. It is unclear how many devices linked to numbers on the list were hacked.

In a response to the Guardian, the Pegasus developer has denied any wrongdoing, saying that the “false claims” are based on “uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.”

“NSO Group has good reason to believe that claims that you have been provided with are based on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products,” the company continued.

“Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide. It is also beyond dispute that the data has many legitimate and entirely proper uses having nothing to do with surveillance or with NSO, so there can be no factual basis to suggest that a use of the data somehow equates to surveillance.”

Nevertheless, the reports have resulted in a public debate in NSO Group’s home country.

Israel’s Defence Ministry has issued a statement saying it only approves of cyber products being exported to government entities who exclusively use them lawfully and “for the purpose of preventing and investigating crime and counter terrorism,” according to Reuters.

The ministry added that any violation of these rules can expect to face “appropriate measures”.

Health minister Nitzan Horowitz, head of the liberal Meretz party, said he’d speak with the defence minister about NSO and its exports.

Mossi Raz, a lawmaker and member of the Meretz party, demanded during a party meeting that Israel halt NSO Group’s exports, suggesting it was akin to peddling weaponry, “which is forbidden to non-democratic countries.”

This is not the first time Pegasus has been linked to high-profile breaches. In fact, Jeff Bezos himself fell victim to a digital assault linked to NSO Group in 2018.

Three years ago it was revealed that a video sent via a WhatsApp account allegedly belonging to the Crown Prince of Saudi Arabia had been used to install spyware into the then-Amazon CEO’s phone.

Reports quickly linked the hack to NSO Group, noting the similarities in the hack and how the NSO Group tool worked. While a report by FTI Consulting concluded that the Pegasus developer had the ability to break into phones in a similar way, it fell short of naming the Israeli firm as the developer behind the tools used to gain access to Bezos’ phone. NSO Group has denied any wrongdoing in that hack too.

Amazon didn’t return requests to comment on any links to the 2018 hack and the new AWS block of the Pegasus developer.

The news comes as the global cybersecurity industry is expected to be worth nearly $238bn by 2030, having grown at a compound annual growth rate of 6.4% between 2019 and 2030, according to a recent thematic research report from GlobalData.
