Human rights stalwart Amnesty International says that it has been targeted in a nation-state led cyberespionage attack.

The group said that a staff member in June received a malicious WhatsApp message in Arabic, purporting to contain a link to information about an alleged protest outside the Saudi embassy in Washington D.C. The text read:

“Can you please cover [the protest] for your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington. My brother was detained in Ramadan and I am on a scholarship here so please do not link me to this. Cover the protest now it will start in less than an hour. We need your support please.”

Fortunately, the employee saw the message as suspicious and referred it to the nonprofit’s tech team. Further investigation revealed that the link would have led to infection by the mobile cyber-weapon known as Pegasus (attributed to Israel-based company NSO Group as an offering for state-level actors around the world, according to Amnesty International and various researchers, including Kaspersky Lab).

In its deeper research on the incident published today, Amnesty International was able to uncover that the domain link in the message belongs to a large infrastructure of more than 600 suspicious websites which it said had been previously connected to NSO Group – and that another Saudi Arabia rights activist received a similar malicious message.

“The message sent to us seems to be part of a much broader surveillance campaign, which we suspect is being used to spy on human rights activists worldwide [including Kenya, Democratic Republic of Congo and Hungary, in addition to the Gulf] and prevent their vital work,” said Joshua Franco, Amnesty International’s head of technology and human rights, in a media statement. He added, “NSO Group is known to only sell its spyware to governments. We therefore believe that this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work.”

Pegasus: Top-Tier Spyware

Pegasus contains a host of spy features, which can be used to infect the user’s smartphone, track keystrokes, take control of the phone’s camera and microphone, and access contact lists. It’s been on the international market for a while, and continues to morph: In 2016, Citizen Lab and Lookout found that Pegasus was being used to take control of Apple devices using three zero-day iOS vulnerabilities, collectively called Trident. This function (now patched) was then used to target the Emirati award-winning human rights defender Ahmed Mansoor, the firms found, who has been in prison in the United Arab Emirates since March 2017.

“As for surveillance, let’s be clear: We’re talking total surveillance,” Kaspersky Lab said in a 2017 overview of the spyware. “Pegasus is modular malware. After scanning the target’s device, it installs the necessary modules to read the user’s messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. Basically, it can spy on every aspect of the target’s life. It’s also noteworthy that Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption).”

Clearly, it was fortunate that the employee was on the alert. “Attackers are using chat tools frequently today,” Will LaSala, director of security solutions and security evangelist at OneSpan, told Threatpost. “If a user receives a chat message from an unknown sender, they should treat it the same way they have been taught with unknown email senders. Users want to be able to respond immediately to messages from these types of chat applications. It is in their nature to simply click on any message they receive.”

A Word About NSO Group

For its part, NSO Group has long been under scrutiny, suspected to be part of an ethically grey-scaled world of cyber-arms/defense-dealing that also includes companies like FinFisher, Hacking Team, Vupen and Zerodium. These businesses specialize in acquiring zero-day exploits – often for quite a bit of money. Then, they sell them off.

The outfits often offer vague company mission statements: Zerodium for instance bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.” In practice, it has been known to offer up to $1 million for certain kinds of fully functional exploits.

Like its rivals, NSO Group has maintained that it’s choosy about its buyers, and told Amnesty International that Pegasus “is intended to be used exclusively for the investigation and prevention of crime and terrorism.”

Chris Olson, CEO of The Media Trust, also pointed out an ancillary concern: Whatever ethical challenges exist in this cyber-arms market, sophisticated weapons can easily fall into the wrong hands – a concern that researchers have voiced ever since Stuxnet was deployed to take out Iran’s nuclear infrastructure in 2009-2010.

“Spyware like the NSO malware can be used to stealthily gather information from high-value targets, such as executives with strategic company information, government officials privy to national or international secrets, etc.,” he told Threatpost. “But malware designed for specific targets and uses, once leaked, can be redesigned for a more widespread attack, such as those that make use of the digital advertising supply chain to gain access to millions of users. The same link that was included in the SMS text could be applied to any compromised website that draws heavy traffic.”