Amazon Shuts Down Some Infra and Accounts Linked to NSO Group

This is the first time that Amazon has addressed the use of its technology by NSO.

New Delhi: Amazon Web Services, which offers paid cloud computing services, has shut down infrastructure and accounts that were linked to the Israeli spyware firm, NSO Group.

Amazon’s actions came as a result of forensic analysis conducted by Amnesty International’s Security Lab, which informed the company of its findings in May 2021.

Amnesty, which conducted digital forensics on over 60 of the numbers on the list, and Citizen Lab, which peer reviewed Amnesty’s discoveries, have both said that the NSO Group made use of the Amazon CloudFront service in conducting snooping activities.

“When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts,” a spokesperson of Amazon Web Services told VICE’s tech portal ‘Motherboard’ in an email.

This is the first time that Amazon has addressed the use of its technology by NSO. It had earlier reportedly turned down VICE’s request for comment when, in 2020, the portal had first reported on the connections between Pegasus and Amazon.

This week, 17 media outlets across the world, including The Wire, published reports on their joint investigations into a database of phone numbers that are of apparent interest to clients of the NSO Group, some of which had been subjected to attempted and successful surveillance. The NSO Group has claimed that its clients are only “vetted governments”.

As Amnesty says, and as VICE has highlighted, a phone belonging to a French rights lawyer that was infected with the Pegasus spyware sent information on the device “to a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months.”

The spyware is, at present, being delivered via “zero-click exploits” through the iMessage app on phones running Apple’s iOS software. This technology was used to hack election strategist Prashant Kishor, as The Wire has reported.

The use of CloudFront, VICE says, “protects NSO somewhat from researchers or other third parties trying to unearth the company’s infrastructure.”

Amnesty’s report concurs with the above, noting that the use of cloud services protects NSO from some scanning technology. It further says that the move to CloudFront may have been necessitated by a Citizen Lab report which outed Pegasus domains on its earlier V4 DNS server.

“The V4 DNS server infrastructure began going offline in early 2021 following the Citizen Lab iPwn report which disclosed multiple Pegasus V4 domains.

“Amnesty International suspects the shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks. The use of cloud services protects NSO Group from some Internet scanning techniques.”

Amnesty has found that Amazon hosts up to 73 servers on its network.

“Most identified servers are assigned to the US-owned hosting companies Digital Ocean, Linode and Amazon Web Services,” Amnesty’s report says, noting that it appears that NSO Group is primarily using the European data-centres run by American hosting companies to run much of the attack infrastructure for its customers.

Amnesty notes that when it reported to Amazon a distinctive pattern of spyware attacks made in 2020 and 2021, the latter informed it that they “acted quickly to shut down the implicated infrastructure and accounts”.

In the aftermath of the news breaking, NSO has claimed that it “does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers.”
