In two separate reports, Amnesty International and Citizen Lab confirm Amazon’s connection to NSO’s Pegasus malware and include the location of servers used by the Israeli company.
Amazon Web Services (AWS) on Monday shut down infrastructure and accounts linked to Pegasus vendor NSO Group, Amazon said in a statement to Vice.
On Sunday, it emerged that several Indian activists, journalists, politicians, and their acquaintances may have had their communications targeted for interception by the government with the help of NSO’s Pegasus spyware, which is only sold to nation-states. These revelations are the outcome of a collaboration called the Pegasus Project, comprising more than 80 journalists from 17 media organisations in 10 countries and coordinated by Forbidden Stories.
Why does this matter? While India has long been suspected of being a Pegasus buyer, the scale and nature of the surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns or organised crime dealings, for which surveillance is usually sanctioned. The targets include journalists and activists critical of the government, politicians from the opposition, and officials in the Election Commission and Supreme Court.
What is Amazon’s role here?
Amnesty International: Amnesty International’s Security Lab, which provided technical support to the Pegasus Project, published a forensic investigation on Sunday that revealed NSO’s Pegasus malware sent information from an infected iPhone “to a service fronted by Amazon CloudFront.” Amnesty also found that the same CloudFront domain was contacted to execute, download and launch additional malicious components onto an iPhone.
According to Amazon’s website, “CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally.”
After NSO’s Version 3 infrastructure was abruptly shut down in August 2018 following Amnesty’s report that one of its staff members was targeted with Pegasus, NSO began rolling out its Version 4 infrastructure in September 2018. But the Version 4 infrastructure began going offline in early 2021 following the Citizen Lab’s report which disclosed multiple domains, Amnesty stated. “The shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks. The use of cloud services protects NSO Group from some Internet scanning techniques,” Amnesty said.
The report also stated that the servers used by NSO were mostly located in European data centers run by American hosting companies like:
- Digital Ocean (142 servers)
- Linode (114 servers)
- Amazon Web Services (73 servers)
Citizen Lab: University of Toronto’s Citizen Lab, which conducted a peer review of Amnesty’s findings, reported that “Amnesty’s described methodology for linking the activity they observed involving Amazon CloudFront servers to the NSO Pegasus killchain is sound.” The lab also “independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”
Vice: Amazon’s connection to NSO is not new. In May 2020, when Vice “uncovered evidence that NSO used Amazon infrastructure to deliver malware, Amazon did not respond to a request for comment asking if NSO had violated Amazon’s terms of service,” Vice stated.
Meanwhile, NSO has maintained that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” The group also refused to identify its customers “due to contractual and national security considerations.”
Updated (20 July, 2:20 PM): Added comments from AWS Spokesperson to MediaNama, removed comment given to Vice.