wordpress blog stats
Connect with us

Hi, what are you looking for?

Amazon Web Services shuts down infrastructure linked to Pegasus vendor NSO Group

In two separate reports, Amnesty International and Citizen Lab confirm Amazon’s connection to NSO’s Pegasus malware and include the location of servers used by the Israeli company. 

Amazon Web Services (AWS) on Monday shut down infrastructure and accounts linked to Pegasus vendor NSO Group, Amazon said in a statement to Vice.

On Sunday, it emerged that several Indian activists, journalists, politicians, and their acquaintances may have had their communications targeted for interception by the government with the help of NSO’s Pegasus spyware, which is only sold to nation-states. These revelations are the outcome of a collaboration called Pegasus Project comprising more than 80 journalists from 17 media organisations in 10 countries coordinated by Forbidden Stories.

“We shut down the infrastructure referenced in this report that was confirmed to be supporting the reported hacking activity, in accordance with our terms of use,” an AWS Spokesperson told MediaNama.

Why this matters?  While India has long been suspected of being a Pegasus buyer, the scale and nature of surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns of organised crime dealings — for which surveillance is usually sanctioned. The targets include journalists and activists critical of the government, politicians from the opposition, and officials in the Election Commission and Supreme Court.

Read: Pegasus Spyware: All The Latest Facts On Who Was Targeted, The Modus Operandi, And More

Advertisement. Scroll to continue reading.

What is Amazon’s role here?

Amnesty International: Amnesty International’s Security Lab, which provided technical support to the Pegasus Project, published a forensic investigation on Sunday that revealed NSO’s Pegasus malware sent information from an infected iPhone “to a service fronted by Amazon CloudFront.” Amnesty also found that the same CloudFront domain was contacted to execute, download and launch additional malicious components onto an iPhone.

According to Amazon’s website, “CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally.”

After NSO’s Version 3 infrastructure was abruptly shut down in August 2018 following Amnesty’s report that one of its staff members was targeted with Pegasus, NSO began rolling out its Version 4 infrastructure in September 2018. But the Version 4 infrastructure began going offline in early 2021 following the Citizen Lab’s report which disclosed multiple domains, Amnesty stated. “The shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks. The use of cloud services protects NSO Group from some Internet scanning techniques,” Amnesty said.

The report also stated that the servers used by NSO were mostly located in European data centers run by American hosting companies like:

  • Digital Ocean (142 servers)
  • Linode (114 servers)
  • Amazon Web Services (73 servers)

Citizen Lab: University of Toronto’s Citizen Lab, which conducted a peer review of Amnesty’s findings, reported that “Amnesty’s described methodology for linking the activity they observed involving Amazon CloudFront servers to the NSO Pegasus killchain is sound.” The lab also “independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”

Vice: Amazon’s connection to NSO is not new. In May 2020, when Vice “uncovered evidence that NSO used Amazon infrastructure to deliver malware, Amazon did not respond to a request for comment asking if NSO had violated Amazon’s terms of service,” Vice stated.

Meanwhile, NSO has maintained that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” The group also refused to identify its customers “due to contractual and national security considerations.”

Updated (20 July, 2:20 PM): Added comments from AWS Spokesperson to MediaNama, removed comment given to Vice.

Advertisement. Scroll to continue reading.

More reading on Pegasus

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....


By Anand Venkatanarayanan                         There has been enough commentary about the Indian IT...


By Rahul Rai and Shruti Aji Murali The Indian antitrust regulator, the Competition Commission of India (CCI) has a little more than a decade...


By Stella Joseph, Prakhil Mishra, and Surabhi Prabhudesai The recent difference of opinions between the Government and Twitter brings to fore the increasing scrutiny...


This article is being posted here courtesy of The Wire, where it was originally published on June 17.  By Saksham Singh The St Petersburg paradox,...

You May Also Like


In the wake of the Pegasus exposé, the Indian Parliament has witnessed chaotic proceedings with an increasing number of MPs demanding a judicial probe...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ