Amazon Web Services shuts down infrastructure linked to Pegasus vendor NSO Group

In two separate reports, Amnesty International and Citizen Lab confirm Amazon’s connection to NSO’s Pegasus malware and include the location of servers used by the Israeli company. 

Amazon Web Services (AWS) on Monday shut down infrastructure and accounts linked to Pegasus vendor NSO Group, Amazon said in a statement to Vice.

On Sunday, it emerged that several Indian activists, journalists, politicians, and their acquaintances may have had their communications targeted for interception by the government with the help of NSO’s Pegasus spyware, which is only sold to nation-states. These revelations are the outcome of a collaboration called the Pegasus Project, comprising more than 80 journalists from 17 media organisations in 10 countries and coordinated by Forbidden Stories.

“We shut down the infrastructure referenced in this report that was confirmed to be supporting the reported hacking activity, in accordance with our terms of use,” an AWS spokesperson told MediaNama.

Why this matters? While India has long been suspected of being a Pegasus buyer, the scale and nature of the surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns or organised crime dealings — for which surveillance is usually sanctioned. The targets include journalists and activists critical of the government, politicians from the opposition, and officials in the Election Commission and Supreme Court.

What is Amazon’s role here?

Amnesty International: Amnesty International’s Security Lab, which provided technical support to the Pegasus Project, published a forensic investigation on Sunday that revealed NSO’s Pegasus malware sent information from an infected iPhone “to a service fronted by Amazon CloudFront.” Amnesty also found that the same CloudFront domain was contacted to execute, download and launch additional malicious components onto an iPhone.

According to Amazon’s website, “CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally.”

After NSO’s Version 3 infrastructure was abruptly shut down in August 2018 following Amnesty’s report that one of its staff members was targeted with Pegasus, NSO began rolling out its Version 4 infrastructure in September 2018. But the Version 4 infrastructure began going offline in early 2021 following the Citizen Lab’s report which disclosed multiple domains, Amnesty stated. “The shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks. The use of cloud services protects NSO Group from some Internet scanning techniques,” Amnesty said.

The report also stated that the servers used by NSO were mostly located in European data centers run by American hosting companies like:

  • Digital Ocean (142 servers)
  • Linode (114 servers)
  • Amazon Web Services (73 servers)

Citizen Lab: University of Toronto’s Citizen Lab, which conducted a peer review of Amnesty’s findings, reported that “Amnesty’s described methodology for linking the activity they observed involving Amazon CloudFront servers to the NSO Pegasus killchain is sound.” The lab also “independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”

Vice: Amazon’s connection to NSO is not new. In May 2020, when Vice “uncovered evidence that NSO used Amazon infrastructure to deliver malware, Amazon did not respond to a request for comment asking if NSO had violated Amazon’s terms of service,” Vice stated.

Meanwhile, NSO has maintained that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” The group also refused to identify its customers “due to contractual and national security considerations.”

Updated (20 July, 2:20 PM): Added comments from AWS Spokesperson to MediaNama, removed comment given to Vice.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ