Pegasus spyware: Amazon shutters NSO Group infrastructure and accounts

The surveillance firm allegedly uses services from AWS, OVH, Digital Ocean and Linode

AWS has deactivated cloud infrastructure and accounts linked to Israeli surveillance firm NSO Group.

The move follows a new report from Paris-based non-profit Forbidden Stories and Amnesty International, which claimed that NSO Group's hacking tools were used in attempted and successful hacks of 37 phones. The devices belonged to journalists, rights activists, politicians and other prominent individuals around the world.

The report alleged that NSO Group used cloud services from AWS and other companies, including OVH, Digital Ocean and Linode, as part of its spyware system. Multiple governments used NSO's tools for surveillance purposes.

"When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts," an Amazon spokesperson told Vice.

NSO allegedly preferred servers in the US and Europe, particularly 'the European data centers run by American hosting companies,' according to the Amnesty report.

The Pegasus attacks included so-called 'zero-click' attacks, which do not require any interaction from the target.

'Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful 'zero-click' attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021,' the report said.

The report's authors have also claimed that NSO's Pegasus malware, after compromising a phone, sent information to 'a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months'.

CloudFront is a content delivery network that companies can use to deliver data, videos, applications and APIs to users reliably, at high speeds, and with low latency.

Amnesty said the CloudFront service protects NSO from researchers trying to uncover its infrastructure.

In a separate post, Citizen Lab wrote that it had observed NSO Group beginning to make extensive use of CloudFront and other AWS services in 2021.

The latest allegations against NSO Group are based on a list of 50,000 phone numbers of potential targets that are believed to be of interest to the Israeli surveillance firm's clients.

Amnesty and Forbidden Stories were the first to see the list. They then shared it with 17 international media outlets, including The Washington Post, The Guardian and Le Monde, as part of a collaborative investigation.

It is unclear where the list came from, or exactly how many devices were compromised, although forensic analysis of 37 phones showed there had been both 'attempted and successful' hacks.

Nearly 1,000 people have been identified from the list so far.

NSO denies any wrongdoing, saying its software helps law enforcement agencies to tackle terrorists and criminals. The company claims it sells software only to countries with good human rights records.

In a statement to Reuters, NSO Group said the list of phone numbers is 'not...related to NSO Group, and NSO does not have any target lists.

'The 'list' is derived from services such as HLR Lookup, which is open and free to anyone online.'

NSO said it would 'continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.'