Days After New Human Rights Policy, NSO Client Hacked an Activist

June 21, 2020 By Joseph Cox

Just three days after controversial surveillance vendor NSO Group announced its new human rights policy, saying that clients can only use the company's products to combat serious crime and to ensure that they're not used to violate human rights, a likely Moroccan government agency hacked the phone of a human rights defender using NSO malware, according to a new technical report from Amnesty International.

The news highlights the apparent gulf between NSO's repeated claims that it tries to protect against abuses of its product and the reality of how clients use its hacking tool, dubbed Pegasus.

The report "demonstrates NSO Group's continued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy," the report, provided by Amnesty to Motherboard before public release, reads.

NSO sells its Pegasus hacking product to intelligence and law enforcement agencies. After infecting a device, sometimes via a link the target has to click, Pegasus can siphon a device's texts, emails, social media messages, and photos. It can also track the phone's GPS location, and much more. NSO's more well-known clients include Saudi Arabia, Mexico, and the United Arab Emirates.

On September 10th 2019, NSO announced its new human rights policy designed to bring the company in line with the United Nations Guiding Principles on Business and Human Rights. The policy included contractual obligations requiring clients to limit the use of NSO's tools to the prevention and investigation of serious crimes, and to ensure that the products won't be used to violate human rights, the announcement said. It also contained an evaluation of NSO's sales process, including a country's past human rights performance and governance standards, the announcement added.

But on September 13th 2019, a likely Moroccan-government client used Pegasus to hack the phone of Omar Radi, a journalist and activist from Morocco whose work touches on corruption and human rights abuses, according to the Amnesty report. Amnesty researchers found forensic traces on Radi's device of attacks that used malicious domains the researchers previously attributed to NSO infrastructure from earlier attacks on other Moroccan human rights defenders.

According to the report, the attackers targeted Radi's device by intercepting his web browsing session and redirecting his browser to a malicious webpage that installed the Pegasus malware. This could have been achieved by the Moroccan client leveraging access to Radi's telecom provider, according to the report. The so-called network injection attacks stretched from January 2019 to January 2020, the report says, showing how the Moroccan client continued to target Radi even well after NSO's new human rights policy.

An NSO spokesperson told Motherboard in an email, “NSO has undertaken a Human Rights Compliance Policy to comply with the UN Guiding Principles on Business and Human Rights. We are the very first in our industry to sign on to these principles, and we take any claim of misuse seriously. We responded directly to Amnesty International after learning of their allegations in accordance with NSO’s industry-leading human rights policies and we shall immediately review the information provided and initiate an investigation if warranted.”

“While we seek to be as transparent as feasible in response to allegations that our products have been misused, because we develop and license to States and State agencies technologies to assist in combatting terrorism, serious crimes, and threats to national security, we are obligated to respect state confidentiality concerns and cannot disclose the identities of customers,” the statement added.
