Report: Hackers Spied on Moroccan Human Rights Activists
Amnesty International Says NSO Group Spyware May Have Been Used
Hackers apparently used sophisticated spying tools to plant malware on the smartphones of two human rights activists in Morocco, according to Amnesty International.
The activists may have been targeted by spyware developed by Israel-based cyber-intelligence firm NSO Group, which has been accused of providing technology to governments looking to crack down on journalists, activists and protestors, according to Amnesty International.
Over the course of two years, the hackers apparently attempted to install NSO's Pegasus spyware through SMS messages sent to the targets' smartphones that carried malicious links, the group says in a new report.
In addition, the attackers tried to plant more malware on the mobile network used by one of the activists, the report notes.
In an interview with Reuters about the report, Claudio Guarnieri, a security researcher with Amnesty International, said the activists apparently were hacked with the help of tools developed by NSO.
Amnesty International's accusations come a month after NSO Group announced its decision to adopt the United Nations' Guiding Principles on Business and Human Rights and to publish its own human rights guidelines as well as rules to protect whistleblowers (see: Cyber-Intelligence Firm NSO Group Tries to Boost Reputation).
An NSO Group spokesperson told Information Security Media Group that it takes the allegations made by Amnesty International seriously.
"Our products are developed to help the intelligence and law enforcement community save lives," the spokesperson says. "They are not tools to surveil dissidents or human rights activists. That’s why contracts with all of our customers enable the use of our products solely for the legitimate purposes of preventing and investigating crime and terrorism. If we ever discover that our products were misused in breach of such a contract, we will take appropriate action."
In its report, Amnesty International rejected similar claims made by NSO Group to the organization. "In the absence of adequate transparency on investigations of misuse by NSO Group and due diligence mechanisms, Amnesty International has long found these claims spurious," the report notes.
SMS Targeting Activists
In its Oct. 10 report, the international human rights watchdog found that two prominent Moroccan human rights activists, Maati Monjib and Abdessadak El Bouchattaoui, have been targeted by hackers since at least October 2017.
Monjib and Bouchattaoui have extensive track records of working for human rights in Morocco and have been persecuted by the government, according to the Amnesty International report.
Security experts from Amnesty International who assessed the activists' mobile phones discovered malicious links within SMS messages as well as carrier network intrusion attacks linked to hackers who had access to the NSO Group's Pegasus spyware, the report states.
In the SMS campaign, which began near the end of 2017, the attackers used a mix of political and automated spam messages to trick the victims to click malicious links, Amnesty International says.
An analysis of the URLs sent through the SMS messages, as well as the webpages themselves, revealed similarities to earlier spying attempts by hackers who had access to NSO Group tools, according to the report. In June 2018, Amnesty International reported that several of its international staff members were targeted through a suspicious WhatsApp link in Arabic, which, once clicked, led to the installation of Pegasus spyware (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
In addition, the Amnesty International researchers found similarities in the types of SMS messages and domains that targeted the two activists in Morocco with other activity documented by Citizen Lab, a research group within the University of Toronto that investigates the use of software exploits by governments.
Citizen Lab researchers published a 2018 report about NSO Group and the technology that it sells to governments.
The Amnesty International report notes that neither Monjib nor Bouchattaoui clicked on the links in these messages or visited the websites, so the Pegasus spyware was never fully downloaded.
Remote Spyware Injections
In addition to being targeted by malicious SMS messages, Monjib was also targeted through remote network injection attacks that attempted to install spyware on his iPhone, the Amnesty International report notes.
Because the activist's iPhone remained physically inaccessible to the attackers, Amnesty International believes the hackers decided to carry out man-in-the-middle attacks by intercepting the web requests sent from the victim's mobile phone. In a man-in-the-middle attack, a third party positioned between two communicating parties, such as a customer and a service provider, or an employee and the business service they are trying to reach, intercepts and alters the traffic passing between them.
"Unfortunately there are limited ways to identify these attacks. NSO Group's SMS messages seem to have stopped in mid-2018, but there might be still some traces left. Here's how to look for them: pic.twitter.com/qCAKuHMkva" - nex (@botherder) October 10, 2019
In this case, the attackers successfully installed the malware by manipulating the device's web-browser data, which was stored in a separate SQLite file, according to Amnesty International researchers. In the case of Monjib's iPhone, the researchers note this data can be accessed through an iTunes backup procedure and can then be tweaked to redirect the user to malicious sites without the user knowing.
When Maati Monjib tried to visit the French-language page of Yahoo by manually typing "yahoo.fr" into the iPhone's Safari web browser, the spyware instead redirected him to a webpage lacking proper Transport Layer Security (TLS) protection, according to the report. That page, served at the URL "http://yahoo.fr", was a phony webpage created by the hackers.
"We believe this is what happened with Maati Monjib’s phone," the report states. "As he visited yahoo.fr, his phone was being monitored and hijacked, and Safari was automatically directed to an exploitation server which then attempted to silently install spyware."
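The forensic signal described above (a cleartext visit to a typed site that is immediately followed by a hop to an unrelated host) can be checked against a browser history database. This is an added example, not code from the Amnesty report or its tooling; the table schema and sample rows are constructed for illustration and do not match Safari's real History.db layout.

```python
"""Flag cleartext visits that are immediately followed by a hop to another host.

Added example: builds a constructed, simplified SQLite history table and scans it
for the pattern described in the report, a plain-HTTP visit followed within a few
seconds by a visit to a different host. Schema and rows are constructed, not real.
"""
import sqlite3
from urllib.parse import urlsplit

# Constructed sample visits: (visit_time in seconds, url, page title).
# 203.0.113.10 is a documentation address standing in for an exploitation host.
SAMPLE_ROWS = [
    (1000.0, "http://yahoo.fr", "Yahoo"),
    (1001.5, "http://203.0.113.10/redirect?x=1", ""),  # unexpected hop (constructed)
    (2000.0, "https://example.org/", "Example"),
    (2003.0, "https://example.org/page", "Page"),
    (3000.0, "http://neverssl.example/", "plain"),
    (3040.0, "https://other.example/", "later"),  # too far apart to count
]


def load_history(rows):
    """Create an in-memory history table (assumed, simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history_visits (visit_time REAL, url TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO history_visits VALUES (?, ?, ?)", rows)
    return conn


def find_cleartext_redirects(conn, window=5.0):
    """Return (cleartext_url, next_url) pairs where a plain-HTTP visit is
    followed within `window` seconds by a visit to a different hostname."""
    cur = conn.execute(
        "SELECT visit_time, url FROM history_visits ORDER BY visit_time"
    )
    visits = cur.fetchall()
    hits = []
    for (t0, u0), (t1, u1) in zip(visits, visits[1:]):
        first, nxt = urlsplit(u0), urlsplit(u1)
        if first.scheme != "http":  # only cleartext requests can be injected into
            continue
        if t1 - t0 <= window and nxt.hostname != first.hostname:
            hits.append((u0, u1))
    return hits


if __name__ == "__main__":
    for src, dst in find_cleartext_redirects(load_history(SAMPLE_ROWS)):
        print(f"suspicious hop: {src} -> {dst}")
```

On a real device the same logic would be run over the history database exported from a backup, with the window tuned to the browser's actual redirect timing.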
Although Amnesty International acknowledges that there isn't any concrete proof to attribute this suspected network injection to a particular government using the NSO tools, the organization notes that there are similarities to other documented Pegasus infections, including the wiping of crash log files after the spyware forces a reboot of the phone.