Amnesty report claims NSO’s Pegasus was used to spy on a Moroccan journalist

The human rights group conducted a forensic examination of Omar Radi’s phone and found digital fingerprints of the Israeli cyber company

Omer Kabir 12:13 22.06.20
Pegasus spyware developed and sold by Israeli cyber company NSO Group contributed to a sustained campaign by the government of Morocco to spy on Moroccan journalist Omar Radi, this despite the company’s public pledge to prevent its product being used to harm human rights, a new report by Amnesty International alleges.


According to the report, surveillance of Radi took place for a year, from January 2019 to the beginning of 2020. Radi, an award-winning investigative journalist who worked for various international publications exposing links between corporate and political interests, corruption and breaches of human rights in Morocco, is one of 10 journalists who Amnesty claims are suffering from prolonged harassment by the state. In March, he was handed a suspended four-month prison term for a tweet he posted in April 2019 criticizing the unfair trial of a group of activists.


NSO headquarters in Herzliya. Photo: AFP

Amnesty Tech, the global human rights agency's cyber forensic unit, examined Radi’s smartphone and revealed that the device was subject to a series of ‘network injection’ attacks.


“Through our investigation, we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalization at the hands of Moroccan authorities leading to a shrinking space for dissent,” reads the report.


According to Amnesty, Pegasus was installed on Radi’s phone using network injections, which allow for the automatic and invisible redirection of targets’ browsers and apps to malicious sites under the attackers’ control. It is considered a more advanced method than the more widely used previous techniques that relied on tricking the user into taking an action in response to a link sent to the user.


A Business Insider report from January revealed that NSO offers its clients a mobile interception device used to collect data while close to the target and in this way hack into the user’s phone and install the spyware remotely. All that’s needed is to place the antenna-like device in the target’s proximity and wait for them to arrive. “These devices act as portable base stations and impersonate legitimate cellular towers in order to trick phones in the vicinity to connect to them and enable the attacker to manipulate the intercepted mobile traffic,” explained Amnesty.


In its analysis of Radi’s phone, Amnesty found evidence that Pegasus was planted via network injection attacks that occurred on January 27, February 11, and September 13, 2019 and forced his browser to visit an exploitation site. The same site was also used to hack into the phone of Moroccan human rights defender Maati Monjib.


“Taken together with the technical evidence that we detail in the next section, showing overlaps in timing, recovered forensic artifacts and attack infrastructure linked to previous surveillance attacks in Morocco using NSO tools, this strengthens the evidence linking NSO's network injection tools to this attack,” reads the report.


The Amnesty report further noted that the latest attack on Radi took place mere days after NSO pledged that its tools would not be used to violate human rights. “NSO Group clearly cannot be trusted. While it was undertaking a PR offensive to whitewash its image, its tools were enabling the unlawful surveillance of Omar Radi, an award-winning journalist and activist,” said Danna Ingleton, Deputy Director of Amnesty Tech. “Even after being presented with chilling evidence of its spyware being used to track activists in Morocco, it appears that NSO chose to keep the Moroccan government on as a customer. If NSO won’t stop its technology from being used in abuses, then it should be banned from selling it to governments who are likely to use it for human rights abuses.”


“NSO takes this report very seriously and offered its reactions to the findings directly to Amnesty stating it would investigate the presented claims,” NSO told Calcalist when asked for comment. “As an industry leader, NSO has uniquely and unprecedentedly adopted the UN’s guidelines on businesses and human rights and are following them to ensure the appropriate use of our products. However, the claims sent by the organization, to us and to the media at the same time, require a thorough review to find out whether the allegations are related to customers or company products, and it is a pity that the organization failed to provide us with the full details insofar as it is genuinely interested in preventing human rights violations and to allow a thorough review absent other motives. For commercial and operational reasons, the company is prohibited from detailing its customers.”


Amnesty International has repeatedly called on the Israeli government to halt NSO exports, claiming that the company's technology is used to violate human rights. Last March, the organization’s local branch petitioned the Tel Aviv District Court, claiming that NSO’s spyware was used in attempted surveillance of an Amnesty staff member, a Saudi human rights activist, in August 2018.


Over the past two years, NSO has repeatedly fended off accusations that its technologies were being misused, claiming it only sells its product to governments and law enforcement agencies and maintaining that its spyware has saved tens of thousands of lives. In December 2018, an associate of slain Saudi journalist Jamal Khashoggi sued the company, claiming it played a role in Khashoggi’s murder.