Amazon kicks NSO Group activity off its cloud service after spying reports

The maker of the Pegasus hacking tool reportedly used AWS as part of its spyware services to government clients.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read
A black phone screen covered with dusted white fingerprints.

NSO Group says it monitors customers for abuses of its spyware.

Getty Images

Amazon has deactivated cloud computing accounts that researchers have associated with NSO Group, a hacking tools company that reportedly used Amazon Web Services as part of spyware systems in turn used by governments to surveil phones. The removal came as a result of research by forensic investigators at Amnesty International, who discovered the Israeli company's Pegasus software on the phones of activists and journalists, at times using AWS systems to operate.

Forensic researchers at Citizen Lab, which analyzes spyware at the University of Toronto, independently confirmed Amnesty's discovery that the hacking tools were operating on AWS' CloudFront, a content delivery network product. Amnesty's report says Amazon told its researchers in May that it had moved fast to get the hacking activity off its systems.

The Pegasus spyware is capable of accessing and recording texts, videos, photos and web activity as well as passively recording and scraping passwords on a device, according to a New York Times report. The software is designed to work on iPhones and some Android phones.

In a statement, Amazon reiterated what it had told Amnesty. "When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts," the company said.

News of the removal of NSO Group's activity from AWS was reported earlier by Vice

An out-of-focus iPhone is held up in front of NSO Group's headquarters, with the company logo visible on the side of the building.

A cell phone outside NSO Group's headquarters. The company says it will investigate the reported abuses of its software.

Getty Images

An NSO Group spokesperson said in a statement that the "claims are false." The company subsequently clarified the statement, saying it referred to the claim that AWS had removed its accounts. 

In response, an Amazon spokesperson said, "We shut down the infrastructure referenced in this report that was confirmed to be supporting the reported hacking activity, in accordance with our terms of use."

NSO Group told The Washington Post that it would investigate the recent findings that its products had been used to spy on activists and journalists. Amnesty International's findings indicate the company's Pegasus spyware was found on dozens of phones that it received for review. Some phones showed signs they had been breached with the spyware multiple times. 

The Pegasus software was installed on targets' phones through a variety of methods, the researchers found. The phones' owners might visit a common website, but be secretly redirected to another site that would automatically download the spyware. To carry out the redirection, the hacking organization would have to intercept web traffic going to a target's devices with a machine that mimics cell phone towers or a device installed at the target's internet service provider, Amnesty International concluded.

Some targets' devices were infected when they received a text message that contained a "zero-click" attack, meaning the owner of the device doesn't have to click on a malicious link for the infection to take place. The reported attacks took place through iMessage, a method that Citizen Lab previously reported had been used to hack the phones of Al-Jazeera journalists. (NSO Group denied the claims in the report.)

Amazon's decision to end support for the hacking activity comes the same year that AWS removed accounts belonging to social media service Parler, where right-wing extremists posted. Amazon said Parler failed to moderate posts from users who posted racist and sexist slurs, as well as calls to violence against lawmakers, Amazon facilities and Amazon founder Jeff Bezos. Parler sued Amazon twice over the move, claiming Amazon had defamed the company and was favoring another customer, Twitter, by removing support for Parler.

The Amazon removal comes as a group of news sites revealed extensive details of the NSO Group's operations, analyzing a list of 50,000 phone numbers obtained by journalists. The phones Amnesty International analyzed were on the list of numbers, and had been infected by Pegasus or showed signs that someone had tried to install Pegasus. Among the reported targets were two women close to murdered Saudi journalist Jamal Khashoggi, according to The Washington Post, as well several journalists and activists in countries including India, Azerbaijan and Rwanda, according to Amnesty International.

The reported hacking has drawn criticism from privacy advocates, including Edward Snowden, who blew the whistle on National Security Agency spying activities in 2013.

"If you don't do anything to stop the sale of this technology, it's not just going to be 50,000 targets," Snowden told The Guardian. It's going to be 50 million targets, and it's going to happen much more quickly than any of us expect."

NSO Group denies its software was involved in hacking the targets associated with Khashoggi, and called the news investigation into question. The company claims its software hasn't been licensed to use on 50,000 phones. Among thousands of phone numbers investigated, 37 phones were analyzed. On those phones, "the reporters fail to prove a definitive link between the numbers and NSO," an NSO Group spokesperson said.

NSO Group has been implicated by previous reports and lawsuits in other hacks, including a reported hack of Amazon founder Jeff Bezos in 2018. A Saudi dissident sued the company in 2018 for its alleged role in hacking a device belonging to journalist Khashoggi, who had been murdered inside the Saudi embassy in Turkey that year.