NSO-AWS connection remains unclear


A response by AWS to the Motherboard website on disconnected accounts fails to specify whose accounts were involved.

The report that Amazon unit AWS disconnected Israeli spyware company NSO from its cloud servers spread rapidly in the Israeli and world media yesterday. The source of the report was a single item published on the Motherboard technology website of the Vice network that was based on a fairly vague response that the website received from AWS.

A spokesperson for AWS wrote in response to a question from Motherboard: "When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts." This response does not mention whose accounts were involved, and follow-up question to AWS from media outlets went unanswered.

NSO denied the report yesterday, and said that the claim that Amazon had closed its accounts were incorrect. The only conclusion that can be drawn is that AWS pulled the plug on activity connected to the investigative report on the use of NSO's Pegasus spyware product released this week, but it is not clear whose activity it was.

The investigative report, by the Forbidden Stories and Amnesty International organizations, again connected NSO to spying on journalists, human rights activists and politicians. It was based on a leak of 50,000 telephone numbers that apparently represented a pool of potential targets for governments that purchased the Pegasus program from NSO.

NSO denied the reports and called the investigation "divorced from reality." The company stressed that there was no proof of any connection between the telephone numbers and the use of its offensive cyber software.

As part of the project, Amnesty published results of a technical investigation that found that NSO's technology exploited a weakness in Apple applications such as iMessage and FaceTime to plant Pegasus on a telephone without needing the user to press on any link.

Amnesty claimed that in one case, that of a French human rights lawyer, his iPhone that had been hacked sent information to Amazon's CloudFront service. This is a service for rapid distribution of data, video and applications. According to Amnesty, this indicates that NSO has switched to using AWS services in recent months.

The Citizen Lab organization, which checked Amnesty's findings, also reported that it had detected that NSO Group had started to make extensive use of Amazon's CloudFront services in 2021.

Nevertheless, from Amnesty and Citizen Lab's results it is not clear to whom the Amazon accounts to which the iPhone sent information belonged, and whether they were operated by NSO or by one of its customers, or by some third party.

In fact, it is probable that NSO, which has been under scrutiny for years, camouflages its activity well. The Amnesty report found that the activity connected to Pegasus used other cloud hosting services from companies such as OVH, DigitalOcean, and Linode.

Published by Globes, Israel business news - en.globes.co.il - on July 20, 2021

© Copyright of Globes Publisher Itonut (1983) Ltd. 2021

Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018