AWS bans NSO Group following Pegasus spyware accusations

Android phone malware
(Image credit: Shutterstock)

NSO Group has had its accounts with cloud computing provider Amazon Web Services (AWS) suspended following widespread allegations that its software is being used to spy on users across the globe.

The Israeli firm has been accused of selling its Pegasus spyware services to authoritarian governments around the world, which then used the tools to monitor figures such as journalists, activists and opposition politicians.

Initial analysis of the campaign by Paris-based NGO Forbidden Stories and human rights group Amnesty International estimates that tens of thousands of individuals may have been targeted by the malware.

AWS ban

AWS has now confirmed that NSO Group has had its AWS accounts banned, leaving it without a hefty chunk of its cloud infrastructure, possibly severely limiting its overall operations as a whole.

"When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts," an AWS spokesperson told Motherboard, which first reported the ban.

Amnesty's research found that the Pegasus malware was sending information to a service fronted by commercially available CDN service Amazon CloudFront.

Motherboard notes that a 2020 report had suggested NSO was a pre-existing AWS customer, despite Amnesty's findings "suggesting NSO Group has switched to using AWS services in recent months." 

A further investigation of the Amnesty findings by Citizen Lab backed up this finding, noting that it had "independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021."


(Image credit: Shutterstock)

CloudFront is a CDN offering from Amazon that allows customers to quickly and securely distribute content to users, with the report claiming that NSO allegedly favored using, “the European data centers run by American hosting companies.”

Amnesty added that moving to services such as CloudFront would suggest NSO was trying to keep some of its operations under wraps, as doing so would protect the company from certain online scanning techniques by security researchers or other third parties.

The group added that it had detected NSO also using services from Digital Ocean, OVH, and Linode - although none of these have yet commented on the report.

Pegasus was reportedly deployed by NSO to infect Android devices and iPhones, giving operators access to messages, photos and emails, as well as the ability to record calls and activate microphones without the victim knowing.

The spyware reportedly needs little activity to install itself on a victim's phone - which can in fact be done via a simple WhatsApp call, or by exploiting existing security weaknesses on services such as iMessage.

Using this, data packets are altered in the voice call sent to the target/victim, leading to an internal buffer in the WhatsApp application to overflow, which in turn will overwrite parts of the memory leading to the bypassing of the app’s security, allowing further control of the whole device and the data within it.

Via Motherboard

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.