In two separate reports, Amnesty International and Citizen Lab confirm Amazon’s connection to NSO’s Pegasus malware and provide the location of the servers used by the Israeli company.

Amazon Web Services (AWS) closed the infrastructure and accounts associated with Pegasus provider NSO Group on Monday, Amazon said in a statement Vice.

On Sunday, it emerged that communications from several Indian activists, journalists, politicians and their acquaintances may have been intercepted by the government using the NSO spyware Pegasus, which is only sold to nation states. These revelations are the result of a collaboration called the Pegasus Project that involves more than 80 journalists from 17 media organizations in 10 countries, coordinated by Forbidden Stories.

“We closed the infrastructure mentioned in this report, which has been confirmed to support the reported hacking activities in accordance with our terms of use,” an AWS spokesman told MediaNama.

Why is that important? Although India has long been suspected of being a Pegasus buyer, the level and type of surveillance it has embarked on, and the destinations it has apparently chosen, do not seem to suggest that there are concerns about the national security related to organized crime gives – for surveillance is usually sanctioned. Targets include journalists and activists critical of the government, opposition politicians, and officials from the Electoral Commission and the Supreme Court.

Read: Pegasus Spyware: All the Latest Facts on Audience, Modus Operandi, and More

What role does Amazon play here?

Amnesty International: Amnesty International’s security laboratory, which provided technical support for the Pegasus project, published a forensic examination on Sunday, which revealed that NSO’s Pegasus malware was sending information from an infected iPhone “to an Amazon CloudFront service.” Amnesty also found that the same CloudFront domain had been contacted to run, download and launch additional malicious components on an iPhone.

According to Amazons website, “CloudFront is a high-speed content delivery network (CDN) service that securely delivers data, videos, applications and APIs to customers around the world.”

After NSO’s version 3 infrastructure was abruptly shut down in August 2018 after Amnesty reported that one of its employees was affected by Pegasus, NSO began rolling out its version 4 infrastructure in September 2018, but the version 4 infrastructure went down Citizen Labs offline in early 2021 report which has disclosed multiple domains, Amnesty said. “The V4 infrastructure shutdown coincided with the NSO Group’s move to cloud services like Amazon CloudFront to deliver the early stages of their attacks. The use of cloud services protects the NSO Group from some internet scanning techniques, ”Amnesty said.

The report also found that the servers used by NSO were mainly located in European data centers operated by American hosting companies such as:

  • Digital Ocean (142 servers)
  • Linode (114 servers)
  • Amazon Web Services (73 servers)

Citizens Laboratory: University of Toronto Citizen Lab, the one Peer review of Amnesty’s findings, reported that “the method Amnesty described for linking the activity they observed with Amazon CloudFront servers to the NSO-Pegasus killchain is solid.” Extensive use of Amazon services including CloudFront by 2021 ”.

Vice: Amazon’s connection to NSO isn’t new. In May 2020, when Vice “uncovered evidence that NSO was using Amazon’s infrastructure to deliver malware, Amazon did not respond to a request for comment asking whether NSO had violated Amazon’s Terms of Use,” Vice specified.

Meanwhile, NSO groomed that it “does not operate the systems it sells to audited government customers and does not have access to the data of its customers’ targets”. The group also refused to identify its customers “for contractual and national security reasons”.

Updated (July 20, 2:20 p.m.): Added AWS spokesperson’s comments to MediaNama, removed comment to Vice.

Read more on Pegasus