AWS has kicked NSO Group from its infrastructure after the commercial hacking company was found to be ‘ extensively’ using Amazon’s cloud services to hack journalists, lawyers, and activists.

A report this week from Amnesty detailed the infrastructure and activities of the NSO Group; an Israeli company that offers hacking tools to governments and law enforcement. The report focused on its Pegasus spyware; a ‘no-click’ zero-day attack that has reportedly been used by Governments to spy on specific targets.

Nso-group-logo.jpg
– NSO Group via Wikipedia

AWS hosted Pegasus; others still do

Pegasus allows its users to extract messages, photos and emails, record calls and secretly activate microphones, and could have been used on up to 50,000 people globally.

As part of the report, Amnesty detailed the infrastructure used by the NSO Group to host the spyware, finding that it was an extensive user of a number of US cloud and hosting services, including Amazon.

“NSO Group begin to make extensive use of Amazon services including CloudFront in 2021,” said CitizenLab in its review of Amnesty’s report. Amnesty identified 700 domains it says are linked to the NSO Group and its Pegasus spyware.

Both Amnesty and Citizen Lab found that NSO were users of Amazon CloudFront, the company’s content delivery network (CDN) service, adding that the use of cloud services protected NSO Group from some Internet scanning techniques.

Amnesty also said it found NSO Group using DNS servers assigned to the US-owned hosting companies Digital Ocean, Linode, and AWS. It said NSO was likely rotating domains either to avoid risk of discovery or due to disruption of previous hosting infrastructure.

While NSO seemed to utilize the previously-mentioned companies most heavily, the non-profit also found links to infrastructure in facilities owned by OVHCloud, UpCloud, and Neterra.

“It appears that NSO Group is primarily using the European data centers run by American hosting companies to run much of the attack infrastructure for its customers," said Amnesty.

Amnesty said it reported this information to Amazon, with the cloud company saying it “acted quickly to shut down the implicated infrastructure and accounts.”

“When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts,” an AWS spokesperson subsequently told Vice’s Motherboard. Vice had previously reported the NSO Group as an AWS user, to which the company did not respond at the time.

The Register reports that AWS declined to say if it had previously spoken to NSO about the activity being conducted from the cloud company’s infrastructure. It also reports that Linode and Digital Ocean have not stopped working with NSO Group.

In a previous report looking into NSO and a previous iteration of Pegasus, CitizenLab found the company was using servers located in Germany, France, UK, and Italy using cloud hosting providers Aruba, Choopa, CloudSigma, and DigitalOcean.

DCD has reached out to Digital Ocean, OVHCloud, and Linode for comment.

Update:

A Linode spokesperson told DCD: "We are not aware of any of the activities described in the Amnesty International link, nor were we able to validate any of the claims. For example, the IP addresses listed in the report no longer resolve to the domains listed."

"However, we ask anyone with information regarding the use of our services for malicious purposes to immediately file an abuse complaint so we can investigate and take all necessary action."

Subscribe to our daily newsletters