NSO Group spyware used against Moroccan journalist - new investigation

Award-winning journalist Omar Radi was targeted with notorious Pegasus spyware days after Israel tech firm pledged to abide by human rights standards

Spyware already used against numerous journalists, reportedly including Jamal Khashoggi

‘NSO Group clearly cannot be trusted’ - Danna Ingleton

The Israeli technology company NSO Group’s notorious spyware was used by the Moroccan government to spy on Moroccan journalist Omar Radi, a new investigation by Amnesty International has revealed. 

Amnesty found that Radi’s phone was subjected to multiple attacks using a sophisticated technique that silently installs NSO Group’s Pegasus spyware. 

The attacks occurred during a period when Radi was repeatedly harassed by the Moroccan authorities, with one of the attacks taking place just days after NSO Group pledged to stop its products being used in human rights abuses. The cyber-attacks continued until at least January this year (see details below).

Radi - a vocal critic of Morocco’s human rights record who has reported on political corruption in the country - has been systematically targeted by the Moroccan authorities. On 17 March, he was given a suspended four-month prison term for a tweet criticising the unfair trial of a group of activists.

While the Moroccan authorities are ultimately responsible for the unlawful targeting of people like Radi, NSO Group contributed to these abuses by retaining the Moroccan government as an active customer until at least January. This appears to have given the Moroccan authorities continued access to the spyware.

When Amnesty shared its 16 pages of findings with NSO Group, the company did not confirm or deny whether the Moroccan authorities use their technologies and said only they would review the information submitted. NSO Group says it performs rigorous checks to identify human rights issues before selling its products, but these claims lack detail and appear to have been ineffective in numerous instances. 

NSO Group is currently the subject of several legal challenges. Amnesty is supporting a legal case in Israel seeking to force the Ministry of Defence to revoke NSO Group’s export licence, arguing the defence ministry is putting human rights at risk by allowing the firm to continue its exports. A judgment is expected in the case soon. Facebook is also suing NSO Group in California after the company exploited a vulnerability in Facebook-owned WhatsApp to target at least 100 human rights defenders. 

Danna Ingleton, Deputy Director of Amnesty Tech, said:

“NSO Group clearly cannot be trusted. 

“While it was undertaking a PR offensive to whitewash its image, its tools were enabling the unlawful surveillance of Omar Radi, an award-winning journalist and activist.

“If NSO won’t stop its technology from being used in abuses, then it should be banned from selling it to governments who are likely to use it for human rights abuses.”

Forensic analysis of a spyware attack

Amnesty Tech carried out a forensic analysis of Radi’s iPhone in February this year. This revealed that the device was subject to a series of “network injection” attacks. These attacks allow attackers to monitor, intercept and manipulate the internet traffic of the target. The phone’s web browser is redirected to a malicious website which silently installs Pegasus spyware on the target’s phone. When Pegasus is installed, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls and contacts. Network injection attacks are notoriously difficult for a victim to identify as they leave few clues. 

The browser on Radi’s phone was directed to the same malicious website Amnesty found in an attack against Moroccan academic and activist Maati Monjib. Forensic data extracted from Radi’s phone indicates network injection attacks occurred on 27 January, 11 February, and 13 September 2019. NSO Group publicly committed to abide by the UN Guiding Principles on Business and Human Rights on 10 September. 

With network injection spyware attacks, the attacker requires either physical proximity to the targets or access over national mobile networks (which only a government can authorise), further indicating that the Moroccan authorities were responsible for the attack against Radi. 

NSO marketed its sophisticated interception technology as recently as January 2020.  

NSO spyware used against numerous people 

Amnesty and others have documented a pattern of NSO Group’s Pegasus spyware being used to target numerous members of civil society around the world. The spyware has been used in attacks on journalists and parliamentarians in Mexico; against Saudi activists Omar Abdulaziz, Yahya Assiri and Ghanem Al-Masarir; against award-winning Emirati human rights campaigner Ahmed Mansoor; against an Amnesty staff member; and allegedly, used in connection with the murdered Saudi dissident and journalist Jamal Khashoggi. 

Under the UN Guiding Principles on Business and Human Rights, NSO and their primary investor (the UK-based private equity firm Novalpina Capital) have an obligation to take steps to ensure they are not causing or contributing to human rights abuses worldwide.