NSO Group spyware used against Moroccan journalist days after company pledged to respect human rights

NSO Group, the Israeli company marketing its technology in the fight against COVID-19, contributed to a sustained campaign by the government of Morocco to spy on Moroccan journalist Omar Radi, a  by Amnesty International reveals.

NSO Group clearly cannot be trusted. While it was undertaking a PR offensive to whitewash its image, its tools were enabling the unlawful surveillance of Omar Radi, an award-winning journalist and activist.

Danna Ingleton, Deputy Director of Amnesty Tech.

The organization found that Omar Radi’s phone was subjected to multiple attacks using a sophisticated new technique that silently installed NSO Group’s notorious Pegasus spyware. The attacks occurred over a period when Radi was being repeatedly harassed by the Moroccan authorities, with one attack taking place just days after NSO pledged to stop its products being used in human rights abuses and continued until at least January 2020.

“NSO Group clearly cannot be trusted. While it was undertaking a PR offensive to whitewash its image, its tools were enabling the unlawful surveillance of Omar Radi, an award-winning journalist and activist,” said Danna Ingleton, Deputy Director of Amnesty Tech.

“Even after being presented with chilling evidence of its spyware being used to track activists in Morocco, it appears that NSO chose to keep the Moroccan government on as a customer. If NSO won’t stop its technology from being used in abuses, then it should be banned from selling it to governments who are likely to use it for human rights abuses.”

Journalist Omar Radi was repeatedly targeted with NSO Group’s notorious Pegasus spyware.

While the Moroccan authorities are ultimately responsible for the unlawful targeting of activists and journalists like Omar Radi, NSO Group contributed to these abuses by keeping the government on as an active customer until at least January 2020. This appears to have given the authorities continued access to the company’s spyware.

Omar Radi has been systematically targeted by the Moroccan authorities due to his journalism and activism. He is a vocal critic of the government’s human rights record and has reported on corruption as well as links between corporate and political interests in Morocco. On 17 March 2020, he was handed a  for a tweet he posted in April 2019 criticizing the unfair trial of a group of activists.

“The Moroccan authorities are increasingly using digital surveillance to crack down on dissent. This unlawful spying, and the wider pattern of harassment of activists and journalists must stop,” said Danna Ingleton.

Silent attack method

Amnesty Tech carried out a forensic analysis of Omar Radi’s iPhone in February 2020. This revealed that the device was subject to a series of ‘network injection’ attacks.

With network injections, attackers are able to monitor, intercept and manipulate the internet traffic of the target. The phone’s web browser is then redirected to a malicious website, without requiring any action by the target. The malicious website then silently installs Pegasus spyware on the target’s phone.

For network injections, the attacker requires either physical proximity to the targets or access over mobile networks in the country which only a government could authorize, a further indication that the Moroccan authorities were responsible for the attack against Omar Radi. NSO marketed such sophisticated interception technology as recently as January 2020.

A model of a rogue cell tower sold by NSO Group – a tool which could be used in a network injection attack. Becky Peterson/Business Insider

When Pegasus is installed, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls and contacts. Network injection attacks are notoriously difficult for a victim to spot as they leave few clues.

Forensic data extracted from Omar Radi’s phone indicates network injection attacks occurred on 27 January, 11 February, and 13 September 2019. NSO Group publicly committed to abide by the  on 10 September 2019.

The browser on Omar Radi’s phone was directed to the same malicious website Amnesty International found in an attack against Moroccan academic and activist Maati Monjib, as revealed in the report 

NSO Group was provided with an advanced copy of that report on 2 October 2019. The malicious website was shut down on 6 October, days before Amnesty made its findings public. However, new evidence shows similar network injection attacks against Omar Radi’s phone continued until 29 January 2020, using a different website.

NSO Group has serious questions to answer as to what actions it took when presented with evidence its technology was used to commit human rights violations in Morocco.

Danna Ingleton

With NSO Group claiming it only sells its spyware to government intelligence and law enforcement agencies, the evidence revealed by Amnesty International indicates that the Moroccan government remained an active customer of NSO Group, and was able to continue to use the company’s technology to track, intimidate and silence activists, journalists and critics.

When Amnesty International shared its latest findings with NSO Group, the company did not confirm or deny whether the Moroccan authorities use their technologies and stated that they will review the information submitted.

“NSO Group has serious questions to answer as to what actions it took when presented with evidence its technology was used to commit human rights violations in Morocco. Why did it not terminate its contract with the Moroccan authorities? Subjecting journalists and activists to intimidation through invasive digital surveillance is a violation of their rights to privacy and freedom of expression,” said Danna Ingleton.

NSO Group says it undertakes a rigorous review to identify human rights before sales of its products, but these claims lack detail and, considering the number of attacks on civil society, appear to have been ineffective in numerous cases.

Pattern of abuse

Amnesty International and others have documented a pattern of NSO Group’s Pegasus spyware being used to target civil society. The spyware has been used in attacks on journalists and parliamentarians in Mexico; Saudi activists Omar Abdulaziz, Yahya Assiri, Ghanem Al-Masarir; award-winning Emirati human rights campaigner Ahmed Mansoor; an Amnesty International staff member; and allegedly, used in connection with murdered Saudi dissident Jamal Khashoggi.

Under the UN Guiding Principles on Business and Human Rights, NSO Group and their primary investor, the UK-based private equity firm Novalpina Capital, have a clear obligation to take urgent steps to ensure that they are not causing or contributing to human rights abuses worldwide.

Legal action

Amnesty International is supporting  being brought in Israel that seeks to force the Israeli Ministry of Defence (MOD) to revoke NSO Group’s export license. The organization argues that the Israeli MOD is putting human rights at risk by allowing NSO to continue to export its products to governments worldwide. A judgment is expected in the case soon.

Facebook is also suing NSO Group in courts in California after the spyware firm exploited a vulnerability in WhatsApp to target at least 100 human rights defenders.

“The legal battles against NSO Group continue because the company refuses to accept responsibility for its role in human rights abuses. The new evidence is the latest red flag as to why NSO should be blocked from selling its surveillance technology, including to tackle the COVID-19 pandemic,” said Danna Ingleton.

NSO Group's record of human rights abuses