Since Amnesty Tech created an innovative Security Lab in 2019, the team has been putting a stop to spyware hacks by Governments intent on threatening activists and violating human rights. Technologists were brought on board to work alongside other researchers, with the aim of exposing how new spyware tools were being used to hack into the phones of activists, investigative journalists, human rights lawyers and other members of civil society.
Here Donncha Ó Cearbhaill, Amnesty International’s Head of the Security Lab, reveals how the team is supporting those at risk of being hacked and why the likes of Apple and Google are acting on Amnesty’s findings.
“When Amnesty discovered a staff member working on Saudi Arabia had been a Pegasus target – a type of spyware developed by the then little-known Israeli cyber-arms company NSO Group – there was a moment of horror.
In 2018, the malicious link – connected to the NSO Group’s Pegasus spyware – was delivered through a WhatsApp message to the staff member’s personal phone. They weren’t the only target. At the time, Amnesty’s research identified a Saudi critic targeted in the same campaign. The initial WhatsApp link was the key clue, unravelling a network of 600 different domains that had been used to deliver Pegasus attacks in dozens of countries.
Once the spyware had wormed its way into the phones, it was able to pull out all the data on the device, including photos, messages, GPS locations, Signal messages – it could even film you through the phone’s camera.
Following the attack, a formal Security Lab was created under the leadership of Claudio Guarnieri, who had years of experience investigating digital attacks under his belt. From there, a range of talented technologists were recruited to work alongside other Amnesty researchers, investigating spyware, phishing scams and other kinds of digital attacks. The aim? To uncover attacks targeting civil society, publish the findings and develop ways for civil society to protect themselves. The cybersecurity industry was focused on protecting corporates and there were few efforts to tackle the sophisticated threats some governments directed at human rights defenders.
As a teenager, I was passionate about activism and technology. It was natural for me to see that emerging technology and technical approaches could be used to tackle human rights abuses. I moved to Berlin in 2014, shortly after the Snowden surveillance revelations, which is where I live now. At the time, there was a movement of hackers, activists and privacy activists, passionate about tackling abuses of technology and surveillance systems. This community was an inspiration and there is still a vibrant collective of people like me who are tackling surveillance, spyware and other abuses enabled by tech. Joining the Security Lab was a perfect match for me with the opportunity to use my skills to research and expose technological abuses by States, as well as companies providing technology to keep tabs on activists.
Uncovering a hack
Amnesty’s Security Lab carries out research in several ways, with strategies and tools that have evolved over the years.
At the start, we would wait for activists to approach us and share suspicious emails or links they had received. From there, we would decipher whether it was a spam message or a money-stealing cyber-crime. Occasionally it was a more targeted attack, and we could confirm the person’s accounts were being specifically targeted or an attempt was being made to hack the person’s phone.
However, some spyware is so sophisticated it does not send the victim a link – instead, it uses “a zero click attack”, meaning your phone is hacked without you knowing.
As you sleep at night, your phone next to you, the government using spyware tools can send specially crafted silent messages. These messages will take advantage of a subtle flaw in the phone’s software, allowing the attacker to burrow into the phone, enabling access to all the data on the device. It will start pulling out photos, GPS locations, Signal messages – everything on the phone. Often there is no easy way for individuals to protect themselves as the phone is hacked through an unpatched vulnerability in the phone, unknown to the manufacturer.
After discovering phones were being hacked using zero-click attacks, we developed innovative forensic tools including the Mobile Verification Toolkit (MVT) to analyse devices of potential targets for any tell-tale traces of spyware. These tools are now being used by civil society organisations around the world to identify new victims and uncover spyware campaigns. It is a complex process – a bit like cat and mouse – as every time we find spyware and publish findings, the company will read our reports and adjust the spyware to avoid getting detected in the future. There is always a fight on our hands which gets more difficult over time.
Tackling tech violations
The Security Lab is going from strength to strength. While it can be tiring to go through 30 or 50 phones to find nothing, when we uncover a new attack, and help protect those being targeted, it makes all our work and effort worth it.
In 2021, Amnesty International worked with a dozen media partners around the world on the Pegasus Project, which revealed forensic evidence proving NSO Group’s spyware had been used to hack hundreds of people around the world included on a leaked list of 50,000 spyware targets, including heads of state, activists, journalists, and government critics including Jamal Khashoggi’s family.
Most recently, the organization published a report on a new mercenary spyware company believed to be developing surveillance tools to sell to unscrupulous governments.
Through their proactive investigations, the researchers identified a new spyware campaign targeting Android and iPhone users. Information shared by Amnesty with Google, which maintains the Android operating system, allowed Google security researchers to find and fix the vulnerabilities used in the attacks across a billion Android devices. Working with Google researchers, the Amnesty team also identified a related exploit chain being used to target iPhone users. The exploit was reported to Apple who rolled out an emergency fix for all iPhone users, stopping the attack in its tracks.
Another notable case involved an Azerbaijani journalist named Khadija Ismayilova, an outspoken activist who was harassed and jailed for her work on corruption within the Government. Amnesty found that her phone was being hacked over and over on a weekly basis with Pegasus zero-click exploits. The exploits would burrow into her phone so they could see all her messages and photos, putting her and those close to her at huge risk. When we uncovered and identified evidence of the hack, Khadija was devastated as she was already doing everything possible to protect her devices, herself and her sources. But a billion-dollar spyware company coupled with a powerful rights-abusing government can override the strongest security measures.
After uncovering the hack, we helped her to protect her phone and information. Amnesty’s findings in the Pegasus Project also upped the pressure on Apple to take proactive steps to protect individuals specifically targeted with advanced sophisticated spyware tools, and to use their resources to help protect these at-risk groups. Since then, Apple has started a notification program where they themselves will figure out who has been targeted by spyware tools and every few months, they will send out a new round of notifications to people at risk, along with advice on how to stay protected. This has been helpful to highlight which individuals or groups may be targeted by the spyware systems.
Protecting yourself from sophisticated spyware attacks
It is difficult to fully protect yourself from attacks, as many are subtle and difficult to identify. If you are an iPhone user, you can enable ‘Lockdown Mode’ – a new feature released by Apple following investigations by Amnesty and other civil society partners. Lockdown Mode is an opt-in enhanced-security mode which can prevent many forms of advanced spyware attacks. If you feel at risk of device hacking or seizure, it can be helpful to minimize the sensitive data you put on your phone – for example, using disappearing messages on Signal. Civil society members with concrete concerns about spyware targeting can reach out for expert support including from Access Now’s Digital Security Helpline as well as Amnesty’s own Security Lab.
I am proud of what we are achieving. Although these are challenging times, it is encouraging when you expose a new spyware campaign or fix a zero-day exploit chain, allowing a company like Apple to fix the issue for all iPhone users. It makes for a good day for human rights defenders who have one less threat to deal with, and a bad day for rights-abusing spyware companies who may have lost a zero-day chain worth millions of dollars or more!”
Top Image: Amnesty International members and supporters demonstrate against the presence of the NSO Group at the International Security Expo in London, 28 September 2021. The NSO Group’s Pegasus spyware has been used to target human rights defenders, journalists and Amnesty staff. © Amnesty International