Witness from Amnesty International: Episode 6 – Unknown Number

Amnesty International has launched a brand new podcast series ‘Witness from Amnesty International’. The series introduces listeners to the organization’s Research and Crisis Response teams – whose investigations take them to some of the most dangerous and volatile places on earth.

TANYA: An activist working on human rights in Saudi Arabia receives a text message from an unknown number. My brother’s in trouble, it reads. Please look at our case. Here’s a link for more information. The message itself is not unusual or weird. The activist receives information about new cases in Saudi Arabia all the time, but something doesn’t feel right.

We’ve all had that feeling. Receiving a phishing e-mail message. But for this activist, the stakes are way higher. Clicking this link could jeopardise not only their work, but the lives of the people they are trying to protect. Their gut says something isn’t right. And so they decide to send the message off for analysis.

DANNA: I always wonder what triggers that for people. Whatever it was this person was like, that’s a bit weird. I’m going to send it to the tech team.

TANYA: Danna Ingleton is the Deputy Director of Amnesty Tech, the research programme I run here at Amnesty.

Her job is supporting human rights activists in the face of repressive surveillance, and the activist who received the fishy message in this case was actually an Amnesty staff member.

DANNA: Their work was so important and so disruptive for a repressive regime that they paid a lot of money to specifically try and target them.

They really wanted this staff member.

What our technologists did was basically clicked on the link and when you clicked on it, he basically was able to follow where in the internet they went and it went to what had already been previously exposed as part of the NSO Pegasus network.

And I remember just like pause, pause this. Are you telling me that this staff member was actually targeted with Pegasus? And he was like, yep, that’s what we have.

TANYA: Pegasus. A fairly anodyne name for a computer software programme, but this is in fact a highly sophisticated cyberweapon, the flagship software of the Israeli security company NSO Group.

Their website says they developed spying technologies to help, quote, government agencies prevent and investigate terrorism, saving thousands of lives. But over the past few years, we’ve seen Pegasus showing up on an increasing number of phones belonging to activists and journalists.

I’m Tanya O’Carroll and this is Witness. In this episode: how Amnesty’s team of hackers detect spyware that’s designed to be undetectable, and take on one of the world’s most sophisticated cyber security companies.

DANNA: I laugh a little bit because I’m so keen on following the stuff that when news comes about, I think it’s a big deal. But I think the reality is, is that the world doesn’t understand yet why it’s a big deal.

TANYA: You know, I work on a team essentially of hackers, which isn’t exactly traditional for Amnesty International. So how did you get to the point where in your career you found yourself working with a team of hackers?

DANNA: Yeah, it’s a really good question. And I think I came to it out of pure necessity. I was getting really frustrated that we were always responding right. The risk happened. Then we did something. And often it meant the repressive regime winning. So, I just personally started getting really interested in how we do preventative work, how do we identify those threats? How do we identify those risks? I mean, spyware and malware are used by pretty much all governments around the world. And that’s actually what’s really tricky about the work that we do, because this stuff isn’t, by its nature, illegal. Governments use this stuff to fight terrorism, bust major crime rings. The problem is, is that because it’s used for those things, it’s often licensed or protected under national security laws and regimes. So we don’t have any accountability. There is no due diligence. We don’t know what judges are making decisions on who are legitimate targets. But the interesting piece about spyware and malware and the international surveillance industry, is that most governments don’t have the capability to make it themselves. So there’s a number of companies and their sole business is developing spyware, selling it to governments to use and helping them use it. And what we’ve been finding lately is that a lot of human rights defenders and civil society are actually being targeted with this stuff.

And that’s why it’s become a major source of human rights issue.

TANYA: All around the world human rights activists and journalists are under attack because of the work they do. Many live with the threat of arrest, of their offices being raided or relentless harassment by organized troll campaigns on social media. The kind of spyware NSO has built has changed the game, introducing a whole new landscape of threat.

In a small room full of computers and mobile phones in central Berlin, tech expert and hacker Raed Labassi is examining a phone which may have been targeted by Pegasus.

This is the Amnesty Security Lab and while it gets a reputation as some kind of batcave for good hackers, it doesn’t look much different from a regular office.

RAED: We’re just, we’re just people sitting all day in front of laptops and computers and playing with phones, playing with some devices. All the technical work is done here. Also, the planning, strategizing about how to tackle certain missions and research missions, especially when it’s dealing with surveillance, is done here.

TANYA: The security lab has been tracking Pegasus for more than a year, trying to build up an understanding of how this intrusive spyware operates. At its most basic, it’s relatively simple.

RAED: It’s just an sms message. Honestly, it’s just an SMS message first that contains links that point to what we call the payload. The aim is to make the person click on these things. So once the person clicks on this link, the exploit is executed and access is granted to the device.

DANNA: If you do click on the link, it basically takes you to a place in the internet that is a website. And when you access that website that URL, it will download the spyware onto your phone. But those websites are disguised. It looks like BBC. It looks like Reuters. I mean, it looks like websites that you would totally expect, except for when you get there, they install the spyware and then they direct you to that actual site. So you don’t even know this has happened.

RAED: Then once the spyware is delivered, it gives complete access to the device.

So no matter if you use, like, end-to-end encryption, Signal, WhatsApp… anything… they will see what you are typing because they have access to the device.

They have everything on the device. Access to the microphone, to the camera, to the passwords and IDs that you use for your e-mails.

DANNA: And then the operator can look around, find whatever they want and give information to their client. So the operator being NSO group, the client being whatever country has purchased the spyware.

TANYA: So it’s like carrying a spy around in your pocket?

DANNA: And it’s a spy that sometimes, you know, it’s there. Sometimes you don’t know it’s there. But they can literally get anything about you. I mean, think about the emails to your children, the emails to your parents, your financial information, your tax information. I mean, everything on your phone, they can have access to. And then not to mention just live action listening like, they can turn the mic on, they can turn the camera on. And can you imagine the fear of thinking that actually at any moment you could be being recorded. This is a purchased big brother and nobody’s batting an eyelash that this is going on.

TANYA: The targeting of one of our own staff members with Pegasus spyware hit home. We already knew NSO posed a major threat to human rights activists around the world. But now we had direct evidence that Amnesty was a target. We could take things to a new level.

DANNA: Actually, we’ll never forget that meeting was just like, holy shit, this. I mean, that is insane. Like we are one of the biggest human rights organizations in the world. We talk about events, repressive regimes all over the place. That was really stupid of them to actually target us because we can initiate a huge campaign and activism against them.

Sometimes when we work in technology, everyone thinks it’s just about the computer and just about the code. But actually, our work is about human interaction, human response, human feelings. I mean, we have to navigate that constantly. So, I had spent a lot of time after that really going through with a staff member…this is what I’m talking about. This is what I mean. This is what it is. And really starting to also understand the fear that comes out when you think you are targeted. Right, you just get so scared.

TANYA: We decided to send the case to NSO and ask for a response.

And we got one.

DANNA: We sell to governments and we sell to them to fight crime and terrorism. And we’re not involved in targeting. For me, it was kind of a strange dichotomy.

TANYA: So in a sense, that response is basically we just provide the software, the government did the bad thing. Take it to the government. How did you then, like knowing that that’s a very slippery response, where did you take this next?

DANNA: We basically submitted the affidavit of evidence. Israeli citizens putting forward the petition with our lawyer based on our story.

TANYA: Then on the very day that the team were going to publicly announce they were taking NSO to court, Danna got another phone call.

DANNA: Someone from WhatsApp wanted to chat. There was something happening and they were talking to a number of other security researchers and security advocates and had discovered that NSO had basically changed the way they could target activists.

So normally you would get a link and you would have to click on it. What they figured out, though, was that now by exploiting a certain vulnerability in WhatsApp code, they could basically just send it like you would get a missed call on WhatsApp and then your phone would be infected with Pegasus. No, like zero click, no action from you. Just a missed call. And what they discovered is that this was happening at night when they assume people’s phones would be off. So they were doing it, specifically at times where they know that where that defender was and that they would be asleep.

TANYA: And one of the targets of this new zero click bait? Another lawyer involved in bringing a case against NSO in Israel. At this moment, it became clear the NSO were going to put up a serious fight.

DANNA: For a really long time, it was really weird for NSO to make any public kind of comments. With the escalating cases against them, with escalating evidence coming out. And then the WhatsApp vulnerability where they were really in the spotlight. And like, let’s remember, they are a secretive spyware company. They don’t want to be in the spotlight. Like, that is bad. And they really started engaging. The game changed. They were making comments. They were talking to journalists. They were talking about human rights. And what happened next was really interesting.

TANYA: NSO began to wage a PR offensive, even putting out a human rights policy, a first of its kind in the industry. But even as they started paying lip service to human rights, the thrust of their argument basically stayed the same. Don’t blame us. We’re not responsible for what our clients do.

Then a new lead emerged. Pegasus appeared to be live in Morocco. The team knew a number of high profile Moroccan activists in France and decided to reach out to do some device testing and see if they could gather new evidence.

RAED: Morocco is a very interesting case because it is well-known in the community that Morocco is one of the countries that invest a lot in surveillance technology, so we were very certain that Morocco was a client of NSO Group.

TANYA: What was the brief that you were given? What was this mission?

RAED: Yeah. You had the occasion to go in and collect evidence on NSO use and NSO spyware. But actually going and meeting someone who was under surveillance, and then contacting someone who was under surveillance, is not as easy as it looks.

You can’t say anything about the subject on the phone. You need them to confirm meeting with you without really knowing why they are meeting you. These kinds of spyware have the capacity of deleting all the evidence and deleting even itself. So if they know that we are looking for this, they would delete all the evidence and we will not have anything. So I took a plane to go and meet these two contacts in France.

We had arranged to meet the first person in this hotel. The rendezvous point was in crowd, the downtown model.

It was very, very crowded.

We had arranged with the hotel to have like some private space for the afternoon, and I wanted to get him comfortable to talk to me about anything like just start with anything. I don’t want to get to cut to the chase directly because I need an introduction before saying anything about surveillance and all. And also, I needed to say it away from the phone. Of course, we had coffee talking a little bit about Tunisia, Morocco and everything and all the common points.

And then I told him, OK, I have something I want to discuss with you and I want to do it away from the phones. So he was like, Yeah, why? I told him, yeah, let me explain it to you away from the phone. Just can you give me your phone? So I put the phones in the other room and then I told him, OK, so I’m a technologist. I’m interested in analysing your device.

TANYA: The next step was for Raed to analyse the phone for any suspicious messages urging the client to click on certain links.

RAED: I don’t remember how many messages I collected, but all of them were sent like same day to the lab, directly to the lab.

And some of them came back positive, that they contained an NSO domain, so like the first day we had this information. But like, targeting does not give you enough knowledge to come up with a solution to prevent intrusion and to prevent infection.

TANYA: NSO had targeted the first activist, but he hadn’t clicked anything. Pegasus wasn’t live on the phone. Danna and Raed’s hope was that a second activist would provide the opportunity to catch a live infection. It had to work or the mission would have been wasted.

RAED: I said to myself, yeah, the second one has to be well done and then we need to collect as much evidence as we can. And so I prepared everything the day before with the guys in contact with the guys from the lab who were like on the line during this whole mission. I was in constant contact with the guys here. We had all the tools ready. We tested them on my phone. And then we were like, yeah, this one, we’ll get it. We’ll get it right this time.

We had to take many trains to go and meet this person at his family-in-law’s house in this really, really, really small village in the south of France.

And all his family were like really Amnesty activists and members of Amnesty that knew about Amnesty and all.

So we got directly to the chase. Hey, let’s analyse the phone.

DANNA: There was something wrong, something fishy about the log codes on the phone. They were gone. They were disappeared. And it was like, wait. Those should be there.

TANYA: If a device is exploited, crash log files should be created. The fact that they were completely gone in this case meant it was likely that the attacker had cleaned up after themselves.

DANNA: Going back to how Pegasus works, it communicates with websites that put the spyware on the device. So we can catch a live infection if we can prove that the device is communicating with those websites, if it’s communicating with the Pegasus network.

So what they ended up doing was backing up the entire device. And then in real time…. I mean, think about this. Raed was sitting with defenders, looking at their phone, trying to figure out how would we get more information. And at the exact same time, our technologists in Berlin were sitting behind their computers writing a bunch of code to help solve the problems that were in front of Raed.

And what they ended up doing was writing a code where we would back up the device, run this code against it, and it would basically search all of the messages, the SMSs and the WhatsApps on the phone to see if there were any nefarious links… to see if they had been sent something. We hadn’t done that before. And then they realised, well, actually with the zero click vulnerability that was exposed in the WhatsApp incident, there might not be a link. So we’re searching for something that is old school technology.

So then they figured out that they would want to actually run a different script that would check the browser history of the computer just to see if the computer in its history had ever communicated with anything in that in the Pegasus network.

RAED: Took me two full days to do this. Three full days and then next thing up with the contact like until 1:00 or 2:00, 2:00 a.m. I did transfer some of it to the lab so that they could analyse it on the fly because the person was very aware of phishing attacks and SMS attacks. So he was not clicking on all the baits that were sent to him. So they tried something else on him. They tried this new type of attack that did not involve him clicking on the link. It’s what we call an injection attack. They can, like, intercept the network communication of the victim and replace it. For example, if you ask for Yahoo.com, another address gets sent to you with the malicious website. We finally had evidence of not only targeting but evidence that the targeting had occurred in a novel way. We knew now a new way of infecting human rights activists in Morocco.

TANYA: Not only had they found evidence of targeting and infection with the second activist, they now also had evidence that NSO were using a new method to target victims.

DANNA: There’s this I don’t know how I can tell, but when I get that message from Raed like, hey, do you have a sec? Hey, can you talk? It’s like I get chills. I’m like, well, what did you find? Like, I can tell in his tone, even in texts when it’s like, I want to actually get some random thing or it’s like I’ve got something and I’ll get that text message and I just drop everything. So I get to a private secure location. What do you got? What did you find?

They have figured out a way to kind of watch your phone, inject the spyware onto the phone, get what they want and uninstall itself. So there’s no way that anyone would be able to prove live infections. But they can just pop into your phone, get whatever they want, and then they can leave.

It is an escalation of the dangerousness of this technology. It’s an escalation in their ability to violate human rights. And it’s really dangerous.

TANYA: So you’ve been working for about a year on this kind of cat and mouse game with NSO. What’s that process been for you psychologically?

DANNA: It’s one of those things about working in human rights is that you’re really passionate about what you’re doing. This isn’t just a job. I really, truly believe that NSO needs to be held accountable. And every time we discover something or when we take a major action, the case was filed. We published the report. It felt like winning. It felt like finally like we have impact. But then they just keep coming back at us with an answer. And, you know, I do get worried, obviously. I mean, they did target another lawyer working on cases against them. You know, every time I got a suspicious message, I’m immediately sending it to my colleagues. I have briefed my friends that if they receive strange messages to tell me and that’s you know, that’s a difficult conversation to have with people. They’re playing a pretty dirty game with us. And I’m not quite ready to let that intimidate us from continuing the work.

RAED: I mean, I can protect myself maybe. And I’m aware of these risks. But many people who work on this field, they don’t know this and they don’t know how to protect themselves. My mission is to come up with solutions against this and to reduce the risk of them being attacked or being hacked, because using this kind of technology, this is very high end technology. And the exciting part in this work is that we always like face evolving technology, that technology evolves who we need to be up to date and to also evolve in our protection against these attacks.

TANYA: The case Amnesty helped bring against NSO went to court in January. Unfortunately, despite our efforts, a gag order was instated, meaning none of the court proceedings are public.

We are anxiously awaiting a verdict still. In the meantime, it’s more vital than ever that the shady surveillance industry be reined in. You can join our campaign by visiting amnesty.org/stopspying.

Amnesty’s Witness is hosted by me, Tanya O’Carroll, and this episode was produced by Sarah Cuddon with original music by Stephen Coates. Special thank you to Danna Ingleton and Raed Lebassi.

Update since recording of this episode

On 12 July, Tel Aviv District Court rejected a legal action, supported by Amnesty International that sought to force Israel’s Ministry of Defence to revoke NSO Group’s export license. Please see here for more information. The campaign to stop NSO selling its technology to human rights abusers continues.