Amnesty International revealed this week that its Security Lab has uncovered a “sophisticated hacking campaign by a mercenary spyware company.” They say it has been running “since at least 2020” and takes aim at Android smartphones using a number of “zero-day” security vulnerabilities. (A “zero-day” vulnerability is one that is unknown to the vendor at the time it is exploited, so no patch or mitigation yet exists for it.)
Amnesty International disclosed the details of the campaign to Google’s Threat Analysis Group, so that Google, as well as other affected companies including Samsung, has since been able to release the necessary security patches for their devices.
Amnesty International’s Security Lab is responsible for monitoring and investigating companies and governments that employ cyber-surveillance technologies to threaten human rights defenders, journalists, and civil society. It was instrumental in uncovering the extent to which NSO Group’s Pegasus Spyware was used by governments around the world.
While the Security Lab continues to investigate this latest spyware campaign, Amnesty International is not revealing the company it has implicated (though Google suggests it’s Variston, a group it discovered in 2022). Either way, Amnesty International claims that the attack has “all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company and sold to government hackers to carry out targeted spyware attacks.”
As part of the spyware campaign, Google’s Threat Analysis Group discovered that Samsung users in the United Arab Emirates were being targeted with one-time links sent over SMS. If they opened the link in the default Samsung Internet Browser, a “fully featured Android spyware suite” that was capable of decrypting and capturing data from various chat services and browser applications would get installed on their phone.
The exploit relied on a chain of several vulnerabilities, some of them zero-days and others already known but still unpatched on Samsung devices, which reflects badly on Samsung. A fix for one of the already-known vulnerabilities had been available since January 2022 and for the other since August 2022. Google contends that if Samsung had shipped those security updates, “the attackers would have needed additional vulnerabilities to bypass the mitigations.” (Samsung released the fixes in December 2022.)
With that said, one of the zero-day vulnerabilities would also allow hackers to attack Linux desktop and embedded systems, and Amnesty International suggests that other mobile and desktop devices have been targeted as part of the spyware campaign, which has been ongoing since at least 2020. The human rights group also notes that the spyware was delivered from “an extensive network of more than 1000 malicious domains, including domains spoofing media websites in multiple countries,” which lends credence to its claims that a commercial spyware group is behind it.
Although it is not yet clear who the targets of this attack were, according to Amnesty International, “human rights defenders in the UAE have long been victimized by spyware tools from cyber-surveillance companies.” For example, Ahmed Mansoor was targeted by spyware from the NSO Group and jailed as a result of his human rights work.
As well as the UAE, Amnesty International’s Security Lab found evidence of the spyware campaign in Indonesia, Belarus, and Italy, though it concludes that “these countries likely represent only a small subset of the overall attack campaign based on the extensive nature of the wider attack infrastructure.”
“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” says Donncha Ó Cearbhaill, head of the Security Lab, in the statement on Amnesty International’s website. “While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis. We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists.”
At least in the United States, the government seems to agree. President Biden signed an executive order on March 27 blocking federal agencies from using spyware “that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”