Amazon Web Services shuts down infrastructure linked to Pegasus vendor NSO Group

In two separate reports, Amnesty International and Citizen Lab confirm Amazon’s connection to NSO’s Pegasus malware and include the location of servers used by the Israeli company. 

Amazon Web Services (AWS) on Monday shut down infrastructure and accounts linked to Pegasus vendor NSO Group, Amazon said in a statement to Vice.

On Sunday, it emerged that several Indian activists, journalists, politicians, and their acquaintances may have had their communications targeted for interception by the government with the help of NSO’s Pegasus spyware, which is only sold to nation-states. These revelations are the outcome of a collaboration called Pegasus Project comprising more than 80 journalists from 17 media organisations in 10 countries coordinated by Forbidden Stories.

“We shut down the infrastructure referenced in this report that was confirmed to be supporting the reported hacking activity, in accordance with our terms of use,” an AWS Spokesperson told MediaNama.

Why this matters: While India has long been suspected of being a Pegasus buyer, the scale and nature of surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns or organised crime dealings, for which surveillance is usually sanctioned. The targets include journalists and activists critical of the government, politicians from the opposition, and officials in the Election Commission and Supreme Court.

Read: Pegasus Spyware: All The Latest Facts On Who Was Targeted, The Modus Operandi, And More

What is Amazon’s role here?

Amnesty International: Amnesty International’s Security Lab, which provided technical support to the Pegasus Project, published a forensic investigation on Sunday that revealed NSO’s Pegasus malware sent information from an infected iPhone “to a service fronted by Amazon CloudFront.” Amnesty also found that the same CloudFront domain was contacted to execute, download and launch additional malicious components onto an iPhone.

According to Amazon’s website, “CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally.”

After NSO’s Version 3 infrastructure was abruptly shut down in August 2018 following Amnesty’s report that one of its staff members was targeted with Pegasus, NSO began rolling out its Version 4 infrastructure in September 2018. But the Version 4 infrastructure began going offline in early 2021 following the Citizen Lab’s report which disclosed multiple domains, Amnesty stated. “The shutting down of the V4 infrastructure coincided with NSO Group’s shift to using cloud services such as Amazon CloudFront to deliver the earlier stages of their attacks. The use of cloud services protects NSO Group from some Internet scanning techniques,” Amnesty said.

The report also stated that the servers used by NSO were mostly located in European data centers run by American hosting companies like:

  • Digital Ocean (142 servers)
  • Linode (114 servers)
  • Amazon Web Services (73 servers)

Citizen Lab: University of Toronto’s Citizen Lab, which conducted a peer review of Amnesty’s findings, reported that “Amnesty’s described methodology for linking the activity they observed involving Amazon CloudFront servers to the NSO Pegasus killchain is sound.” The lab also “independently observed NSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”

Vice: Amazon’s connection to NSO is not new. In May 2020, when Vice “uncovered evidence that NSO used Amazon infrastructure to deliver malware, Amazon did not respond to a request for comment asking if NSO had violated Amazon’s terms of service,” Vice stated.

Meanwhile, NSO has maintained that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” The group also refused to identify its customers “due to contractual and national security considerations.”

Updated (20 July, 2:20 PM): Added comments from AWS Spokesperson to MediaNama, removed comment given to Vice.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
