In October 2019 Amnesty International published the report “Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware”, where we detailed the targeting of Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui using surveillance technology produced by the company NSO Group. In this current report, Amnesty International now reveals that Omar Radi, another prominent human rights defender and journalist from Morocco was also targeted using NSO Group’s tools.
Omar Radi. Photo Fanny Hedenmo
The Moroccan authorities have lately intensified their crackdown on peaceful dissent, with arbitrary arrests and prosecutions of individuals, including journalist Omar Radi, rappers and YouTubers, many of whom have been targeted simply for criticizing the King or other officials. Since November 2019, Amnesty International has documented ten cases of activists who have been unlawfully arrested and prosecuted. All ten individuals have been charged with "offending" public officials or institutions, the King or the Monarchy, all of which are crimes under Morocco’s Penal Code. Between November 2019 and March 2020, all ten were handed prison sentences ranging from a four-month suspended sentence to a four-year prison sentence. Amnesty International has called on the Moroccan authorities to drop the charges and free those sentenced for exercising their right to free expression, and to reform the criminal code to decriminalize these forms of protected expression.
Omar Radi is an award-winning Moroccan investigative journalist and activist who has worked for several national and international media outlets, including Atlantic Radio and TelQuel. His work has investigated the links between corporate and political interests in Morocco, touched on corruption and other human rights abuses in the country, and often tackled the persistence of impunity and the lack of justice there.
Amnesty International’s Security Lab performed a forensic analysis of Omar Radi’s phone and found traces suggesting he was subjected to the same network injection attacks we first observed against Maati Monjib and described in our earlier report. Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period in which he was prosecuted. This illustrates how human rights defenders (HRDs) often have to deal with the twin challenges of digital surveillance and other tactics of criminalisation at the hands of the Moroccan authorities, leading to a shrinking space for dissent.
Network Injection, rogue cell towers and NSO
The lack of transparency around the surveillance industry makes it difficult to know what tools are being used, sold, purchased and abused, and therefore for victims and watchdogs to seek accountability. Despite this, our research so far has shed light on how NSO’s technologies have evolved. Until early 2018, NSO Group’s customers were found primarily using SMS and WhatsApp messages in order to trick targets into opening a malicious link, which would result in exploitation and infection of their mobile devices. As we documented in our October 2019 report, Amnesty International first observed attackers adopting new techniques to more stealthily and effectively deliver the malware. Using what we describe as “network injections”, attackers are now capable of installing the spyware without requiring any interaction by the target.
Whereas previous techniques relied to some extent on tricking the user into taking an action, network injections allow for the automatic and invisible redirection of targets’ browsers and apps to malicious sites under the attackers’ control, most likely without the victim noticing. These sites then rapidly leverage software vulnerabilities in order to compromise and infect the device.
This is only possible where attackers are able to monitor and manipulate the Internet traffic of the target. In both Omar and Maati’s cases all injections happened while using their LTE/4G mobile connection.
This type of attack is possible using two techniques: deploying a device commonly referred to as a “rogue cell tower”, “IMSI Catcher” or “stingray”, or leveraging access to the mobile operator’s internal infrastructure. It is currently unclear which of these two options was used against Omar and Maati.
However, NSO Group’s network injection capabilities were briefly described in a document named "Pegasus – Product Description" – apparently written by NSO Group – that was found in the 2015 leak of data from the competing Italian spyware vendor Hacking Team. More recently, in January 2020, Business Insider reported on mobile interception technology NSO Group exhibited during Milipol, an event and trade show on homeland security held in Paris in November 2019.
Photo Becky Peterson/Business Insider
The picture displays what appears to be a model of a rogue cell tower sold by NSO Group – a tool which could be used in the first of the two above-identified techniques to bring about a network injection attack.
These devices act as portable base stations and impersonate legitimate cellular towers in order to trick phones in the vicinity into connecting to them, enabling the attacker to manipulate the intercepted mobile traffic. The rogue cell tower in the picture seems to be composed of different cards stacked horizontally, likely to allow the operators to intercept over multiple frequency bands for GSM, 3G and 4G networks. As NSO Group’s exhibition booth at Milipol simulated, this electronic equipment can be quite small in size and easily transported and hidden in small vehicles.
Alternatively, attackers can similarly intercept and hijack the mobile Internet traffic of targeted smartphones if they can leverage access to the victim’s mobile operator. In this case, instead of placing a rogue cell tower in the vicinity of the target, attackers would rely on the existing network infrastructure of the mobile operator used by the target.
In sum, previous attacks against HRDs documented by Amnesty in Morocco have raised the possibility of NSO tools being used in network injection attacks. It is also clear from publicly available information that NSO Group sells network injection capabilities. Taken together with the technical evidence that we detail in the next section, showing overlaps in timing, recovered forensic artifacts and attack infrastructure linked to previous surveillance attacks in Morocco using NSO tools, this strengthens the evidence linking NSO's network injection tools to this attack.
Omar Radi targeted with network injections between January 2019 and January 2020
Our previous analysis of Maati Monjib’s phone indicated the execution of malicious software on it from early 2018 until at least June 2019. While between 2017 and 2018 he was targeted through SMS messages carrying malicious links tied to NSO Group, in our report from October 2019 we described how Maati Monjib’s phone appeared to have been subjected to malicious redirects while he was navigating the Internet using the Safari browser. We argued that those redirects were symptomatic of network injection attacks which manipulated unencrypted web traffic in order to force Maati Monjib’s browser to visit an exploitation site, located at the domain free247downloads[.]com, without his knowledge.
While analysing Omar Radi’s iPhone, we found traces of the same domain. Forensic artefacts that Amnesty International extracted from the device suggest that network injection attacks occurred on 27th January, 11th February and 13th September 2019.
In addition to the same exploitation site, we identified in Radi’s phone the same evidence of execution of malicious software that we had recovered from Maati Monjib’s phone. This gives us additional evidence that the same spyware was used in both cases, which we believe – based on infrastructure overlaps and the characteristics of the links used – to be NSO Group’s Pegasus.
The following timeline records the key dates linked to NSO Group’s spyware in Morocco. Forensic evidence recovered from both phones shows the links between the different stages of the attacks.
And below, a graphic depicting the network injection attack on Omar’s phone observed while he was visiting a website in clear text (HTTP and not HTTPS):
On 2nd October 2019, as part of our publication process, we provided NSO Group with an advance copy of the findings from our report “Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware” and gave them an opportunity to respond to the revelations in the report. According to data collected by the Internet survey service Censys.io, the attacker-controlled infrastructure associated with subdomains of free247downloads[.]com was shut down by 6th October 2019, after nearly uninterrupted operation since its first appearance a year earlier: just days after we notified NSO of our findings, but before our publication on 10th October 2019.
Additionally, our analysis of Omar’s phone revealed traces of similar network injections as recently as 29th January 2020. These most recent attempts involved the new, previously undisclosed, domain name urlpush[.]net.
The domain name urlpush[.]net was only registered on 6th November 2019, several weeks after our previous publication, suggesting that our publication may have pushed the attackers to change infrastructure.
In sum, while the timing alone is suggestive of a link to NSO, the technical details of the attacks, including that both sites redirect to the same website and that the attacks share several matching execution and forensic artefacts, are strong evidence linking NSO Group’s tools to the targeted attack on Omar Radi.
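As an added example that is not part of the Amnesty report, the following Python check looks in a browser history export for the artefact pattern described above: a clear-text HTTP page visit followed within seconds by a visit to one of the two exploitation domains named in this report. The history records, timestamps and URL paths are constructed for illustration; the domain indicators are those the report names.

```python
# Added example (not Amnesty's own tooling): flag the network-injection
# trace described in the report in a list of (url, timestamp) history records.
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicator domains from the report, kept defanged; refanged for matching.
INDICATORS = ["free247downloads[.]com", "urlpush[.]net"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".")

def matches_indicator(host: str, indicators=INDICATORS) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for ind in map(refang, indicators):
        if host == ind or host.endswith("." + ind):
            return True
    return False

def find_injection_traces(history, window=timedelta(seconds=5)):
    """Return (origin_url, injected_url, gap_seconds) triples: a plain-HTTP
    visit followed within `window` by a visit to an indicator domain."""
    hits = []
    visits = sorted(history, key=lambda v: v[1])
    for i, (url, ts) in enumerate(visits):
        if urlparse(url).scheme != "http":
            continue  # only clear-text traffic can be rewritten in transit
        for next_url, next_ts in visits[i + 1:]:
            gap = next_ts - ts
            if gap > window:
                break
            if matches_indicator(urlparse(next_url).hostname or ""):
                hits.append((url, next_url, gap.total_seconds()))
    return hits

# Constructed sample history (not real data): (url, timestamp) pairs.
T0 = datetime(2019, 1, 27, 10, 0, 0)
SAMPLE_HISTORY = [
    ("http://example.org/news", T0),
    ("https://abc.free247downloads.com/payload", T0 + timedelta(milliseconds=300)),
    ("https://example.net/", T0 + timedelta(minutes=3)),
    ("https://abc.urlpush.net/x", T0 + timedelta(minutes=10)),  # no HTTP origin nearby
    ("http://example.com/", T0 + timedelta(minutes=20)),
    ("https://example.com/", T0 + timedelta(minutes=20, seconds=1)),  # benign upgrade
]

if __name__ == "__main__":
    for origin, injected, gap in find_injection_traces(SAMPLE_HISTORY):
        print(f"{origin} -> {injected} after {gap:.1f}s")
```

Only the first pair is flagged: the urlpush[.]net visit has no clear-text origin inside the window, and the HTTP-to-HTTPS upgrade of the same site is not an indicator match.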