The human rights organization suspects the attack against its employee this summer was conducted by a "government hostile to its work," it said on Wednesday.
The attacks against the employee came in the form of WhatsApp messages in Arabic, apparently urging the staffer to attend a protest in Washington, DC, outside the Saudi Arabian embassy. The messages contained links to an external website; the group's technology team traced the linked URL back to a website that installs Pegasus software on the devices of those who visit it. Pegasus, a powerful surveillance tool, basically takes over an entire mobile device.
Pegasus was discovered just two years ago in August 2016 after a failed attempt to install it on the phone of United Arab Emirates human rights activist Ahmed Mansoor via a message promising him the goods on UAE torture. The spyware, once in effect, secretly allows a third party to review text messages, track calls, collect passwords, trace GPS locations, and review information from Gmail, Facebook, WhatsApp, Telegram and Skype accounts from the victims' phones.
Pegasus was made by the Israeli firm NSO Group. According to a New York Times review of internal documents, the company charges governments $650,000 to hack 10 iPhone or Android phone users; $500,000 for five BlackBerry users; and $300,000 for five Symbian users — all in addition to a one-time $500,000 installation fee. The company also cuts deals for governments with big target lists, charging only $800,000 to hack 100 phones.
The company's commercial proposals say that Pegasus offers "unlimited access to a target's mobile devices" and "leaves no traces whatsoever."
"Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism," NSO Group said in a statement to Amnesty. "Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts and the values that we stand for as a company," they added, promising to investigate the claims.
At least one other attempt was made to hack the Amnesty staffer's device, and a third is suspected but unconfirmed. They all came in June 2018 as Amnesty was campaigning for the release of six jailed women's rights activists in Saudi Arabia. One of the messages copied word for word an Amnesty press release about women's newly granted rights to drive in the country.
Amnesty said they identified another Saudi activist who received a message similar to one of the ones sent to their staffer.
"The message sent to us seems to be part of a much broader surveillance campaign, which we suspect is being used to spy on human rights activists worldwide and prevent their vital work," said Joshua Franco, Amnesty's head of technology and human rights. "The potent state hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance."
"Defending human rights is not a crime," he said.