Cyber Incident Victim: NSO Group

Date:

Oct 2017

Location:

Morocco

Summary

Human rights defenders in Morocco were targeted using NSO Group’s Pegasus spyware through malicious SMS messages and suspected network injection attacks aimed at compromising their mobile devices. The victims included a prominent academic and a lawyer involved in defending protesters from a social justice movement, with digital attacks intensifying during periods of state repression. These surveillance operations facilitated unlawful privacy violations and contributed to a restrictive environment that hindered freedoms of expression, association, and peaceful assembly for activists. The incidents reflected a broader pattern of Moroccan authorities deploying intrusive spyware against dissident voices, despite NSO Group’s claims of lawful use.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Beginning in at least 2017, two prominent Moroccan human rights defenders were subjected to targeted digital attacks utilizing NSO Group’s Pegasus spyware. Maati Monjib, an academic and freedom of expression activist, and Abdessadak El Bouchattaoui, a lawyer representing participants in the 2016-2017 Hirak El-Rif social justice protests, received malicious SMS messages containing links associated with Pegasus infrastructure. These messages were timed to coincide with heightened state repression against the protest movement, particularly during peak periods of legal activism and public dissent. Amnesty International’s forensic analysis confirmed Monjib’s devices showed traces of repeated targeting through these SMS-based exploits, which attempted to compromise mobile devices and install spyware upon interaction. Additionally, technical evidence suggested network injection attacks aimed at Monjib’s mobile network, though conclusive attribution of these specific attacks to NSO Group remained undetermined due to insufficient evidence. The attacks persisted over an extended period, reflecting a sustained surveillance campaign against individuals engaged in human rights advocacy.

The surveillance operations directly impacted the targeted individuals’ ability to exercise fundamental rights, exacerbating existing state repression documented through penal code misuse against activists. Amnesty International verified that at least one network injection attack successfully compromised Monjib’s iPhone, enabling unauthorized access to private communications and data. The targeting correlated with the victims’ professional activities: Monjib’s advocacy on freedom of expression and El Bouchattaoui’s legal defense work during the Hirak El-Rif crackdown. These incidents formed part of a broader pattern where Moroccan authorities systematically restricted civic space through both legal harassment and covert surveillance tools. Amnesty International publicly documented the technical indicators of compromise, including malicious domain associations and attack timelines, while urging potential victims to report similar targeting. NSO Group’s stated policies restricting spyware use to lawful purposes were contradicted by these documented cases of abuse against civil society actors, though the company provided no transparency regarding internal investigations or corrective actions following these disclosures. The operations demonstrated how commercially developed spyware facilitated violations of privacy and freedom of expression through targeted digital surveillance.
