Cyber Incident Victim: Amnesty International
Date: Jun 2018
Location: Saudi Arabia
Summary
Amnesty International was targeted in a sophisticated cyber espionage campaign involving malicious WhatsApp messages containing Saudi Arabia-related bait, which delivered links distributing mobile spyware. A staff member and a Saudi activist abroad received these messages, with forensic analysis revealing connections to over 600 suspicious domains linked to Pegasus spyware infrastructure operated by NSO Group. The organization later publicly disclosed the domain network to aid security research.
Description
In June 2018, Amnesty International identified a targeted digital attack when a staff member received a malicious WhatsApp message containing Saudi Arabia-themed bait content with embedded links. Forensic analysis indicated these links were designed to distribute advanced mobile spyware. During their investigation, Amnesty discovered a Saudi activist residing outside Saudi Arabia had also been subjected to identical malicious messaging attempts. Technical examination of the attack infrastructure revealed connections to a network of over 600 suspicious domain names. These domains exhibited significant overlap with previously documented Pegasus spyware infrastructure, a commercial surveillance system developed and sold by the Israel-based NSO Group. The Pegasus platform was known for enabling sophisticated device exploitation and persistent monitoring capabilities. Amnesty's findings confirmed the exploitation attempts leveraged infrastructure consistent with NSO Group's operational patterns, though the specific intrusion success rate against targets wasn't disclosed. The malicious messages represented a direct attempt to compromise devices belonging to individuals associated with the organization's human rights work.

Amnesty International conducted a comprehensive technical investigation into the incident, systematically mapping the attack infrastructure and confirming its association with Pegasus spyware. Following evidence collection, the organization maintained the domain information privately for two months as a grace period before public disclosure. On 01 October 2018, Amnesty released the complete list of identified domains to the cybersecurity research community through GitHub and PassiveTotal platforms. This public disclosure aimed to facilitate broader analysis of NSO Group's infrastructure and enhance collective defense mechanisms against similar attacks. The incident demonstrated the operational targeting of human rights defenders using commercially available surveillance tools, though specific impacts on Amnesty's systems or data breaches weren't detailed in the available reporting. Amnesty's response focused on technical attribution and coordinated vulnerability disclosure rather than internal containment measures.
