This story was originally published on Dec. 9, 2021
The phones of at least four activists who are critical of their government in Kazakhstan were found to have been infected with software developed by Israeli spyware firm NSO Group, a forensic analysis by Amnesty International’s Security Lab said Thursday.
Three of the four had received prior warning from Apple at the end of November that their iPhones could have been infected by a “state-sponsored attacker.” NSO’s clients are usually state intelligence agencies from around the world. Its Pegasus spyware can provide clients with remote access to successfully hacked phones.
Amnesty did not identify who the client could be in this case.
An NSO spokesperson told Haaretz that as “Amnesty chose to publish accusations in the media, rather than provide us with the information for the purpose of thorough investigations … we cannot refer to an alleged report we have not seen, published by an organization that has been known for publishing false accusations against NSO.”
An Israeli man was killed in clashes in Kazakhstan on Friday, the day the country's president ordered forces to use lethal fire amid anti-government protests. The demonstrations, which began Januray 2 as a response to a fuel price hike have swelled into a broad movement against the government and ex-leader Nursultan Nazarbayev.
Over the summer, an international consortium of journalists, led by Paris-based NGO Forbidden Stories in collaboration with Amnesty International’s Security Lab, published a major investigation into a leak of 50,000 potential targets selected for possible snooping by NSO’s clients. Reports at the time said that up to 2,000 of them were linked to Kazakhstan, with potential targets including a former prime minister and current President Kassym-Jomart Tokayev.
- ‘Trust the Dictator’: Israel’s New Method of 'Supervising' Cyber Arms Exports
- Targeting U.S. Officials Could Mean Death Sentence for Israeli NSO
- Israel Issues Stricter, but Vague, Guidelines for Cyber Exports After NSO Scandal
Tokayev became president of the Central Asian country in 2019 after being named the successor of strongman Nursultan Nazarbayev, who nominally resigned after almost three decades’ rule. Nazarbayev still retains key leadership roles and remains head of the country’s security council, maintaining what Reuters terms ”sweeping powers.”
According to Amnesty International’s Security Lab, the four devices were “infected from as early as June 2021” – just as the global investigation, which Haaretz was a part of, was being published.
Amnesty’s lab examined nine phones in all, and four were found to have been infected. The victims belong to a progressive civil society group called “Wake up, Kazakhstan” (“Oyan, Qazaqstan”) and their phones were “infected with the spyware between 3 and 5 June 2021,” Amnesty stated. It added that the “surveillance campaign continued until at least July 2021.”
Apple began notifying victims at the end of November that their phones may have been compromised. Three of the four targets had received such messages but the fourth had not, indicating that there may be additional victims in Kazakhstan.
The notifications followed news that the U.S.-based tech giant had filed a lawsuit against NSO, accusing it of helping its clients break into Apple’s mobile software, iOS, through an “exploit” of its iMessage service.
Last week, Reuters and others reported that anywhere between nine and 11 U.S. State Department officials working in Uganda and using non-U.S. phone numbers were also targeted.
NSO has recently been blacklisted by the U.S. Department of Commerce, along with another Israeli cyberware firm called Candiru. NSO was likely placed on the U.S. blacklist because its software was allegedly used by one of its clients to target the U.S. officials.
NSO Group told Reuters last week that it did not have any indication that its tools were being used against U.S. officials, but said it canceled access for the relevant customers and would investigate the claims made in the report.
“If our investigation shall show these actions indeed happened with NSO’s tools, such customers will be terminated permanently and legal actions will take place,” an NSO spokesperson said, adding that NSO will also “cooperate with any relevant government authority and present the full information we will have.”
NSO has long said it only sells its products to government law enforcement and intelligence clients, helping them monitor security threats, and is not directly involved in surveillance operations.
Historically, some of its best-known clients have included Saudi Arabia, the United Arab Emirates and Mexico.
Israel’s Defense Ministry must approve export licenses for NSO – which has close ties to Israel’s defense and intelligence communities – in order for it to sell its technology globally.
In a statement given to Reuters, the Israeli Embassy in Washington said the targeting of U.S. officials would be a serious breach of its rules.
“Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counterterrorism and severe crimes,” an embassy spokesperson said. “The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions.”
Kazakhstan is in the midst of a crackdown on social media, claiming recently that it had reached a deal with Facebook’s Meta to allow it to take down posts. Meta denied the claim, which came as the country advanced “data localization” legislation that would allow such actions.
Reuters contributed to this report.