Amazon Web Services (AWS) has blocked cloud accounts and shut down all the infrastructure belonging to NSO Group, Vice reported on Monday, citing the company's statement.
The above-mentioned publication was dedicated to the investigation into NSO's malware and phone numbers that may be targeted by NSO's government clients.
According to an investigation by seventeen media outlets from the United States, the United Kingdom, France, Germany and other countries, NSO Group's software Pegasus was used to hack smartphones that belonged to human rights activists and lawyers, journalists, business executives, and even two women who were close to journalist Jamal Khashoggi, who was assassinated at the Saudi consulate in Istanbul in October 2018.
"When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts," a spokesperson for AWS is quoted in the report as saying.
Amnesty International's forensic report published on Sunday said that NSO Group's software was found utilizing AWS's CloudFront infrastructure, a content-delivery network, "to deliver the earlier stages of their attacks" against targeted mobile devices during the forensic examination that resulted in the reports.
CloudFront infrastructure was reportedly utilized in the deployment of NSO's malware against targets, including on the phone of a French human rights lawyer. The switch to CloudFront also shields NSO from investigators and other outsiders attempting to look into the company's infrastructure.
"The use of cloud services protects NSO Group from some Internet scanning techniques," Amnesty's report added.
Previously, Amazon has reportedly been quiet on NSO's use of its infrastructure. The tech giant purportedly did not respond to media claims and requests regarding the reports of NSO using Amazon infrastructure to distribute malware in May 2020.
According to the Amnesty analysis, NSO also uses services from firms including Digital Ocean, OVH, and Linode.
On Sunday, the investigative organization Forbidden Stories alongside multiple media outlets released a series of reports based in part on a leak of more than 50,000 phone numbers reportedly chosen for possible surveillance by NSO's clients.
Later on Sunday, the UK news outlet the Guardian published a compilation of public statements by NSO and national governments regarding the Pegasus malware project.
"NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets. NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers," the statement read. "Due to contractual and national security considerations, NSO cannot confirm or deny the identity of our government customers, as well as identity of customers of which we have shut down systems."
According to the revelations made by outlets and activist groups, the spyware, which allows attackers to read all types of stuff on a target's phone, including encrypted messages, images, and GPS location data, can also activate microphones and cameras, effectively turning phones into mobile bugs that users are unaware of.
On installation, the malware is virtually untraceable, infecting phones using a zero-click attack, which requires no input from the phone's user to install and begin collecting data. However, Amnesty International said that the spyware leaves some traces that can be traced to tampering with the phone.