On Thursday, Amnesty International released a new report exposing attempted hacks against two Serbian journalists, allegedly carried out using NSO Group’s spyware Pegasus.
The two journalists, employed by the Serbia-based Balkan Investigative Reporting Network (BIRN), received suspicious text messages containing a link, in what was essentially a phishing attack, according to the nonprofit. In one instance, Amnesty’s researchers were able to click on the link in a secure environment and discovered that it led to a domain previously identified as part of NSO Group’s infrastructure.
“Amnesty International has been tracking NSO Group’s Pegasus spyware and its use in targeting activists and journalists for years,” said Donncha Ó Cearbhaill, the head of Amnesty’s Security Lab, in an interview with TechCrunch. “This technical research has enabled Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign.”
As Ó Cearbhaill pointed out, security researchers who have been monitoring NSO’s activities for years have become adept at detecting signs of the company’s spyware, often requiring only a quick glance at a domain involved in an attack.
In essence, NSO Group and its customers are struggling to maintain their covert operations.
“NSO has a fundamental problem: they are not as skilled at hiding as their customers believe,” John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, told TechCrunch.
There is concrete evidence supporting the views of Ó Cearbhaill and Scott-Railton.
In 2016, Citizen Lab published the first technical report documenting an attack carried out with Pegasus, which targeted a United Arab Emirates dissident. Since then, in under 10 years, researchers have identified at least 130 individuals worldwide who have been targeted or hacked with NSO Group’s spyware, according to a running tally by security researcher Runa Sandvik.
The large number of victims and targets can be partially attributed to the Pegasus Project, a collective journalistic initiative to investigate abuse of NSO Group’s spyware, which was based on a leaked list of over 50,000 phone numbers that were allegedly entered into an NSO Group targeting system.
However, dozens of victims have also been identified by Amnesty, Citizen Lab, and Access Now, a nonprofit that helps protect civil society from spyware attacks, without relying on the leaked list of phone numbers.
An NSO Group spokesperson did not respond to a request for comment, which included questions about Pegasus’ invisibility, or lack thereof, and whether NSO Group’s customers are concerned about it.
Apart from nonprofits, NSO Group’s spyware continues to be detected by Apple, which has been sending notifications to victims of spyware worldwide, often prompting those who received the notifications to seek help from Access Now, Amnesty, and Citizen Lab. These discoveries have led to more technical reports documenting spyware attacks carried out with Pegasus, as well as spyware made by other companies.
Perhaps NSO Group’s problem lies in the fact that it sells to countries that use its spyware indiscriminately, including against reporters and other members of civil society.
“The OPSEC mistake that NSO Group is making here is continuing to sell to countries that are going to keep targeting journalists and end up exposing themselves,” Ó Cearbhaill said, using the technical term for operational security.