WhatsApp: AWS leased infrastructure to NSO Group beginning in 2018

The manufacturer of the powerful zero-click Pegasus software allegedly rented space on Amazon Web Services (AWS) servers from December 2018 through at least October 2020, a longer and earlier time frame than has previously been reported.

In July 2021, Amnesty International’s Security Lab indicated the relationship between the two companies began in “recent months.” However, by subpoenaing the cloud computing giant, messaging service WhatsApp discovered that NSO Group’s leasing of AWS storage space actually began in 2018, according to an NSO Group court filing on Friday.

NSO Group partially acknowledged WhatsApp’s claim, saying in the filing that at “certain times” prior to January 2021, the AWS server was “being used by NSO’s research and development department, to house computer code that comprised part of the Pegasus system.”

AWS’s relationship with NSO Group continued until December 2021, though NSO Group said in the filing that after January 2021 “the AWS Server was leased to NSO but was unused and contained no data.” From December 2021 to October 2023, NSO said it leased space from AWS to support only its information technology department’s work maintaining internal computer networks.

After Amazon was alerted by Amnesty researchers in May 2021 that its services were being used to target human rights officials with Pegasus spyware, the company “acted quickly to shut down the relevant infrastructure and accounts,” an AWS spokesperson said.

WhatsApp sued NSO Group in 2019, alleging it had facilitated Pegasus surveillance of about 1,400 of its users across a period of two weeks. Journalists, human rights activists, political dissidents, diplomats and senior foreign government officials are among the alleged victims.

WhatsApp and NSO declined to comment. 

The U.S. government has become increasingly focused on combating spyware and in 2021 placed the NSO Group on its entities list, which requires companies to adhere to strict licensing requirements and other regulations. 

For most of the time AWS allegedly hosted Pegasus source code, the spyware was far less significant a concern for policymakers than it is today. This dynamic may partially explain why the U.S. government would not have sought to force a U.S.-based cloud company to turn over the code in July 2021, when the AWS relationship to NSO Group was first revealed by Amnesty, experts said.

It is unlikely AWS knew its infrastructure was storing Pegasus source code, said Winnona DeSombre, a non-resident fellow at the Atlantic Council.

“Cloud services may scan for malware hosted across their services, but they won’t be looking for source code,” DeSombre said. 

She added that NSO Group may not have used its real corporate name to sign up for the cloud services. That possibility underscores arguments made by proponents of a stalled “know your customer” executive order that would require cloud providers to do more to verify the identity of those they allow to use their infrastructure.

In the next several weeks, NSO Group said it will produce “documents showing the full functionality of what the Court has defined as the ‘relevant spyware,’” according to the Friday filing.

The judge in the case previously ruled that the “relevant spyware” encompasses “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access target devices.”
