{
	"id": "61822cfe-bfa1-4ad0-a414-6b460c24b9fd",
	"created_at": "2026-04-06T00:16:35.101495Z",
	"updated_at": "2026-04-10T03:22:03.866673Z",
	"deleted_at": null,
	"sha1_hash": "be8a6e8a43ff25241494ec23a5f62f75a98b1a79",
	"title": "Amazon Shuts Down NSO Group Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50694,
	"plain_text": "Amazon Shuts Down NSO Group Infrastructure\r\nBy Joseph Cox\r\nPublished: 2021-07-19 · Archived: 2026-04-05 14:56:52 UTC\r\nAmazon Web Services (AWS) has shut down infrastructure and accounts linked to Israeli surveillance vendor\r\nNSO Group, Amazon said in a statement.\r\nThe move comes as a group of media outlets and activist organizations published new research into NSO’s\r\nmalware and phone numbers potentially selected for targeting by NSO’s government clients.\r\nVideos by VICE\r\n“When we learned of this activity, we acted quickly to shut down the relevant infrastructure and accounts,” an\r\nAWS spokesperson told Motherboard in an email.\r\nAmnesty International published a forensic investigation on Sunday that, among other things, determined that\r\nNSO customers have had access to zero-day attacks in Apple’s iMessage as recently as this year. As part of that\r\nresearch, Amnesty wrote that a phone infected with NSO’s Pegasus malware sent information “to a service fronted\r\nby Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months.” The\r\nAmnesty report included part of the same statement from Amazon, showing Amnesty contacted the company\r\nbefore publication.\r\nCitizen Lab, in a peer review of Amnesty’s findings, said in its own post that the group “independently observed\r\nNSO Group begin to make extensive use of Amazon services including CloudFront in 2021.”\r\nDo you work at NSO Group, did you used to, or do you know anything else about the company? We’d love to\r\nhear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR\r\nchat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.\r\nCloudFront is a content delivery network (CDN) that allows customers, in this case NSO, to more quickly and\r\nreliably deliver content to users. \r\n“Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos,\r\napplications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly\r\nenvironment,” CloudFront’s website reads.\r\nCloudFront infrastructure was used in deployments of NSO’s malware against targets, including on the phone of a\r\nFrench human rights lawyer, according to Amnesty’s report. The move to CloudFront also protects NSO\r\nsomewhat from researchers or other third parties trying to unearth the company’s infrastructure.\r\n“The use of cloud services protects NSO Group from some Internet scanning techniques,” Amnesty’s report\r\nadded.\r\nhttps://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure\r\nPage 1 of 2\n\nAmazon has previously remained silent on NSO using its infrastructure. In May 2020 when Motherboard\r\nuncovered evidence that NSO had used Amazon infrastructure to deliver malware, Amazon did not respond to a\r\nrequest for comment asking if NSO had violated Amazon’s terms of service.\r\nThe Amnesty report said NSO is also using services from other companies such as Digital Ocean, OVH, and\r\nLinode.\r\nOn Sunday, journalistic organization Forbidden Stories and its media partners published a series of stories based\r\nin part on a leak of more than 50,000 phone numbers that were allegedly selected by NSO’s clients for potential\r\nsurveillance.\r\nIn a statement to The Guardian, NSO said “NSO does not operate the systems that it sells to vetted government\r\ncustomers, and does not have access to the data of its customers’ targets. NSO does not operate its technology,\r\ndoes not collect, nor possesses, nor has any access to any kind of data of its customers. Due to contractual and\r\nnational security considerations, NSO cannot confirm or deny the identity of our government customers, as well\r\nas identity of customers of which we have shut down systems.”\r\nSubscribe to our cybersecurity podcast, CYBER.\r\nSource: https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure\r\nhttps://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure"
	],
	"report_names": [
		"amazon-aws-shuts-down-nso-group-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be8a6e8a43ff25241494ec23a5f62f75a98b1a79.pdf",
		"text": "https://archive.orkl.eu/be8a6e8a43ff25241494ec23a5f62f75a98b1a79.txt",
		"img": "https://archive.orkl.eu/be8a6e8a43ff25241494ec23a5f62f75a98b1a79.jpg"
	}
}