Facebook has filed a lawsuit against Israeli company NSO Group, creator of the Pegasus spyware, alleging that it was behind the massive WhatsApp hack earlier this year.
In May 2019, a zero-day vulnerability was found in WhatsApp’s messaging platform, exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns. A new lawsuit by WhatsApp owner Facebook alleges that NSO Group developed the surveillance code and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices.
“As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and internet-hosting services that were previously associated with NSO,” said Will Cathcart, head of WhatsApp, in a Tuesday post. “In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”
The court documents say that the attack targeted at least 100 human rights defenders, journalists and other members of civil society worldwide. Cathcart says that NSO Group’s alleged moves violate various U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act. The lawsuit seeks to bar NSO Group from using Facebook and WhatsApp services, among seeking other unspecified damages.
“This should serve as a wake-up call for technology companies, governments and all internet users,” said Cathcart. “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
WhatsApp discovered in early May that attackers were installing surveillance software on iPhones and Android phones – by calling victims using the popular messaging service’s call function. WhatsApp is owned by Facebook and is used by 1.5 billion people globally. The messaging platform touts itself as a secure end-to-end encryption app for communications.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” a WhatsApp spokesperson said in a statement at the time.
While at the time WhatsApp did not specify the “private company,” reports pointed to the NSO Group, which is known for selling mobile spyware to governments and other third-parties.
At the time, NSO Group denied involvement in a statement to the BBC: “NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror…Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation.”
WhatsApp on Tuesday said that cyber security experts at the Citizen Lab, an academic research group based at the University of Toronto’s Munk School, helped them launch the investigation into the alleged WhatsApp hack.
Citizen Lab for its part said that during its investigation it identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, stemming from NSO Group’s spyware.
“The WhatsApp incident, and the more than 100 cases of abusive targeting that are associated with it, clearly verify the serious concerns Citizen Lab and others have raised,” according to Citizen Lab. “NSO Group spyware is being sold to government clients without appropriate controls over how it is employed by those clients. They are, in turn, using NSO’s technology to hack into the devices of members of civil society, including journalists, lawyers, political opposition, and human rights defenders—with potential lethal consequences.”
Neither Facebook nor NSO Group responded to a Threatpost request for comment.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
