WhatsApp Spyware Attack: Uncovering NSO Group Activity


John Scott-Railton with Citizen Lab, who helped WhatsApp investigate the NSO Group over the alleged WhatsApp hack, said the subsequent lawsuit is a “certified big deal.”

On the heels of Facebook filing a lawsuit against Israeli company NSO Group — alleging that it was behind the massive WhatsApp hack earlier this year — privacy experts say that the move is “popping the unaccountable bubble” that commercial spyware companies have carved out for themselves.

After disclosing the lawsuit, WhatsApp said that cybersecurity experts at the Citizen Lab, an academic research group based at the University of Toronto’s Munk School, helped it launch the investigation into the alleged hack, which so far has impacted approximately 1,400 mobile devices. Citizen Lab, for its part, said that during its investigation it identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, stemming from NSO Group’s spyware.

John Scott-Railton, senior researcher at Citizen Lab, led the charge on the investigation into NSO Group and the alleged WhatsApp hack. The lawsuit by WhatsApp parent company Facebook against NSO Group, he said, is a “certified big deal” and will have widespread implications for commercial spyware companies in general.


Below is a lightly-edited transcript of the podcast.

Lindsey O’Donnell: Hi, everyone. Welcome back to the Threatpost Podcast. You’ve got Lindsey O’Donnell here with Threatpost and I’m joined today by John Scott-Railton, senior researcher at Citizen Lab. Hi, John, thanks so much for joining us.

John Scott-Railton: Hi, how are you? Good to be here.

LO: Good. So we’re going to talk a bit about a big news item that broke this week, which was WhatsApp owner Facebook filing a lawsuit against the NSO Group for allegedly hacking WhatsApp back in May. And before we start, I wanted to just give a quick intro to John for our listeners. As I mentioned, he’s a senior researcher at the Citizen Lab. His work focuses on technological threats to civil society, including targeted malware operations, cyber militias and online disinformation. And John has done everything from investigating the “Great Cannon” which was – if anyone remembers – the government of China’s nation-scale DDoS attack, all the way to investigating the Pegasus spyware developed by the NSO Group, which led to the uncovering of the first iPhone zero day and remote jailbreak seen in the wild. So broad scale overview there, John, hopefully I covered most of it.

JSR: Sure. I think so. And it’s important to point out that my work benefits from having excellent colleagues. And everything that we do at the Citizen Lab is highly collaborative. So for example, the work that we’ve done on the NSO Group and on commercial spyware, all of it is done in close partnership with my colleagues, especially Bill Marczak, a senior fellow at the Citizen Lab.

LO: Absolutely. So speaking of the Pegasus spyware and NSO Group, let’s just set the context a little bit here because you’ve been studying and investigating trends around the NSO Group for a long, long time here. Can you tell us, just to start, what is the NSO Group?

JSR: NSO Group, which sometimes goes by other names, like Q Cyber Technologies, is one of the many companies that has sprung up to sell what they refer to as lawful intercept spyware, but what I think is more correctly described as spyware that they allegedly only sell to governments. They’re most known for this product called Pegasus, which again, sometimes goes by other names. It’s basically a sophisticated package of different forms of access to phones, different vectors. And then, you know, kind of full access to a telephone – anything a user can do, plus a few things that users can’t really do, like remotely enabling the microphone, pulling off group chats and photos, and so on.

LO: Now, I believe it was back in 2018, you did a study about the Pegasus spyware and reported that at that point in time, it had infiltrated at least 45 different countries around the globe. And by the way, six of those countries had used surveillance malware in the past to abuse human rights. So this is a pretty big issue and it really ties into that civil society and human rights issue, as well, that we’re seeing with tech too.

JSR: Yeah. So if you look at this case, we spent the last several months volunteering to help WhatsApp understand the civil society implications of the targeting that was taking place. And one of the things that we discovered is that there was this extensive targeting of folks and civil society in at least 20 countries, ranging from journalists and human-rights defenders, to lawyers, to women who’ve been the victims of cyber-violence, to prominent religious figures of multiple faiths.

I think our conclusion at this point is that we’ve got this kind of unique window into what happens when governments get unaccountable access to people’s private communications. And the answer is, some of them will abuse and some of them will abuse a lot.

LO: Right. That’s a really good point. And I want to talk a little bit more about your investigations around this case, but just to give our listeners context here, this is all springing out of a zero-day vulnerability that was found in May 2019 in WhatsApp’s messaging platform, and that was exploited by attackers, who were able to then inject spyware onto victims’ phones. As John was saying, various different targets were impacted by this. And what was scary about the vulnerability to me was that attackers were able to install surveillance software on iPhones and Android phones just by calling victims. So after this happened, John, can you tell us a little bit about the steps that took place and how Citizen Lab launched its investigation into this incident?

JSR: So the initial incident was reported back in May, when WhatsApp said that it had been looking and found something that concerned missed video calls, and that it was looking into it but it had shut down the vulnerability. Since that time, we’ve spent months working with data given lawfully and under some pretty confidential protections from WhatsApp to the Lab, to try to understand the scope and scale of the civil society targeting, as well as to get a better understanding of what has happened.

More recently, we’ve been conducting outreach with the sets of victims in this case that fit within Citizen Lab’s mandate. And the picture that’s coming out is this broad-scale global abuse problem, folks who really maybe had no idea that their governments were targeting them or others who had been the victim of lots of other kinds of threats and harassment; including assassination attempts, or the family members of people who’ve been assassinated. So these things started coming out, and we realized the scale of the problem that we were looking at. At the same time, what’s remarkable about what has happened — and I think it’s pretty precedent setting — is that WhatsApp went ahead and filed suit against NSO, which is a certified big deal.

A lot of companies do a lot of work behind the scenes to try to protect their users from NSO — WhatsApp is no exception. What is exceptional is the fact that they put their litigators where their mouth is, and are taking this very muscular approach to user privacy.

It’s also really interesting to think that companies that sell spyware have tried to construct an unaccountable bubble for themselves. On the one hand, they’d like the world to think that they have a certain credibility by virtue of the fact that they sell to governments. By the same token, they want to disclaim any responsibility for the abusive things that governments wind up doing with their technology. So it’s kind of a “have their cake and eat it too.” And WhatsApp has said, A, that doesn’t fly. But B, if you read WhatsApp’s complaint, it looks like they’re saying that NSO itself is responsible for a lot of this activity. So it’s not just customers using a product. It’s NSO itself, facilitating and enabling this. It’s a huge deal, very precedent setting.

LO: Right. That’s a really good point about putting out this lawsuit and the impact that will have and I know too there have been previous lawsuits against the NSO Group. I think it was back in 2018, there was a Saudi dissident who had been targeted by this Pegasus spyware who filed a lawsuit. So how do you think that this one will be different? Is it because WhatsApp and Facebook and those combined forces are so much bigger and have more of the brand impact there?

JSR: Well, I think there are a couple things that are different. One of the first things to think about is that WhatsApp has a lot of resources. And they’re also sitting on evidence. The past lawsuits come from a place where victims have been notified, say, by Amnesty International or the Citizen Lab, that something has happened, that they’ve been targeted. And this has permitted NSO to claim, well, the evidence is questionable [and] turn it into a debate about that. What’s different is that WhatsApp has the logs, right? They’ve got the tapes, and this is just a very different legal position to be in. It’s also the case that commercial spyware firms like to be bullies and like to use the legal system and legal threats sometimes to bully. And in this case, suddenly, there’s a much bigger player in the room. It’s like somebody’s cousin has showed up on the playground. And has told the bully, hold on, not so fast.

LO: So in the complaint, Facebook mentioned that so far the malware was discovered to be on 1,400 mobile devices. And then you guys had looked further into specifically the human-rights defenders and journalists who were targeted. And as you said, you found at least 100 cases of that. Can you talk a little bit more about those specific human rights targets there and what you found there?

JSR: Yeah, so the targeting set is distressingly predictable at this point for anybody looking into the victimology of commercial spyware. You have prominent religious figures. You’ve got human-rights defenders, journalists who have investigated official corruption. People who’ve clearly run afoul of powerful interests. You’ve got lawyers defending victims of human-rights abuses. The Financial Times reported yesterday that some of the targets who’ve been contacted include people who have been the targets of what appears to be a coordinated extrajudicial killing program, linked to an African country. So the cases are deeply troubling.

It’s also really important to note that while we’ve talked about a certain number of these cases, we think the total number of abuse cases will grow now that victims have been contacted by WhatsApp. It’s also really important to realize that there are multiple things that go on with this spyware, and that the companies that sell it would have you believe that primarily, these are tools for fighting crime, and that abuses are kind of unexpected. What you do see though, when you look into the victimology of the targeting by private surveillance companies, what you end up seeing is a lot of state-on-state surveillance. So something closer to guerrilla signals intelligence conducted with mobile phone malware. And I think you can expect that this case is not that different. In other words, don’t assume that there’s a dichotomy between crime fighting versus abuses. Assume that this is a powerful tool that states in many cases will want to use for espionage against other states. And they will also want to use it for espionage sometimes against their own citizens. Of course, this doesn’t mean there aren’t cases of criminal investigations. It just means that we shouldn’t fall into a simplistic way of thinking about what’s going on. And we certainly shouldn’t buy the marketing hype that this is just for investigating terrorists or evildoers.

LO: That’s interesting that you mentioned that, because that’s exactly what NSO outlined in their statement coming out against the lawsuit yesterday. I’ll quote part of the statement:

The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies the law-enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.

So I think that’s an interesting statement, in that it ties back to your thoughts earlier on spyware being marketed as a legitimate tool here. And there’s really not a way to reel that in and find any sort of regulation around that.

JSR: And in a sense, here’s part of the problem with that statement. Big technology platforms do provide lawful mechanisms to request user data, but this ain’t that. And so to suggest that they’re providing a lawful mechanism, what they’re really just doing is providing a hacking tool, and then claiming that they’re really not responsible for how it’s used. And it’s just the case that this stuff has a baked-in problem with abuse. As ever is, if you provide an unaccountable surveillance technology, it will get abused and we can see this brief window which is not that long of a period, and there’s just a surprising amount of abuse and targeting. And most of it, we don’t think really looks like what NSO is describing.

More importantly, and this is, again, something that shows up in WhatsApp’s lawsuit, what NSO does is provide not only this technique, but as the lawsuit seems to suggest, and again, I’m no lawyer, but that actually the data is first going to stop at what NSO controls rather than governments. So this is very different than what happens when a government makes a lawful request of a company to get information. And we know that companies have those mechanisms in place. This is really something that subverts that. And sure enough, when you provide certain governments with the ability to subvert a process that has any kind of oversight, you’re going to get abuse. I think we should be very careful when you see these claims. It’s been the case for almost a decade, that when commercial surveillance technologies are confronted with abuse, they talk about terrorists, child pornography and drug rings — and nobody is going to say that those groups of people are not a problem that states shouldn’t be technologically equipped to investigate. The issue is here that you try to wrap in something with this abuse potential again and again, it will look increasingly hollow. And I think that’s what’s happening within those claims.

LO: I guess looking at NSO Group and looking at other commercial spyware vendors, is there going to be a way to hold them accountable in the future? Do you think that this is going to be kind of a staple case that will change things, or do you think that a lot more is going to need to happen? And if so, what else needs to happen? I mean, between regulations, laws, is there anything really that can mitigate this issue?

JSR: As our director Ron points out, the way to solve this kind of thing is with all the different stakeholders, governments and companies and civil society. Unfortunately, because of the way that the surveillance industry is wired, its abuses happen as much as possible in total darkness and as NSO’s statement suggested, right, it’s difficult to investigate in the context of encrypted messaging. Truth is a pretty scarce commodity. And what we and others are trying to do is bring a little bit of truth to light to this obscure, deliberately obscure world, so that all different stakeholders can engage in a serious conversation about what needs to happen. If you look at NSO’s statement, another thing that they claim is that they’re aligned and working to align themselves with U.N. principles. What’s interesting is that the U.N. Special Rapporteur has cast serious doubt on the seriousness with which they’re doing that.

I think in practice, the problem here is that right now, it’s a bit of a Wild West. And up until this point, spyware companies have carved out an unaccountable bubble for themselves. I think WhatsApp is popping that bubble. I think we can expect to see a lot of other companies taking a look at what WhatsApp has done, and probably wondering about whether they should do something similar.

LO: You know, when I was looking at this case, it reminded me [of] the FTC last week coming out and saying that it banned the sale of three “stalkerware” apps that were marketed to monitor kids and employees, unless the developers of those apps could prove that the apps would be used for legitimate purposes. So while those two situations are different, I think that the fact that an agency is trying to hold the developers here accountable, and trying to propose solutions to make this more legal, I thought there were some ties in there.

JSR: So I think that in general, one thing to think about this case is that it provides a window into what happens when states get unaccountable access. And this is all happening in the context of a larger discussion about whether there should be baked-in backdoors to encrypted technology platforms. And I think what’s interesting about this is, this is the first case we’ve gotten where we have a bit of an objective overview and a sample of what happens when states think that they have this discreet access that they completely control. And I think the answer is, you just have a huge problem with abuse. And I think that this really needs to be part of the conversation and part of the evidence-driven conversation about how abuses happen. We shouldn’t take folks’ words that these technologies are only used to go after a certain kind of criminal evildoer.

LO: Was there anything else regarding your investigation into NSO Group as it relates to the WhatsApp case that you wanted to mention — anything else that stuck out to you that was really interesting?

JSR: It is continually surprising to us as we work through these cases, just how bad and depraved some of the targeting is. So multiple prominent women in multiple countries who were the victims of cyber-violence getting targeted with this stuff adjacent to that. It’s troubling. It looks unaccountable. And frankly morally abhorrent. I think that there’s a deep moral problem with the surveillance industry right now.

And the writing is clearly on the wall that the world has taken notice. Clearly also, it’s become apparent that companies like WhatsApp are willing to take a pretty muscular approach towards protecting their users. For years, there have been legal claims against spyware companies. And those claims have had the challenge that the evidence comes from researchers and others. What is such a historic milestone is that one of the companies on whose platforms which NSO’s technology has clearly been used and abused at scale, is willing to bring their resources and their evidence to the table and I think it’s a pretty historic win for human rights, wherever the lawsuit goes, that they would do it. It sends a very clear signal.

LO: Right. Well, we will see what happens in the future, especially with the impact of this lawsuit from Facebook and WhatsApp towards NSO Group. That’s to be seen at this point. But for now, John, thank you again for joining us on the Threatpost podcast. Really appreciate it.

JSR: Thanks so much and watch the space as we continue investigating this case.

LO: Absolutely. And once again, this is Lindsey O’Donnell here with John Scott-Railton, a senior researcher at the Citizen Lab. Catch us next week on the Threatpost podcast.
