Facebook sues Israel’s NSO on alleged WhatsApp malware hack
WhatsApp and its parent Facebook Inc. sued spyware manufacturer NSO Group, alleging that the Israeli company used malware to hack into the mobile phones of 1,400 people and conduct surveillance.
Between January 2018 and May of this year, NSO created WhatsApp accounts that it used to send malicious code to targeted devices, according to the lawsuit filed Tuesday in federal court in San Francisco. The bogus accounts were created using telephone numbers registered in different countries, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands. Between roughly April 29 and May 10, NSO unleashed its code over WhatsApp servers targeting attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials, the suit said.
While NSO was unable to break WhatsApp’s encryption, the company developed its malware to access messages and other communications after they were decrypted on the targeted devices.
NSO Group disputed the allegations and said it would “vigorously fight them.”
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” the company said in a statement. “Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
Human rights groups and researchers have raised alarms for years about NSO Group, which makes mobile device surveillance software that ostensibly helps governments combat “terror and crime.” Activists, however, say governments misuse NSO’s products to target human rights defenders, journalists and critics.
Spyware makers don’t want to accept that their products are used by bad actors, said John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy.
“They want the credibility of having powerful intelligence services as their customers, but at the same time they want to take credit only for the alleged successes while disclaiming responsibility for any of the alleged abuses,” Scott-Railton said. “This lawsuit shatters the illusion of this unaccountable bubble.”
NSO said its technology helps government intelligence and law enforcement agencies thwart major terrorist attacks, bring home abducted children and stop pedophiles and other criminals.
“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited,” NSO said in the statement. “We take action if we detect any misuse. This technology is rooted in the protection of human rights – including the right to life, security and bodily integrity – and that’s why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.”
But U.S. whistle-blower Edward Snowden last fall accused the company of helping Saudi Arabia track and kill government critic Jamal Khashoggi.
Banks that arranged the buyout of NSO Group earlier this year have struggled to place the $500 million of debt they had committed to provide for the deal as many investors deemed the company too risky to touch. They were forced to fund the loans with their own cash before being able to offload the debt at a discount of 90 cents on the dollar.
WhatsApp is seeking an injunction against NSO Group that would bar the company from using WhatsApp and Facebook services. In a Washington Post op-ed, WhatsApp Chief Executive Officer Will Cathcart said that leaders of tech firms should, at a minimum, “call for an immediate moratorium on the sale, transfer and use of dangerous spyware.”
The lawsuit comes after WhatsApp revealed a security flaw in May that allowed “an advanced cyber actor” to deliver malware via WhatsApp by placing a call to a user. WhatsApp said it had patched the vulnerability. While it didn’t name NSO Group as the party exploiting the vulnerability, the Israeli group was widely believed to have been behind it.
Human rights groups, including Amnesty International and Citizen Lab, have accused the NSO Group of selling its malware to oppressive regimes for the purpose of watching dissidents. In December 2018, Saudi dissident Omar Abdulaziz sued NSO Group, claiming the company’s software enabled the Kingdom of Saudi Arabia to hack his phone and track his communications with Khashoggi, the murdered Washington Post journalist. NSO has said the Abdulaziz lawsuit makes a number of false claims.