WhatsApp sued Israeli surveillance firm NSO Group, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials.
In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook, accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.
WhatsApp said that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse”.
NSO denied the allegations.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
WhatsApp said the attack exploited its video calling system to send malware to the mobile devices of a number of users.
The malware would allow NSO’s clients – said to be governments and intelligence organisations – to secretly spy on a phone’s owner, opening their digital lives up to official scrutiny.
The lawsuit said the software could hijack devices using the Android, iOS, and BlackBerry operating systems.
“A user would receive what appeared to be a video call, but this was not a normal call,” WhatsApp head Will Cathcart said.
“After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”
NSO Group’s flagship malware, called Pegasus, allows spies to effectively take control of a phone – remotely and surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal and geolocation data.
WhatsApp is used by some 1.5 billion people monthly and has often touted a high level of security, including end-to-end encrypted messages that cannot be deciphered by WhatsApp or other third parties.
Citizen Lab, a cybersecurity research laboratory based at the University of Toronto that worked with WhatsApp to investigate the phone hacking, said that the targets included well-known television personalities, prominent women who had been subjected to online hate campaigns and people who had faced “assassination attempts and threats of violence”.
Neither Citizen Lab nor WhatsApp identified the targets by name.
Governments have increasingly turned to sophisticated hacking software as officials seek to push their surveillance power into the furthest corners of their citizens’ digital lives.
Companies like NSO say their technology enables officials to circumvent the encryption that increasingly protects the data held on phones and other devices.
But governments only rarely talk about their capabilities publicly, meaning that digital intrusions like the ones that affected WhatsApp typically happen in the shadows.
Lawyer Scott Watnik called WhatsApp’s move “entirely unprecedented”, explaining that major service providers tended to shy away from litigation for fear of “opening up the hood” and revealing too much about their digital security.
He said other firms would be watching the progress of the suit with interest.
“It could certainly set a precedent,” said Watnik, who chairs the cybersecurity practice at the Wilk Auslander law firm in New York.
The lawsuit seeks to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services and seeks unspecified damages.
NSO’s phone hacking software has already been implicated in a series of human rights abuses across Latin America and the Middle East, including a sprawling espionage scandal in Panama and an attempt to spy on an employee of the London-based rights group Amnesty International.
NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.
Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology.
Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defence revoke NSO’s export license to “stop it profiting from state-sponsored repression”.
NSO has recently tried to clean up its image after it was bought by London-based private equity firm Novalpina Capital earlier this year.
In August, NSO co-founder Shalev Hulio appeared on 60 Minutes and boasted his spyware had saved “tens of thousands of people”.
He provided no details.
In another interview early this year with Israeli daily Maariv, Hulio said Khashoggi was “not targeted by any NSO product or technology”.
“As a human being and as an Israeli, what happened to Khashoggi was a shocking murder,” he said.
NSO has also brought on a series of high-profile advisers, including former Pennsylvania governor Tom Ridge and Juliette Kayyem, a senior lecturer in international security at Harvard University.
Last month, NSO announced it would begin abiding by UN guidelines on human rights abuses.