Facebook has filed a lawsuit against the NSO Group, accusing the Israeli cybersurveillance firm of using WhatsApp to spread spyware to 1,400 mobile devices in 20 countries from April through May. While the tech giant didn't say who it believes NSO's client was, the attacks focused on devices located in Mexico, Bahrain and the UAE. WhatsApp did reveal, however, that the victims included 100 journalists, some prominent female leaders, human rights activists and political dissidents.
In a statement sent to Engadget, the NSO Group has strongly denied that it had a hand in the attacks. It also claimed that its surveillance technology called Pegasus, which it sells to governments around the world, is being used to save lives:
"In the strongest possible terms, we dispute today's allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.
The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO's technologies provide proportionate, lawful solutions to this issue.
We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights -- including the right to life, security and bodily integrity -- and that's why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights."
The WhatsApp attackers inserted Pegasus into victims' phones by calling them -- the victims didn't even have to pick up the phone to be infected. Facebook's lawsuit says that while the spyware isn't capable of breaking WhatsApp's encryption, it can access the messages after they've been decrypted on the receiver's device.
The NSO Group previously confirmed that Pegasus was used to target the phone of a British lawyer, who contacted Citizen Lab and kickstarted the investigation that led to this lawsuit. That lawyer had represented plaintiffs who accused NSO of providing the tools to hack the phones of a Saudi Arabian dissident, as well as of Mexican journalists, among others. The company, however, denied that it uses its own technology to "target any person or organization." Pegasus, it said, is solely operated by "intelligence and law enforcement agencies," or its clients, in other words.
WhatsApp head Will Cathcart, however, explained that the company is confident NSO was behind the attacks in a piece published by The Washington Post. "[W]e learned that the attackers used servers and Internet-hosting services that were previously associated with NSO," he wrote. "In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful."
He also wrote:
"NSO has previously denied any involvement in the attack, stating that 'under no circumstances would NSO be involved in the operating... of its technology.' But our investigation found otherwise. Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act...
...NSO said in September that 'human rights protections are embedded throughout all aspects of our work.' Yet it maintains that it has no insight into the targets of its spyware. Both cannot be true. At a minimum, leaders of tech firms should join U.N. Special Rapporteur David Kaye's call for an immediate moratorium on the sale, transfer and use of dangerous spyware."