WhatsApp is suing an Israeli company that it claims was behind a cyberattack that installed spyware on users’ phones and targeted human rights defenders, journalists, political dissidents, diplomats and government officials.
The Facebook-owned messaging service filed the complaint against NSO Group in US federal court on Tuesday.
“This should serve as a wake-up call for technology companies, governments and all internet users,” WhatsApp chief Will Cathcart wrote in an op-ed in The Washington Post on Tuesday.
“Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk,” he said.
NSO, a company that manufactures, distributes and operates surveillance technology, used WhatsApp servers located in the United States and elsewhere to send spyware to about 1,400 smartphones and devices in April and May, according to the WhatsApp complaint. The targets included “at least 100 human rights defenders, journalists and other members of civil society across the world,” according to Cathcart.
The malware was intended to conduct “surveillance of specific WhatsApp users,” the complaint said. Targets were located in places such as Mexico, the United Arab Emirates and the Kingdom of Bahrain. NSO’s clients include government agencies in those countries, as well as private entities, according to the complaint. The complaint, however, does not name any defendants aside from NSO Group and its parent company, Q Cyber Technologies.
NSO Group said in a statement Wednesday that it disputes the allegations and “will vigorously fight them.”
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists,” the company added.
WhatsApp first acknowledged the attacks in mid-May, saying at the time that it had discovered and fixed the vulnerability exploited by the hackers. It asked users to update their apps to close the loophole.
The attack prompted WhatsApp to launch a months-long investigation, working with the University of Toronto’s Citizen Lab, which volunteered to help the messaging platform identify cases where suspected targets of the attack were members of civil society.
The investigation revealed that attackers installed NSO’s flagship spyware, known as Pegasus, on smartphones by making a WhatsApp call to victims, according to WhatsApp and Citizen Lab. The victims didn’t even have to answer the call for their phones to be infected.
Citizen Lab says that there are multiple ways the devices could be infected, and not all are known yet.
Once Pegasus was installed, it began contacting servers controlled by Pegasus operators and sending back the victim’s private data. That data included passwords, contact lists, calendar events, text messages and live voice calls from popular mobile messaging apps, according to Citizen Lab, which published the findings of its research on its website Tuesday.
An operator could even turn on an infected smartphone’s camera and microphone to capture activity happening near the phone, and use the GPS function to track a target’s location and movements.
WhatsApp chief Cathcart wrote that the attacks were “highly sophisticated,” but the attackers’ attempts to cover their tracks weren’t entirely successful.
They “used servers and internet-hosting services that were previously associated with NSO. In addition … we have tied certain WhatsApp accounts used during the attacks back to NSO,” Cathcart said.
Citizen Lab said that among the many companies it has tracked, “NSO Group stands out in terms of the reckless abuse of its spyware by government clients.”
Although NSO’s technology is marketed as a tool to assist governments in lawful investigations into crime and terrorism, Citizen Lab said it “has identified dozens of cases where journalists, human rights activists and defenders, lawyers, international investigators, political opposition groups, and other members of civil society have been targeted with Pegasus.”
In the statement issued by NSO Group, the company says its technology has helped save thousands of lives in recent years by aiding law enforcement, and respects all fundamental human rights.
“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse,” it said.
WhatsApp and parent company Facebook are asking the court for damages of at least $75,000 plus attorneys’ fees and any other damages to be proven at trial.
The companies are also asking for an injunction against NSO Group, which would bar the company and anyone affiliated with it from accessing WhatsApp or Facebook’s services, which includes creating and maintaining accounts on the messaging and social media platforms.