In May 2019, Facebook revealed its discovery of an “advanced cyber actor” that was spying on some users of its massively popular, end-to-end encrypted WhatsApp messaging app.
WhatsApp users were getting hacked due to what’s known as a zero-click vulnerability: one that allowed attackers to silently install spyware just by placing a video call to a target’s phone.
WhatsApp quickly fixed the vulnerability, and now it’s going after the maker of the cyberweapon it says is behind the attack – an attack that let somebody or somebodies call vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.
On Tuesday, WhatsApp publicly attributed the attack to NSO Group, an Israeli company that sells off-the-shelf spyware and which also goes by the name of its parent company, Q Cyber Technologies.
Also on Tuesday, WhatsApp filed a complaint in the US District Federal Court in Northern California, accusing NSO of “unlawful access and use” of WhatsApp computers.
In a statement published by the Washington Post, Will Cathcart, head of the Facebook-owned WhatsApp, said that responsible companies report vulnerabilities, instead of exploiting them, and that companies have no business selling services to anybody who launches attacks.
“At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us. Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others.”
Pegasus allegedly flies again
The lawsuit specifically refers to NSO Group’s notorious Pegasus – a type of spyware known as a remote access Trojan (RAT).
Pegasus enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.
According to the lawsuit, NSO couldn’t get its spyware past WhatsApp encryption. In order to hack the messaging app, NSO created a Pegasus version that didn’t require that targets be spearphished with a rigged link.
Rather, NSO allegedly formatted call initiation messages containing malicious code to make the calls look legitimate, as if they originated from WhatsApp’s signaling servers. By concealing the code within call settings, NSO allegedly used WhatsApp’s own servers – relay and signaling – to route its spyware.
WhatsApp managed to tie certain WhatsApp accounts used during the attacks back to NSO, as it describes in the complaint. The accounts were created to place the calls that injected the spyware, the lawsuit says.
WhatsApp had first been tipped off to the attack by suspicious calls, but because of its privacy and data-retention rules, it had no idea whose numbers they were. Citizen Lab, a cybersecurity research laboratory based at the University of Toronto, volunteered to find out: as the New Yorker reports, its experts worked to determine whether any of the numbers belonged to civil society members.
Citizen Lab told Reuters that the targets included well-known TV personalities, prominent women who had been subjected to online hate campaigns, and people who had faced “assassination attempts and threats of violence.”
From Citizen Lab’s post:
“As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses.”
Neither Citizen Lab nor WhatsApp has identified the targets by name.
NSO’s Pegasus and other spyware products have already been implicated in a series of human rights abuses. WhatsApp’s lawsuit is just the latest to result from hacks allegedly tied to NSO’s products.
Pegasus has been unleashed against Mexican political activists and targeted at the human rights-focused NGO Amnesty International in a spearphishing attack.
NSO’s spyware also allegedly played a part in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago. In December 2018, Omar Abdulaziz – a Saudi Arabian dissident who was close to Khashoggi – joined with a group of seven activists and journalists who filed a lawsuit against NSO in Israel and Cyprus, charging that NSO helped the royal court take over the murdered journalist’s smartphone and intercept his communications and that all their phones had similarly been compromised.
Amnesty International is also suing NSO, calling a June 2018 spearphishing attack on an Amnesty staff member “the final straw.”
WhatsApp’s suit is looking for a permanent injunction to bar NSO from accessing or attempting to access WhatsApp and Facebook’s services. It also seeks unspecified damages.
NSO denies it all
NSO Group’s response to incidents of operators unlawfully using its software to persecute dissidents, activists and journalists has been consistent: it repeatedly points out that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.
From the statement it put out in response to WhatsApp’s lawsuit:
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”