Facebook filed a lawsuit against the Israeli hacker-for-hire company NSO Group on Tuesday in U.S. federal court for targeting some 1,400 users of its encrypted messaging service WhatsApp with highly sophisticated spyware.
The lawsuit, filed in San Francisco, is the first legal action of its kind, according to Facebook, and involves a realm that is almost entirely unregulated.
Facebook said that NSO Group used WhatsApp servers to spread malware to 1,400 mobile phones in an attempt to target journalists, diplomats, human rights activists, senior government officials and other parties. The targeted phone numbers were in countries including Bahrain, United Arab Emirates and Mexico.
The malware was unable to break the Facebook-owned app’s encryption, according to the lawsuit, and instead infected customers’ phones, giving NSO access to messages after they were decrypted on the receiver’s device.
NSO used its flagship software, “Pegasus,” Facebook alleges, not only to access messages sent via WhatsApp, but also messages sent on competing platforms, including Apple’s iMessage, Microsoft’s Skype, Telegram, WeChat and Facebook Messenger.
In a statement issued on Wednesday, NSO Group denied being involved in the attacks and claimed that its surveillance technology, called Pegasus, which it sells to governments around the world, is being used to save lives:
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.
The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.
We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights — including the right to life, security and bodily integrity — and that’s why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.”
Facebook says NSO Group workers created WhatsApp accounts to send malware components to the targeted devices. They also initiated calls to “secretly inject malicious code” into the targeted devices.
Facebook demands in the suit that NSO Group be denied access to Facebook’s services and systems and seeks unspecified damages.
WhatsApp head Will Cathcart said leaders of tech firms “should join U.N. (free speech) Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.”
NSO Group Technologies is an Israeli technology firm focused on cyber intelligence. It reportedly employs around 500 people and is based in Herzliya, near Tel Aviv. According to the company, NSO provides “authorized governments with technology that helps them combat terror and crime”.
NSO’s spyware has repeatedly been found deployed to target such people. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.
The NSO Group previously confirmed that Pegasus was used to target the phone of a British lawyer, who contacted Citizen Lab and kickstarted the investigation that led to this lawsuit.