Facebook sues Israeli spyware firm NSO for allegedly hacking WhatsApp


According to the lawsuit, NSO has hacked more than 1400 journalists and human rights activists in Israel, Palestine, Cyprus, Brazil, Indonesia, Sweden, and the Netherlands.

Facebook is suing the Israeli cyber intelligence company NSO Group for allegedly breaching WhatsApp’s computer systems, a breach it says was used to help governments hack and track at least 1,400 mobile phones and devices belonging to journalists and human rights activists.

WhatsApp Director Will Cathcart said in a Washington Post article: “In May, WhatsApp announced that it had identified and blocked a new type of cyberbullying that included a video call service vulnerability. Now, after months of investigation, we can say with certainty who is behind the attack. Today we filed a lawsuit in a federal court that explains what happened and attributes the breach to the NSO.”

Cathcart said the link to the NSO was made after it became clear the attackers had used servers previously linked to the company. “In addition, we linked several WhatsApp accounts used in the attack back to the NSO. While their attack was very sophisticated, their attempts to cover their footprints were not entirely successful,” he added.

Here’s how it worked: between about April 2019 and May 2019, WhatsApp users were notified of an alleged incoming video call, but in fact, it was a regular call. After the phone rang, the attacker passed malicious code designed to infect the victim’s phone with NSO’s spyware, Pegasus.

This software provides access to all information on the device and allows the attacker to control it remotely and retrieve information in real time. For example, the attacker can secretly operate the microphone and camera and follow the victim’s activity in real time. The victim does not even have to answer the call for the device to be infected.

Facebook also identified the victims of the attack, which it said included at least 1400 human-trafficking activists, journalists and other activists in civil society organizations. “It’s a wake-up call for tech companies, governments and all internet users,” said Cathcart. “Tools that enable our private lives to be tracked are being misused, and getting the technology into the hands of irresponsible companies and governments is putting us all at risk.”

He mentioned that in the past, the NSO denied it was related to the attack: “But our investigation has proved otherwise. Now we ask that it be enforced under US law. At WhatsApp, we believe that people have a fundamental right to privacy and that no one else should have access to our private conversations, not even us. Mobile phones provide a great service to us, but when they are turned against us they reveal our location and private messages, and record our sensitive conversations with others.”

Cathcart noted some lessons learned from this, including technology companies’ commitment to avoiding deliberate backdoors in their products, deepening corporate collaboration to protect and promote human rights, and the failure of technology companies to counter cyber attacks. “Finally, much more has to be done to define proper cyber weapons supervision. NSO said in September that ‘human rights protection is embedded in all aspects’ of its work.

“However, NSO firmly claims it has no knowledge of its spy goals. Both things cannot be true. At the very least, leaders of tech companies should join UN Special Commissioner David Kaye, who called for an immediate ban on the sale, transfer, and use of dangerous spyware.”

In the lawsuit itself, Facebook notes that the federal court in the Northern District of California has jurisdiction to hear the case because the NSO targeted California residents. That’s because some of WhatsApp’s servers are located in California.

NSO has previously claimed that it does not conduct surveillance on US phone numbers, a claim that the Facebook lawsuit now calls into doubt. The company also claimed that it does not spy on Israeli numbers.

The lawsuit provides a description of how NSO operated in this case. “About January 2018 to May 2019, the Defendants created WhatsApp accounts through which they sent the malicious code to the target devices in April and May 2019,” it said. “The accounts are created using phone numbers from different countries, including Cyprus, Israel, Brazil, Indonesia, Sweden and the Netherlands.

“In 2019, defendants also leased servers in various states, including the United States, to connect the target devices to a network of remote servers designed to distribute the damage and pass orders to the target device. This network included proxy and relay servers (‘malicious servers’), owned by Choopa, Quadranet and Amazon, among others. The IP address of one of these malicious servers was previously linked to defendants.”

According to Facebook, NSO reverse-engineered WhatsApp and developed software that allowed it to forge legitimate traffic on the app’s network in order to send the malicious code through the WhatsApp servers themselves. “The software was sophisticated, and was developed to exploit specific components of the WhatsApp protocol and code. To break through, the defendants routed the malicious code through the plaintiffs’ servers.”

According to Calcalist, NSO provided a lengthy response that is largely irrelevant to the lawsuit and the claims raised therein. The newspaper chose to bring only the relevant section, which reads: “We firmly reject Facebook’s claims.”
