Facebook sued the Israeli hacker-for-hire company NSO Group on Tuesday in U.S. federal court for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with highly sophisticated spyware.
The lawsuit, filed in San Francisco, is the first legal action of its kind, according to Facebook, involving an almost entirely unregulated realm.
Facebook says NSO Group violated laws including the U.S. Computer Fraud and Abuse Act with a crafty exploit that took advantage of a flaw in the popular communications program that allowed a smartphone to be penetrated through missed calls alone.
“It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world,” the head of WhatsApp, Will Cathcart, wrote in an op-ed published by The Washington Post.
He said that since discovering the malware operation in May, Facebook learned that the attackers were using servers and internet-hosting services previously associated with NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.
NSO Group issued a statement that did not directly deny hacking WhatsApp but said it disputed the allegations and vowed to “vigorously fight them.”
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” the company said. “Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
It said strongly encrypted platforms are used by pedophile rings, drug traffickers and terrorists and that NSO’s technologies “provide proportionate, lawful solutions.”
Facebook demands in the suit that NSO Group be denied access to Facebook’s services and systems and seeks unspecified damages.
Cathcart said leaders of tech firms “should join U.N. (free speech) Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.”
“This is huge. I am really glad to see a tech company put their massive litigation team on the field on behalf of users,” tweeted Alex Stamos, a Stanford University researcher and former Facebook chief security officer.
WhatsApp is the world’s most popular communications software, with about 1.5 billion users in 180 countries.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability” when it was discovered. “There’s nothing a user could have done here, short of not having the app.”
Citizen Lab subsequently volunteered to assist Facebook in the investigation.
The lawsuit alleges that malicious code from NSO was sent from April 29 through May 10 over WhatsApp servers. The aim was to infect some 1,400 devices whose users included attorneys, journalists, human rights activists, political dissidents, diplomats and other government officials. It said the targeted phone numbers were in countries including Bahrain, United Arab Emirates and Mexico.
NSO’s spyware has repeatedly been found deployed to target such people. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.
In the lawsuit, Facebook alleges that after it publicly announced that it had identified and closed the vulnerability, an NSO employee complained, “You just closed our biggest remote for cellular …. It’s on the news all over the world.”
The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle.
NSO Group’s flagship malware, called Pegasus, allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal and geolocation data.
A European private equity firm, Novalpina Capital LLP, bought a majority stake in NSO Group in February. It claimed in a May statement that “highly targeted interception technologies” of the kind NSO Group produces “play a critical role in protecting the public” and can do so without undermining privacy rights or free speech.