Photo by Amelia Holowaty Krales / The Verge
WhatsApp is suing notorious spyware vendor NSO Group, saying the company was actively involved in hacking users of the encrypted chat service.
Attack targeted journalists and human rights advocates
In May, a major software vulnerability in WhatsApp was revealed. Using the flaw, hackers could load spyware onto a phone through a video call, even if the person never answered the call. Citizen Lab, the organization that discovered the vulnerability, said at the time that the attack was being used to target journalists and human rights advocates. The spyware used in the attacks, called Pegasus, was developed by the Israel-based NSO Group, whose software has been employed by repressive governments around the world.
When the WhatsApp flaw was revealed, NSO Group said it wasn’t involved in the direct use of its software, and merely provided it to governments. But in a Washington Post opinion article published today, WhatsApp head Will Cathcart says the company has evidence of NSO Group’s direct involvement in the attack. “Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the US Computer Fraud and Abuse Act,” Cathcart writes.
According to Cathcart, Facebook-owned WhatsApp linked servers and services used in the attack with NSO Group, and also uncovered evidence tying WhatsApp accounts used in the attack to the spyware vendor. “While their attack was highly sophisticated,” Cathcart writes, “their attempts to cover their tracks were not entirely successful.” About 1,400 devices were infected by the malicious code, according to WhatsApp.
In a related announcement, Citizen Lab said it has been working with WhatsApp since the attack to identify suspected targets.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO Group said in a statement. The company went on to say it takes action when one of its products is used for purposes other than fighting crime or terrorism.
WhatsApp is asking a court to stop NSO Group from taking similar action in the future and to award damages. “WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere,” Cathcart writes.
Update, 5:37 PM ET: Includes statement from NSO Group spokesperson.
Correction, 4:25 PM ET: An earlier version of this article stated that Citizen Lab attributed the attack to NSO Group. The organization cited WhatsApp in its announcement.