WhatsApp Alleges NSO Was ‘Deeply Involved’ In Hack – Report

New court filings have been filed by Facebook-owned WhatsApp, which allege that NSO Group was actively involved in the hack of 1,400 users.

According to the Guardian newspaper report, Israeli surveillance specialists NSO was “deeply involved” in carrying out the mobile phone hacks of 1,400 WhatsApp users, including senior government officials, journalists in India, and Rwandan human rights activists.

WhatsApp had in May 2019 urged all of its users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.

WhatsApp Hack

WhatsApp said that it had discovered the vulnerability earlier in May 2019 and released a fix. The Financial Times reported at the time that the bug was used to implant NSO-developed spyware called ‘Pegasus’.

For the record, NSO develops surveillance tools that are intended for use by governments and law enforcement agencies around the world.

But the allegation was that when the hackers rang up a target’s phone, the malicious code would automatically infect the device (even if the call was not answered), WhatsApp said last year in a technical document on the issue.

The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VoIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said in May 2019.

At the time, WhatsApp acknowledged that the vulnerability had been used to install spyware, without mentioning NSO by name.

But that stance changed a few months later, and in October 2019 WhatsApp filed a lawsuit against NSO, alleging that NSO was behind the cyberattack in 2019 that infected devices with advanced surveillance tools.

A further twist came when NSO in March 2020 failed to show up in the American court after efforts were made to serve legal papers against it.

A California court clerk entered a notice of default against the Israeli firm.

NSO responded and asked the US court to sanction Facebook for allegedly failing to abide by international law with regards to its lawsuit against the surveillance software maker.

NSO alleged it had not been served in accordance with international law known as the Hague Convention

Deeply involved?

NSO has always maintained that it sells its Pegasus software to governments and agencies for the purpose of tracking down terrorists and other criminals.

According to the Guardian, NSO said it had no independent knowledge of how those clients use its software.

The Guardian says that court documents filed by WhatsApp last week, says that the Facebook unit’s own investigation into how Pegasus was used against 1,400 users last year showed that servers controlled by NSO Group – not its government clients – were an integral part of how the hacks were executed.

WhatsApp reportedly said victims of the hack received phone calls using its messaging app, and were infected with Pegasus.

Then, it said: “NSO used a network of computers to monitor and update Pegasus after it was implanted on users’ devices. These NSO-controlled computers served as the nerve centre through which NSO controlled its customers’ operation and use of Pegasus.”

According to WhatsApp’s filing, NSO gained “unauthorised access” to its servers by reverse-engineering the messaging app and then evading the company’s security features that prevent manipulation of the company’s call features.

According to the Guardian, one WhatsApp engineer who investigated the hacks said in a sworn statement submitted to the court that in 720 instances, the IP address of a remote server was included in the malicious code used in the attacks. The remote server, the engineer said, was based in Los Angeles and owned by a company whose data centre was used by NSO.

NSO has reportedly said in legal filings that it has no insight into how government clients use its hacking tools, and therefore does not know who governments are targeting.

NSO response

But one expert, John Scott-Railton of Citizen Lab, who reportedly worked with WhatsApp on the case, said NSO’s control of the servers involved in the hack suggests the company would have had logs, including IP addresses, identifying the users who were being targeted.

“Whether or not NSO looks at those logs, who knows? But the fact that it could be done is contrary to what they say,” Scott-Railton reportedly said.

But NSO defended its role in the incident.

“Our products are used to stop terrorism, curb violent crime, and save lives,” NSO told the Guardian in a statement. “NSO Group does not operate the Pegasus software for its clients. Our past statements about our business, and the extent of our interaction with our government intelligence and law enforcement agency customers, are accurate.”

The company said it would file its response to the court in coming days.

Do you know all about security? Try our quiz!