NSO Ordered To Hand Over Spyware Code To WhatsApp

Israeli cyber intelligence specialist NSO Group has been ordered by a US judge to hand over its code for Pegasus and other spyware products to Meta ‘s WhatsApp.

The Guardian reported that the judge’s order is part of the ongoing lawsuit between the two parties, and represents a significant decision in WhatsApp’s favour.

NSO Group and its Pegasus spyware had become notorious within cybersecurity circles a few years back, after the firm insisted it only sold its technology to authorised governments and law enforcement to help them combat terror and crime, despite its spyware being found on the devices of activists, journalist and politicians.

NSO scandal

The legal trouble for NSO began in October 2019, when Meta’s Whatsapp sued the Israeli firm, and alleged NSO was behind the cyberattack that had infected 1,400 WhatsApp users with advanced surveillance hacks in May 2019.

Matters became even more serious in December 2020, after a report by Citizen Lab alleged that dozens of Al Jazeera journalists had been hacked with the help of Pegasus, by exploiting a vulnerability in the iPhone operating system.

Worse was to come in July 2021, when the Pegasus Project (a collaboration of more than 80 journalists and media organisations – including the Guardian newspaper) alleged that NSO’s Pegasus had been used “to facilitate human rights violations around the world on a massive scale.”

It allegedly uncovered evidence that the phone numbers for 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as 600 government officials and politicians from 34 countries, had appeared in a leaked database at the heart of the investigative project.

In September 2021 the investigative website Mediapart alleged that traces of Pegasus spyware had even been found on the mobile phones of at least five French cabinet ministers – deepening the diplomatic fallout.

In April 2022, it was alleged that the UAE may have used NSO Pegasus spyware on Downing Street and Foreign Office computer systems.

During this time in November 2021 NSO was blacklisted and placed on the export Entity List by the US Department of Commerce, which meant exports to NSO Group from US companies was restricted.

Apple also sued NSO in November 2021, alleging NSO engaged in surveillance and targeting of iPhone users in the US.

WhatsApp lawsuit

In its lawsuit, WhatsApp has accused NSO of spying on 1,400 users over a two-week period back in 2019.

According to the Guardian, Judge Phyllis Hamilton has ordered NSO to hand over the code for Pegasus, and code for other surveillance products it sells, which are seen as a closely and highly sought state secret.

NSO is closely regulated by the Israeli ministry of defense, which must review and approve the sale of all licences to foreign governments.

In reaching her decision, judge Hamilton reportedly considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.

Ultimately, however, she sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020.

NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.

Hamilton did, however, decide in NSO’s favor on a different matter: the company will not be forced at this time to divulge the names of its clients or information regarding its server architecture.

“The recent court ruling is an important milestone in our long running goal of protecting WhatsApp users against unlawful attacks. Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” a WhatsApp spokesperson said.

NSO declined to comment on the decision. The litigation is continuing.

NSO future

In December 2021 NSO reportedly said it was exploring its strategic options, that included shutting the Pegasus unit or selling the entire company, amid financial turmoil due to the spyware publicity.

Then in June 2022 it was reported that US defence contractor L3Harris was in talks to takeover NSO Group’s Pegasus surveillance technology. But that deal would have faced significant challenges, not least of which would be the approval from the US and Israeli governments.

In August 2022 NSO’s CEO stepped down in an reorganisation that saw the Israeli firm refocus to only sell to countries within the NATO alliance.