The lawsuit, filed on Tuesday, alleges that NSO Group’s software was behind a sophisticated campaign to hack the phones and messages of religious figures, lawyers, journalists, and human-rights advocates in 20 countries.
Facebook, Inc. says the purpose of the lawsuit is to hold NSO accountable under US state and federal laws, including the Computer Fraud and Abuse Act (CFAA). The social media giant also names Q Cyber, a company affiliated with NSO, as a second defendant in the case.
“Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices,” Facebook wrote in the complaint. “Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers.”
WhatsApp Zero-Day Exploited
Facebook, Inc. first disclosed the WhatsApp hack attack in May. A security flaw ‘Zero-Day’ in WhatsApp’s encryption enabled potential hackers to install spyware through a phone call. The victims didn’t need to answer the phone or take any action in order for the attack to succeed. In the same month, Facebook issued a patch to fix the security vulnerability that enabled the attack in both iPhones and Android devices. In an advisory, Facebook wrote that “a buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.”
WhatsApp’s Global Head Will Cathart said the hackers behind the Zero-Day exploit were using services and internet hosting services associated with the NSO Group.
The social media giant alleges NSO’s flagship software ‘Pegasus,’ also sent messages on competing platforms, including Microsoft’s Skype, Apple’s iMessage, Facebook Messenger, WeChat, and Telegram.
WhatsApp wrote in a blog post on Tuesday that it had contacted all 1,400 users in 20 countries. The Facebook-owned messaging platform worked with human-rights research group Citizen Lab to inform victims about what had happened.
This is the second lawsuit Facebook, Inc. has filed this week to protect its digital security. On Monday, the social media giant sued two domain hosts over phishing websites targeting its platform.
NSO Group’s Cyberweaponry
Israeli spyware company NSO Group has come under fire for how its spyware ‘Pegasus’ has been used to spy on journalists, dissidents, and critics of governments in Bahrain, Mexico, and Saudi Arabia. In 2016, NSO’s spyware was used to track an Amnesty International researcher in the United Arab Emirates. In the attack, the software exploited previously unknown in Apple’s iPhone which is known to have the world’s most secure operating system.
The firm’s spyware Pegasus has a bigger role to play in the assassination of Jamal Khashoggi by Saudi government hitmen. Khashoggi’s phone was infiltrated by the spyware which was used to track his conversations before his death in October 2018.
If Facebook’s allegations are found to be true, the federal government could have grounds for a criminal case against NSO Group. The social media giant is seeking a permanent injunction to ban the NSO Group from using WhatsApp again.
The NSO Group has denied the allegations and plans to fight them.