Imagine receiving a video-call request from a stranger on WhatsApp. Of course, you ignore it. But what you don’t know is that the call was used to hack into your phone even without you answering it, and to access your personal data on the device including text messages and location.
This is what happened to some 1,400 phones and devices whose users included lawyers, journalists, human rights activists, political dissidents, and diplomats in multiple countries, according to a lawsuit filed on Tuesday (Oct. 29) by Facebook, owner of the popular WhatsApp messaging app, accusing Israeli spyware developer NSO Group of perpetrating the attack. WhatsApp said it worked closely with Citizen Lab, a cybersecurity research group housed at the University of Toronto that has been studying the use of the Israeli firm’s “government-exclusive” spyware product called Pegasus for years, to link the attacks to NSO.
The breach was first revealed by the Financial Times (paywall) in May, whose reporting linked it to NSO, which also goes by Q Cyber Technologies. WhatsApp alerted users to the suspicious video calls that month, and updated the app, but did not identify the Israeli company as behind the attack at the time. WhatsApp has since “learned that the attackers used servers and Internet-hosting services that were previously associated with NSO… While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” wrote Will Cathcart, the head of WhatsApp, in an op-ed in the Washington Post shortly after the lawsuit was filed.
Facebook and Citizen Lab did not identify any of the targeted users, but two Moroccan activists, Maati Monjib, an academic, and Abdessadak El Bouchattaoui, a human rights lawyer, were identified as among the victims of NSO’s hack by Amnesty International this month. Meanwhile, the Financial Times spoke with at least six Rwandan dissidents (paywall) who were targeted in the May hack.
Lawyers say the lawsuit, which WhatsApp described as the “first time that an encrypted messaging provider is taking legal action” over such an attack, is an unusual step for a tech firm to take, because the litigation could expose information about how WhatsApp’s encryption works. Facebook wants to bar NSO from using its platforms and is seeking damages.
According to Facebook’s filing in San Francisco federal court, the Israeli spyware firm created WhatsApp accounts using numbers registered in countries like Israel, Brazil, and Sweden, and used them to target users between April and May this year. While the malware did not manage to break WhatsApp’s own encryption, the hack was able to access the text messages and other communications after they were decrypted on the devices. Facebook says the fact that the firm agreed to WhatsApp’s terms and conditions to set up the accounts gave the US court standing to hear the case.
The screenshot of a suspicious video call allegedly from NSO, provided by Citizen Lab. The +46 country code belongs to Sweden.
NSO disputed the claims in the Facebook lawsuit, and said it would “vigorously fight them” in court. It said its technology was mainly used by law enforcement and intelligence agencies to fight crimes like terrorism and child abuse. “The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity,” it said. The group counts on former senior officials, including Tom Ridge, former secretary of the US Department of Homeland Security, as one of its advisers.
The techniques used by NSO to infect devices have previously also included tricking targets into clicking on a link, according to Citizen Lab, which has tracked the group for at least four years. Journalists in Mexico, and their family members and associates, have been among those most heavily targeted. A Canada-based Saudi dissident close to the assassinated journalist Jamal Khashoggi sued NSO last year alleging they infected his phone with Pegasus via text message to spy on Khashoggi, which the group also disputes.
US private equity firm Francisco Partners in February sold its 70% stake to NSO’s co-founders and management team and London-based private equity firm Novalpina Capital. Novalpina said in a letter to Citizen Lab at the time that it was satisfied that NSO, which earned $250 million in revenues in 2018, operates “with the highest degree of integrity and caution.” Because the malware is so invasive, it’s classified as a weapon, the New York Times has reported, and the Israeli government has to approve its sale to foreign governments.
We have identified over 100 cases of abusive targeting in at least 20 countries that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses. https://t.co/1SFxr16hVe
— Citizen Lab (@citizenlab) October 29, 2019
Facebook’s lawsuit comes as cybersecurity experts and human rights groups worldwide express increasing concern about governments exploiting spyware and techniques provided by tech companies to monitor dissidents or activists.
“This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk,” wrote Cathcart.