Facebook sues Israeli surveillance vendor over WhatsApp zero-day

Facebook says NSO Group developed WhatsApp zero-day used in May 2019 attacks against attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
Written by Catalin Cimpanu, Contributor

Facebook filed a lawsuit today in a US court against NSO Group, an Israeli company that sells spyware products. The social media giant claims that NSO Group has sold and had direct involvement in the deployment of a WhatsApp zero-day against more than 1,400 users.

The WhatsApp zero-day came to light in May this year. A Financial Times report claimed that NSO Group had developed an exploit that abused WhatsApp's VoIP calling feature.

Targets would get a WhatsApp call, but specially crafted RTCP packets allowed an attacker to run malicious code that installed the NSO Group's Pegasus spyware kit on targeted devices -- regardless of whether they were Android devices or iPhones.

At the time, Facebook deployed urgent updates to fix the vulnerability but did not issue any official statements, besides a simple advisory.

Facebook concludes investigation, files lawsuit

"Now, after months of investigation, we can say who was behind this attack," Will Cathcart, Head of WhatsApp at Facebook, said today in an op-ed in the Washington Post.

"Today, we have filed a complaint in federal court that explains what happened and attributes the intrusion to an international technology company called NSO Group," Cathcart added.

"As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO.

"In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful," Cathcart said.

WhatsApp zero-day used against 1,400 devices

According to court documents, the attack targeted more than 1,400 devices belonging to attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

Facebook said that based on country codes of the targeted WhatsApp numbers, the targeted users were located in the Kingdom of Bahrain, the United Arab Emirates, and Mexico.

In a FAQ page published on the WhatsApp website today, Facebook said it sent "a special WhatsApp message" to notify all device holders about the May attacks.

Facebook said the purpose of the lawsuit was to hold NSO accountable under US state and federal laws, including the Computer Fraud and Abuse Act (CFAA).

In the past, NSO has stated many times that it only sells its hacking tools to customers and cannot be held responsible for what they do with its code. However, the Facebook lawsuit seeks to prove the opposite and link the company to an active hacking campaign.

After UN security experts called for a worldwide moratorium on the sale of surveillance software, NSO Group pledged in September to follow the UN's human rights policy and fight against customers who use its tools to spy on innocents, political opponents, and journalists.

Responding to a request for comment from ZDNet, NSO Group provided the following statement on today's lawsuit:

"In the strongest possible terms, we dispute today's allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.

"The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO's technologies provide proportionate, lawful solutions to this issue.

"We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights - including the right to life, security and bodily integrity - and that's why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights."
