Judge: Lawsuit Against Israeli Spyware Firm NSO Group Can Proceed

July 17, 2020 – A United States judge has ruled that the case brought against Israeli spyware firm NSO Group by WhatsApp, Inc. can proceed to trial. WhatsApp is a messaging app owned by Facebook. NSO Group’s products are designed for law enforcement and intelligence agencies to use in combating things like terrorism.

According to Stephanie Kirchgaessner of the Guardian, in an article entitled “US Judge: WhatsApp Lawsuit Against Israeli Spyware Firm NSO Can Proceed”:

An Israeli company whose spyware has been used to target journalists in India, politicians in Spain, and human rights activists in Morocco may soon be forced to divulge information about its government clients and practices after a judge in California ruled that a lawsuit against the company could proceed.

NSO Group was sued by WhatsApp, which is owned by Facebook, last year, after the popular messaging app accused the company of sending malware to 1,400 of its users over a two-week period and targeting their mobile phones.

In a ruling that the case could proceed in a US district court in California, Judge Phyllis Hamilton said she had not been entirely persuaded by NSO Group’s argument that it had no role in the targeting of WhatsApp’s users. Instead, Judge Hamilton said it appeared that NSO Group ‘retained some role’ in the targeting of individuals, ‘even if it was at the direction of their customers’. The case will now proceed to discovery, in which both sides can request documents and records.

WhatsApp, which has said that 100 members of civil society from around the world were targeted in the ‘unlawful’ 2019 attack, said it was pleased with the court’s decision.

‘The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices,’ a WhatsApp spokesperson said.

Judge Hamilton also pointed out that the underlying facts in the case – that someone sent malicious code and malware through WhatsApp’s servers – did not appear to be disputed. Instead, the lawsuit revolved around whether NSO Group’s ‘sovereign customers’ were to blame, or the company itself.

NSO Group has said it only sells spyware to government clients and law enforcement agencies to track terrorists and criminals. It has argued that critics of the company’s practices, including privacy advocates, have ignored a grave problem facing law enforcement agencies around the world: the proliferation of encrypted communications applications like WhatsApp, which it argues have made it easier for terrorists and other criminals to evade detection. NSO Group has retained the law firm of King & Spalding to represent it in the case. Its legal team includes the Trump administration’s former deputy attorney general, Rod Rosenstein.

NSO Group said in a statement: ‘Our legal team is reviewing the court’s decision, so we are not in a position to comment in detail at this time. Our technology is used to save lives and prevent terror and crime worldwide, and we remain confident that our conduct is lawful.’

NSO Group’s past customers have reportedly included Saudi Arabia, Mexico, and the United Arab Emirates, and its spyware is alleged to have been used against human rights campaigners, including Omar Abdulaziz, a close associate of the murdered Washington Post journalist Jamal Khashoggi. NSO Group has strenuously denied its software was ever used to target Khashoggi personally and has said Abdulaziz, who is suing the company in Israel, had a history of ‘unfounded claims’ against NSO Group. – The Guardian

The company’s stance is that the allegations against it are unfounded and that it should not be held responsible for the actions of its clients. The judge seemed to think that argument was not sufficient.

There are allegations NSO Group spyware was used to target journalists, political dissidents and politicians around the world.

The latest allegations are that Spain was a customer of NSO Group. If the case does indeed go to trial, discovery could provide a massive trove of information about the use of technology by governments around the world to target dissidents and political opposition.

Another disturbing story about NSO Group comes from Joseph Cox of Motherboard for Vice News, “NSO Employee Abused Phone Hacking Tech to Target a Love Interest.” The report reveals how this technology can be misused and abused:

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO’s can ultimately be abused by the humans who have access to it.

‘There’s not [a] real way to protect against it. The technical people will always have access,’ a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source’s account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company’s system. Motherboard granted multiple sources in this story anonymity to speak about sensitive NSO deliberations and to protect them from retaliation from the company.

NSO sells a hacking product called Pegasus to government clients. With Pegasus, users can remotely break into fully up-to-date iPhone or Android devices with either an attack that requires the target to click on a malicious link once, or sometimes not even click on anything at all. Pegasus takes advantage of multiple so-called zero day exploits, which use vulnerabilities that manufacturers such as Apple are unaware of.

After infecting a device, Pegasus can track the target’s location, read their texts, emails, social media messages, siphon their photos and videos, and turn on the device’s camera and microphone. Researchers have previously tracked installations of Pegasus to Saudi Arabia, the United Arab Emirates, Mexico, and dozens of other countries. NSO says its tool should exclusively be used to fight terrorism or serious crime, but researchers, journalists, and tech companies have found multiple instances of NSO customers using the tool to spy on dissidents and political opponents. David Kaye, the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has noted that there is a ‘legacy of harm’ caused by Pegasus.

This latest case of abuse is different though. Rather than a law enforcement body, intelligence agency, or government using the tool, an NSO employee abused it for their own personal ends.

Several years ago, an at-the-time NSO employee travelled to the UAE for work, a former employee explained to Motherboard. NSO sent the employee ‘to do on site support,’ a second former employee said. While on location, the employee broke into the client’s office; the client received an alert that someone had logged into the Pegasus system out of normal office hours and investigated, one of the sources with knowledge of the incident added. Authorities detained the NSO employee, two sources said.

‘The client was pissed,’ the first former employee said.

‘He used the system while nobody was looking,’ the second former employee added. The client-facing side of the Pegasus system is very easy to use; in some cases a user simply enters the phone number of the target, and the process of breaking into the device starts.

The target was a woman the employee knew personally, the sources said.

NSO fired the employee, those two sources added. The company’s leadership held a meeting to tell employees about the incident to make sure it would not happen again, they said.

Two sources said the abuse happened in 2016, while NSO was majority-owned by U.S. investment firm Francisco Partners. In February 2019 NSO’s founders bought back their company from the firm.

The sources did not specify which UAE agency’s NSO installation the employee abused. UAE has three intelligence agencies: UAE State Security, the Signals Intelligence Agency, and the Military Intelligence Security Services.

The UAE Embassy in Washington did not respond to a request for comment. NSO declined to speak on the record about the incident.

Though well-known in the security world for years, NSO entered the broader public consciousness after selling its hacking technology to Saudi Arabia, which used the tool to break into the phones of political dissidents, including contacts of Washington Post columnist Jamal Khashoggi. The CIA believes Saudi agents murdered Khashoggi in Istanbul, Turkey, in 2018 at the behest of the country’s Crown Prince.

Eva Galperin, director of cybersecurity at the EFF, and who has extensively researched not just government hacking campaigns but also how abusive partners use malware to spy on their spouses, told Motherboard, ‘It’s nice to see evidence that NSO Group is committed to preventing unauthorized use of their surveillance products where ‘unauthorized’ means ‘unpaid for.’ I wish we had evidence that they cared anywhere near as much when their products are used to enable human rights violations.’

‘You have to ask, who else may have been targeted by NSO using customer equipment?’ John Scott-Railton, a senior researcher from University of Toronto’s Citizen Lab, which has extensively researched NSO’s proliferation, told Motherboard. ‘It also suggests that NSO, like any organisation, struggles with unprofessional employees. It is terrifying that such people can wield NSA-style hacking tools,’ he said.

NSO has repeatedly painted itself as hands-off when it comes to actual hacking of phones in the wild, saying it only develops a capability that its clients then use. This case of abuse, however, ‘is devastating to NSO’s claims that it cannot conduct hacking. It proves that its employees have conducted illegal hacking, unsupervised,’ Railton added. Motherboard has also previously reported how NSO helps clients craft effective phishing messages tailored to their targets to increase the chance of a successful infection.

Kaye, the United Nations special rapporteur, and who has called for a worldwide pause on the export of hacking technology before more regulation can be put in place, told Motherboard the incident raises a number of questions around NSO. – 

One of the first things that came to mind after hearing about this “employee” was, how many other employees have abused or misused these tools and have not been caught? There seems to be a security disconnect here, which is odd coming from a surveillance technology firm. NSO Group claims that after this case, they instituted changes internally to ensure this type of abuse cannot happen again.

The allegations about NSO get far more disturbing. Another report by Joseph Cox, entitled “NSO Group Impersonated Facebook to Help Clients Hack Targets,” details some of the shadier things the company was engaged in:

Infamous Israeli surveillance firm NSO Group created a web domain that looked as if it belonged to Facebook’s security team to entice targets to click on links that would install the company’s powerful cell phone hacking technology, according to data analyzed by Motherboard.

It is not uncommon for hackers working for governments to impersonate Facebook, perhaps with a phishing page that displays a Facebook login screen but which secretly steals a target’s password. But NSO’s approach complicates its ongoing conflict with the tech giant. NSO is currently embroiled in a lawsuit with Facebook, which is suing the surveillance firm for leveraging a vulnerability in WhatsApp to let NSO clients remotely hack phones. Motherboard has also found more evidence that NSO used infrastructure based in the United States; a server used by NSO’s system to deliver malware was owned by Amazon.

A former NSO employee provided Motherboard with the IP address of a server setup to infect phones with NSO’s Pegasus hacking tool. Motherboard granted the source anonymity to protect them from retaliation from the company. Pegasus can target modern iPhone and Android devices, and once installed on a device it can steal text and social media messages, track the GPS location of the phone, and remotely turn on the camera and microphone. NSO sells Pegasus in either 0- or 1-click versions, with the former needing no interaction from the target, and the latter requiring the target to click a link.

The IP address provided to Motherboard related to a 1-click installation of Pegasus, the former employee said. Motherboard reviewed multiple databases of so-called passive DNS records from cybersecurity services DomainTools and RiskIQ, which show what web domain an IP address related to at different points in time. Throughout 2015 and 2016, the IP address resolved to 10 domains. Some of these seem to have been designed to appear innocuous, such as a link a person could click on to unsubscribe themselves from emails or text messages. Others impersonated Facebook’s security team and package tracking links from FedEx.

In late 2016, a company called MarkMonitor acquired the Facebook impersonating domain, according to online WHOIS records. MarkMonitor is a brand protection firm that works to obtain domains that may relate to fraud. Two months later, Facebook itself took control of the domain, the WHOIS records showed.

Some of the domains unearthed by Motherboard bear resemblance, but are not identical to those previously published by researchers at the University of Toronto’s Citizen Lab.

John Scott-Railton, a senior researcher from Citizen Lab, told Motherboard that the information provided by the former employee does appear to be NSO infrastructure.

Facebook told Motherboard it gained ownership of the domain to stop others from misusing it.

NSO is most well known for selling its Pegasus technology to authoritarian regimes like Saudi Arabia, which used the tool to target associates of murdered Washington Post journalist Jamal Khashoggi. NSO says it only sells Pegasus to law enforcement and intelligence agencies. Motherboard recently revealed NSO tried to sell its hacking technology to local U.S. police, and that an NSO employee abused access to an installation of the Pegasus tool in the United Arab Emirates to target a love interest.

Although several NSO clients have clearly abused the Pegasus system by targeting human rights dissidents, journalists, and political opponents, some of the infection domains discovered by Motherboard may have been used in legitimate law enforcement or anti-terror investigations. With that in mind, Motherboard is not publishing the full list of domains.

But the domains still show NSO has been willing to impersonate Facebook and use U.S.-based infrastructure to launch its malware. – Joseph Cox, Motherboard for Vice

These allegations are particularly alarming. Regardless of whether NSO was aware that clients were misusing and abusing these tools to target innocent civilians and journalists, as the creator of the tools they should retain ultimate liability. The lawsuit launched by Facebook aims to look closer into NSO’s connections to the U.S.

The CEO of NSO Group made an interesting statement regarding Facebook, according to the Motherboard article “Facebook Wanted NSO Spyware to Monitor Users, NSO CEO Claims”:

Facebook representatives approached controversial surveillance vendor NSO Group to try and buy a tool that could help Facebook better monitor a subset of its users, according to an extraordinary court filing from NSO in an ongoing lawsuit.

Facebook is currently suing NSO for how the hacking firm leveraged a vulnerability in WhatsApp to help governments hack users. NSO sells a product called Pegasus, which allows operators to remotely infect cell phones and lift data from them.

According to a declaration from NSO CEO Shalev Hulio, two Facebook representatives approached NSO in October 2017 and asked to purchase the right to use certain capabilities of Pegasus.

At the time, Facebook was in the early stages of deploying a VPN product called Onavo Protect, which, unbeknownst to some users, analyzed the web traffic of users who downloaded it to see what other apps they were using. According to the court documents, it seems the Facebook representatives were not interested in buying parts of Pegasus as a hacking tool to remotely break into phones, but more as a way to more effectively monitor phones of users who had already installed Onavo. – Motherboard

This is not the first time Facebook has been accused of spying on its users. Facebook, however, claims that this allegation is simply being used as a distraction from the current lawsuit between the two companies.

Interestingly, Facebook was looking into connections between NSO and the United States.

According to Scott Stedman, there are connections between NSO and the U.S.

NSO tried to claim sovereign immunity; the judge declined to agree.

With the motion to dismiss denied, the case will be allowed to go forward with discovery and production as well. This has been a major week for NSO: the case brought by Amnesty International in Israel requesting revocation of NSO’s export license was dismissed, a major scandal broke in Spain over Catalan politicians being targeted with Pegasus, and Spain was then confirmed as an NSO customer.

Does NSO have all the information about illegal spying by governments around the world? It’s a question worth asking in light of recent revelations.

If these allegations are true, that is a tremendous abuse of the software.

The above tweet has a link to the whole 45-page ruling from Judge Hamilton.

Earlier this month the Electronic Frontier Foundation (EFF) run by Edward Snowden launched a database called “ATLAS of Surveillance,” a compilation of police agencies and the “tech tools they use to spy on communities” which includes NSO.

For more information please see the short video above. This story is still developing; please check back for updates.
