WhatsApp on Thursday won a legal victory by persuading a US federal judge to release three court documents containing new revelations about the inner workings of Pegasus, a spyware made by Israeli surveillance technology maker NSO Group. .
The newly unsealed documents include information gleaned from NSO employee depositions and internal documents during legal proceedings, as well as WhatsApp messages exchanged between NSO employees (ironically). In particular, it also includes information obtained by WhatsApp by subpoenaing NSO.
The documents also reveal that NSO has blocked access to Pegasus spyware for 10 government customers in recent years due to misuse of the service.
The new revelations are the latest development in a lawsuit filed by WhatsApp in 2019, in which NSO violated the Anti-Hacking Act and the Computer Fraud and Abuse Act by accessing WhatsApp servers and targeting individual users. They are accusing the company of violating WhatsApp's terms of service. Spyware is sent via chat app. The charges are based on a series of cyberattacks against WhatsApp users, including journalists, dissidents, and human rights activists.
“The evidence uncovered shows exactly how NSO's activities violate US law and launch cyberattacks against journalists, human rights defenders, and civil society,” a WhatsApp spokesperson said. Zade Alsawah said in a statement to TechCrunch. “We will continue to work hard to hold NSO accountable and protect our users.”
“Tens of thousands” of potential targets
According to court documents obtained by TechCrunch, NSO has developed a suite of hacking tools to use against targets using WhatsApp, giving it access to personal data on their phones. The hacking suite was called “Hummingbird,” and the suite's two exploits were called “Eden” and “Heaven.”
The suite will cost NSO's government customers, including police departments and intelligence agencies, up to $6.8 million for a one-year license, and one court document says NSO will have “at least $31 million in 2019. “I earned a profit of $1,000.''
Thanks to these hacking tools, NSO installed Pegasus on “hundreds to tens of thousands” of targeted devices, according to testimony from NSO's head of research and development, Tamir Gazneri.
Until now, it was unclear who was actually sending malicious WhatsApp messages targeting individuals using spyware. NSO has long maintained that it has no knowledge of its customers' operations and is not involved in carrying out targeted cyberattacks. Newly released court documents cast doubt on some of NSO's claims.
WhatsApp said in one court document that “NSO customers' His role is minimal.” The agent is remotely on the device without any interaction. ”
“In other words, customers simply order data for the target device and NSO controls every aspect of the data acquisition and distribution process through Pegasus’ design,” WhatsApp claimed.
The court filing quotes an NSO official as saying, “It was our decision whether or not to activate.” [the exploit] WhatsApp messages or not,” he said, referring to one of the exploits the company provided to its customers.
When asked for comment, NSO spokesperson Gil Reiner said in a statement to TechCrunch: “NSO stands by its previous statements, which have repeatedly detailed that the system is operated solely by our customers and that neither NSO nor its employees have access to the information collected” by the system. ”
“We are confident that these allegations, like many in the past, will be proven wrong in court, and we look forward to that opportunity,” NSO's Reiner said in a statement.
Three NSO exploits target WhatsApp users
As explained in a document, one of the techniques used by NSO to allow its customers to target WhatsApp users was through what the company calls “WhatsApp installation servers,” or what WhatsApp calls “fake clients.” It was about setting up something called WIS. This was essentially a modified version of the WhatsApp app developed by NSO and used to send messages containing malicious exploits to regular WhatsApp users. According to one of the court documents, NSO admitted to setting up real WhatsApp accounts for its customers.
According to NSO's internal communications, WhatsApp was able to thwart both NSO's 'Eden' and 'Heaven' exploits through patches and security updates.
“Peaceful Announcement of Eden/Heaven/Hummingbird,” said a message sent to NSO staff.
According to court documents, NSO's Heaven exploit has been active since before 2018 and was designed to force targeted WhatsApp devices to communicate with a malicious WhatsApp relay server controlled by NSO.
After WhatsApp patched its systems against NSO's Heaven exploit, NSO developed a new exploit called “Eden.” NSO employees cited in court documents say this is “necessary.”[ed] It goes through a WhatsApp relay server, which is what the Heaven exploit was trying to get around. According to another NSO employee, it was the use of the Eden exploit that led WhatsApp to file a lawsuit against NSO.
The third NSO-developed exploit disclosed in the document is called “Erised,” and is a so-called “zero-click” exploit that can compromise a victim's mobile phone without any interaction from the victim. . WhatsApp blocked NSO from using the Erised exploit in May 2020, months after filing the lawsuit.
Customer termination
Another interesting detail that came to light this week was the admission by one of the expelled NSO employees during the course of the lawsuit that Pegasus was used against Dubai's Princess Haya, an incident that was reported in the Guardian in 2021. It was reported by the paper and the Washington Post, and so on. New Yorker magazine in 2023.
The same NSO official said the spyware maker had “cut off” 10 customers' access to Pegasus due to spyware misuse.
At this point in the lawsuit, WhatsApp has asked a judge to grant summary judgment in the case and is awaiting a ruling.
Meanwhile, details revealed in this week's lawsuit could help others who have sued NSOs in other countries, said technology lawyer Access Now, a nonprofit that has investigated several abuse cases. Natalia Krapiva said. Out with NSO spyware.
“WhatsApp's persistence in legal action finally gives it some benefit,” Krapiva told TechCrunch. “Although it is true that NSO has not shared much information (particularly the Pegasus code, customer list, etc.), the information that NSO has shared is already very useful not only in this case, but also in the case against NSO. world.”
“And the fact that NSO is hiding information has negative effects on both sides because it makes it very difficult for them to present a solid defense,” Krapiva said.