According to a lawyer working for an Israeli spyware manufacturer, the governments of Mexico, Saudi Arabia and Uzbekistan were behind a 2019 hacking campaign that targeted more than 1,200 WhatsApp users with NSO Group's Pegasus spyware.
At a hearing in the lawsuit between WhatsApp and NSO Group last Thursday, NSO Group lawyer Joe Akrotirianakis specifically named the three governments as customers that used the spyware, according to a transcript of the hearing obtained this week by TechCrunch.
This is the first time an NSO Group representative has publicly confirmed who the spyware manufacturer's customers are. It comes after NSO Group spokespeople refused to acknowledge or discuss the company's customers, claiming it “can't.”
The revelation came as part of a lawsuit filed by Meta-owned WhatsApp in 2019, accusing NSO Group of hacking around 1,400 WhatsApp users by exploiting vulnerabilities in the messaging app's system around April and May of that same year.
The contents of last week's hearing were first reported by Courthouse News Service.
In its legal complaint, WhatsApp alleged there were more than 100 victims who work as human rights activists, journalists and “other members of civil society.” Citizen Lab, a digital rights group that has been investigating government spyware abuse for over a decade, said in a report at the time that WhatsApp could help identify those victims.
Last week, NSO Group lawyer Akrotirianakis told the judge, “In this case, there are at least eight clients whose names are part of the discovery,” but only three were named at the hearing.
At the same time, the lawyer also suggested that the list of countries included in court documents, which were unsealed last week, shows which countries were behind the targeting of the 1,223 victims of the 2019 spyware campaign.
“Pegasus is approved for its territory and can only be used in these regions,” Akrotirianakis said, referring to NSO Group's marquee spyware.
Apart from Mexico and Uzbekistan, the list of 51 countries includes Bahrain, India, Morocco, Spain, the UK and the US. However, Saudi Arabia, which was mentioned at the NSO Group hearing, is not listed.
This can be explained by the fact that some NSO Group customers can target individuals outside their territory. For example, in 2017, Citizen Lab reported that there was “circumstantial evidence” suggesting that one or more of NSO Group's Mexican government clients targeted multiple individuals, including the child of a well-known Mexican journalist who was in the United States at the time he was targeted.
When reached by TechCrunch, Gil Lainer, a spokesman for NSO Group, declined to comment. When asked, Lainer did not dispute that Mexico, Saudi Arabia and Uzbekistan were three of the company's customers at the time of the WhatsApp spyware campaign.
WhatsApp spokesman Zade Alsaway told TechCrunch that the company “looks forward to future trials to determine damages and will secure an injunction against the NSO to protect WhatsApp and people's private communications.”
On Tuesday, the judge presiding over the suit said the documents NSO Group provided as part of the suit identify “at least four NSO customers,” but the company has not confirmed that those countries are its customers.
“The evidence records are unclear about which of [NSO’s] clients was responsible for the attack in question,” the judge wrote. “To the extent that [WhatsApp] discuss the facts about clients who have been found to misuse Pegasus, these facts appear to come from media reports, not from the defendant.”
For years, organizations such as Citizen Lab and Amnesty International have documented cases where Pegasus was used to target or hack journalists, dissidents and human rights advocates in several countries mentioned on victim lists, including Mexico, Hungary, Spain and the United Arab Emirates.
TechCrunch will contact the embassies of Mexico, Saudi Arabia and Uzbekistan in the US for comment and update the story if it receives a response.