Israeli Spyware Company that Used US-Based Servers Involved in Hacking WhatsApp Users

In new court filings, WhatsApp has revealed that an “Israeli” spyware company used US-based servers and was “deeply involved” in carrying out mobile phone hacks of 1,400 WhatsApp users, including senior government officials, journalists, and human rights activists.

The new revelations about NSO Group state that the “Israeli” company bears responsibility in serious human rights violations, including the hacking of more than a dozen Indian journalists and Rwandan dissidents.

For years, NSO Group has claimed that its spyware is purchased by government clients for the purpose of tracking down “terrorists” and that it had no independent knowledge of how those clients – which in the past have reportedly included Saudi Arabia and Mexico – use its hacking software.

But a lawsuit filed by WhatsApp against NSO Group last year – the first of its kind by a major technology company – is revealing more technical details about how the hacking software, Pegasus, is deployed against targets.

In the court filings last week, WhatsApp said its own investigation into how Pegasus was used against 1,400 users last year showed that servers controlled by NSO Group – not its government clients – were an integral part of how the hacks were executed.

According to WhatsApp’s filing, NSO gained “unauthorized access” to its servers by reverse-engineering the messaging app and then evading the company’s security features that prevent manipulation of the company’s call features. One WhatsApp engineer who investigated the hacks said in a sworn statement submitted to the court that in 720 instances, the IP address of a remote server was included in the malicious code used in the attacks. The remote server, the engineer said, was based in Los Angeles and owned by a company whose data centre was used by NSO.

NSO has said in legal filings that it has no insight into how government clients use its hacking tools, and therefore does not know who governments are targeting.

But one expert, John Scott-Railton of Citizen Lab, who has worked with WhatsApp on the case, said NSO’s control of the servers involved in the hack suggests the company would have had logs, including IP addresses, identifying the users who were being targeted.

“Whether or not NSO looks at those logs, who knows? But the fact that it could be done is contrary to what they say,” Scott-Railton said.

The new developments in the case come as NSO is facing separate questions about the accuracy of a tracking product it has launched following the outbreak of Covid-19. The new program, called Fleming, uses mobile phone data and public health information to identify who individuals infected with coronavirus may have come into contact with. A report by NBC last weekend said NSO’s new tool was being marketed in the US.

But in a Twitter thread, Scott-Railton said his analysis showed it was relying on data that appeared very imprecise.

“When you are working with data with this much built-in inaccuracy, it would be pretty intense to issue alerts each time this happened. Or to require quarantines. Or testing. The rates of false positives here would be through the roof. But … so would false negatives,” he said.