Facebook Sues Israel's NSO Group Over Alleged WhatsApp Hack

Facebook is seeking to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services after hacking spree that targeted journalists, diplomats, activists and others

The logo of the Israeli NSO Group on a building where they had offices in Herzliya, Israel, August 25, 2016.
Daniella Cheslow,AP

Facebook Inc. on Tuesday sued Israeli cyber surveillance firm NSO Group, alleging it hacked users of messaging platform WhatsApp earlier this year.

The hacking spree targeted journalists, diplomats, human rights activists, senior government officials and others, Facebook said in its lawsuit, filed in U.S. District Court in San Francisco.

Facebook is seeking to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services and is seeking unspecified damages.

>> Read more: Revealed: Israel's cyber-spy industry helps world dictators hunt dissidents and gays

NSO’s representatives in Washington and Tel Aviv did not immediately return messages seeking comment.

NSO’s alleged use of a flaw in WhatsApp to hijack phones caused international consternation when it was made public in May of this year.

At the time, WhatsApp said the flaw was used to target a “select number of users” but gave little further detail.

NSO’s phone hacking software has been implicated previously in a series of human rights abuses across Latin America and the Middle East, including a sprawling espionage scandal in Panama and an attempt to spy on an employee of the London-based rights group Amnesty International.

Pegasus, NSO’s flagship product, enables almost total and clandestine control over a cellphone. It can determine the phone’s location, tap the phone and record calls. It can also be used as a microphone to listen to anything nearby and can enable the camera remotely. All mail and text messages can be read – and written – and apps can be downloaded. Any other information on the phone, such as pictures, videos, reminders, calendars, contacts, and so on may also be accessed.

Human rights at risk

In May, human rights groups filed a petition in an Israeli district court asking to revoke NSO's defense export license, while WhatsApp urged users to upgrade their apps to correct a vulnerability to NSO's software.

The suit claimed the defendants have put human rights at risk by allowing NSO to continue exporting its products, undermined the foundations of democratic government, violated Israel’s international commitments and exceeded the authority of the Defense Ministry.

The petition against the Defense Ministry claimed that in the summer of 2018 an attempt was made to take control of the mobile phone of an Amnesty staff member, a Saudi human rights worker, using Pegasus – though it is not clear whether this attempt was successful.

In its response, NSO said it investigated "any credible allegations of misuse and if necessary, we take action, including shutting down the system."

Under no circumstances, said the statement, "would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies." 

"NSO would not or could not use its technology in its own right to target any person or organization, including this individual."

Amnesty says that in August 2018, a staff member received a message in Arabic which contained a link “purporting to be about a protest outside the Saudi Arabian embassy in Washington. It was sent at a time when Amnesty International was campaigning for the release of Saudi women human rights activists. If clicked, the link would have secretly installed Pegasus software, allowing the sender to obtain near-total control of the phone.”

Such attempts could have a “chilling effect” on activists, said the plaintiffs. They also refer to a lawsuit filed in September 2018 requesting to revoke NSO’s export license to Mexico based on reports that its software was being used to target human rights activists there. A gag order was imposed on the ruling, but the present suit claims the necessary conclusions from the previous suit were not implemented.