The social media giant Facebook has lodged a lawsuit in a US court against NSO Group which is an Israeli company that sells spyware products. The company claims that NSO Group has sold and had direct involvement in the deployment of a WhatsApp zero-day against more than 1,400 users.
Earlier this year, it was found that WhatsApp had a critical vulnerability which was exploited by the attackers in the wild to remotely install Pegasus spyware on targeted Android and iOS devices. In this WhatsApp zero-day which occured in May, the NSO Group is believed to have developed an exploit that abused a feature in WhatsApp’s VoIP calling feature.
In the zero-day, targets would get a WhatsApp call, but specially crafted RTCP packets allowed an attacker to run malicious code that installed the NSO Group’s Pegasus spyware kit on targeted devices whether it be Android or iPhones.
During that time, Facebook fixed the vulnerability in updates and issued an advisory but did not issue any official statements.
Will Cathcart, Head of WhatsApp at Facebook reported that after months of investigation they are sure of who is behind this attack. They have also filed a complaint in federal court that explains what happened and attributes the intrusion to an international technology company called NSO Group.
According to the information the company has collected during the investigation, they understood that the attackers used servers and Internet-hosting services that were previously associated with NSO. Besides, they have tied certain WhatsApp accounts used during the attacks back to NSO. He also stated that while their attack was highly sophisticated, they were not successful in covering their tracks.
According to court documents, the attack targeted more than 1,400 devices belonging to attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.
Facebook confirmed that depending on the country codes of the targeted WhatsApp numbers, the users were located in the Kingdom of Bahrain, the United Arab Emirates and Mexico.
The company has sent “a special WhatsApp message” to notify all device holders about the May attacks. They have also published a FAQ page on the WhatsApp website.
Facebook said the main aim of the lawsuit was to hold NSO accountable under US state and federal laws, including the Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act. Facebook has also named NSO Group’s parent company ‘Q Cyber Technologies’ as a second defendant in the case.
Earlier the company said several times that they sell their hacking tools to customers, but are not responsible for what they do with its code. However, the Facebook lawsuit wants to prove else and link the company to an active hacking campaign.
The NSO Group pledged in September to follow the UN’s human rights policy and fight against customers who use its tools to spy on innocents, political opponents, and journalists.