Facebook sued the Israeli hacker-for-hire company NSO Group on Tuesday in U.S. federal court for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp including diplomats, political dissidents, journalists and senior government officials.
The lawsuit filed in San Francisco is the first legal action of its kind, according to Facebook, involving a nearly totally unregulated realm. In the lawsuit, they accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.
Facebook says NSO Group violated laws including the U.S. Computer Fraud and Abuse Act with a crafty exploit that took advantage of a flaw in the popular communications program allowing a smartphone to be penetrated through missed calls alone.
"It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world," the head of WhatsApp, Will Cathcart, wrote in an op-ed published by The Washington Post.
He said that since discovering the malware operation in May, Facebook learned that the attackers were using servers and internet-hosting services previously associated with NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.
NSO Group issued a statement in which it did not directly deny hacking WhatsApp but which said it disputed the allegations and vowed to "vigorously fight them."
"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," the company said. "Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years."
It said strongly encrypted platforms are used by pedophile rings, drug traffickers and terrorists and that NSO's technologies "provide proportionate, lawful solutions."
Facebook demands in the suit that NSO Group be denied access to Facebook's services and systems and seeks unspecified damages.
Cathcart said leaders of tech firms "should join U.N. (free speech) Special Rapporteur David Kaye's call for an immediate moratorium on the sale, transfer and use of dangerous spyware."
"This is huge. I am really glad to see a tech company put their massive litigation team on the field on behalf of users," tweeted Alex Stamos, a Stanford University researcher and former Facebook chief security officer.
WhatsApp is the world's most popular communications software, with about 1.5 billion users in 180 countries.
Citizen Lab, a cybersecurity research laboratory based at the University of Toronto that worked with WhatsApp to investigate the phone hacking, told Reuters that the targets included well-known television personalities, prominent women who had been subjected to online hate campaigns and people who had faced "assassination attempts and threats of violence.”
Neither Citizen Lab nor WhatsApp identified the targets by name.
John Scott-Railton, a researcher with Citizen Lab, called the hack "a very scary vulnerability" when it was discovered. "There's nothing a user could have done here, short of not having the app."
The lawsuit alleges that malicious code from NSO was sent from April 29 through May 10 over WhatsApp servers. The aim was to infect some 1,400 devices whose users included attorneys, journalists, human rights activists, political dissidents, diplomats and other government officials. It said the targeted phone numbers were in countries including Bahrain, United Arab Emirates and Mexico.
NSO's spyware has repeatedly been found deployed to target such people. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi Consulate in Istanbul last year and whose body has never been found.
Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to "stop it profiting from state-sponsored repression."
In the lawsuit, Facebook alleges that after it publicly announced that it had identified and closed the vulnerability an NSO employee complained "You just closed our biggest remote for cellular... It's on the news all over the world."
The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle.
NSO Group's flagship malware, called Pegasus, allows spies to effectively take control of a phone, remotely and surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal and geolocation data.
A European private equity firm, Novalpina Capital LLP, bought a majority stake in NSO Group in February. It claimed in a May statement that "highly targeted interception technologies" of the kind NSO Group produces "play a critical role in protecting the public" and can do so without undermining privacy rights or free speech.