NSO ran US-based attack servers: Facebook

Facebook has filed legal documents that it says shows that Israeli spyware vendor NSO Group ran command and control servers on American cloud providers, which the social network says were used to hack hundreds of WhatsApp users.

Source: John Scott-Railton/Twitter

Security researcher John Scott-Railton who with the University of Toronto's Citizenlab helped track the activities of NSO Group noted that the new documents presented evidence that the hacked devices connected to servers on California-located cloud providers QuadraNet and Amazon Web Services.

Ah! Another interesting detail, @WhatsApp engineers observed 723 NSO attacks on users in which phones, once exploited, reached out to NSO-owned servers in California (104.223.76[.]220 - @QuadraNet & 54.93.81[.]200 - @amazon) pic.twitter.com/cgPo03WKfo

— John Scott-Railton (@jsrailton) April 24, 2020

The new legal filings could undermine NSO Group's claims that it was not directly involved in the hacking of WhatsApp users as attacks were done through servers paid for by the Israeli spyware vendor.

NSO Group has maintained that its clients are doing the hacking, and that it wasn't involved the attacks.

Some 1400 WhatsApp users are said to have been attacked with NSO Group spyware, which was deployed on users' devices via a vulnerability in the messaging app.

NSO Group also argued that the case against the spyware vendor and its management should be dismissed as American courts have no jurisdiction over an Israeli company and that its alleged overseas government clients meant it had immunity from prosecution.

It's chief executive Shalev Hulio stated earlier that "NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorised agents" and that those sovereigns and not NSO operate the spyware.

Facebook and WhatsApp responded to the motion to dismiss, saying NSO Group was a commercial company and could not seek immunity as a foreign state as there was no basis in law for it be considered as such.

"Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s US-based servers, including in California, to hack into WhatsApp users’ devices.

Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn," WhatsApp and Facebook said.

Facebook sued the Israeli spyware vendor in October last year, alleging NSO Group was responsible for reverse-engineering WhatsApp in order to develop a hack to intercept the communications of activists, journalists and dissidents.

WhatsApp incurred costs to investigate the hacks and the vulnerability, and to develop and deploy a patch against it, Facebook said.

The messaging app also suffered loss of goodwill, and impairment to the integrity, quality and value of WhatsApp services, the social network claimed.

Known for its Pegasus spyware, NSO Group is also being sued for its alleged role in the monitoring of American journalist Jamal Khashoggi, who was murdered by Saudi Arabian government agents.