Facebook offers proof of NSO hacking WhatsApp in US

NSO promises future response

A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S. (photo credit: REUTERS/STEVE MARCUS)
A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S.
(photo credit: REUTERS/STEVE MARCUS)
Facebook significantly upped the ante on Friday in its blockbuster US lawsuit against NSO Group for allegedly hacking around 1,400 of its WhatsApp users accounts, giving detailed proof of NSO acting within the US for the first time.
To date, NSO has denied the allegations and denied that it operates in the US in any fashion.
Further, NSO has said that it should have sovereign immunity from the lawsuit since it works hand-in-hand with foreign governments’ intelligence agencies.
Facebook’s legal brief on Friday said it was exposing a massive NSO attack infrastructure operating in the US, in direct contradiction of NSO’s defenses, under the guise of third parties.
The social media giant said that its attacks on WhatsApp users were hosted by Amazon Web Services in the US and by the Californian company QuadraNet (with a German provider).
Further, Facebook asserted that NSO had a contract with QuadraNet, using its server “more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.”
The brief named the remote server IP addresses 5 and as being used for the attacks.
Moreover, the brief listed a bunch of subdomains which were all allegedly hosted on Amazon servers covering the dates of the attacks.
The new revelations could make it harder for NSO to continue to deny any US operations and harder to get out of the lawsuit with a sovereign immunity defense.
The October 29 lawsuit had already alleged NSO creating specific WhatsApp accounts in Cyprus, Israel, Brazil, Indonesia, Sweden and the Netherlands to achieve the hack, and mentioned malicious servers owned by Choopa, Quadranet and Amazon Web Services.
A sticking point in the public debate and likely in the US case could be cutting through whether NSO can really “provide basic technical support” without at least indirectly touching on “any operational activity” – it claims the two issues are separate.
Another key question, even if NSO gets past that first issue is whether NSO can be held responsible for what its clients do using a broad theory of negligence – the same way that those dealing in hazardous materials can be held liable for all sorts of indirect and unintended impacts from those materials.
However, Facebook’s latest evidence suggested that NSO was directly involved.
NSO could also be held liable for producing a hazardous cyber tool of sorts, without which Facebook’s clients could not have been hacked by NSO’s clients.
Without formally admitting to Facebook’s specific lawsuit, with a wink and a nod, NSO sources have indirectly admitted to The Jerusalem Post in the past that hacking a service like Facebook’s WhatsApp to stop bad guys is part of why they need to exist.
NSO responded to Facebook’s brief saying, “Our products are used to stop terrorism, curb violent crime, and save lives. NSO Group does not operate the Pegasus software for its clients, nor can it be used against US mobile phone numbers, or against a device within the geographic bounds of the United States.”
“Our past statements about our business, and the extent of our interaction with our government intelligence and law enforcement agency customers, are accurate,” noting that “we will be filing a brief in response to these latest filings by WhatsApp in the coming days.”
If the hack occurred, Facebook and individual users might have a right to significant civil damages.