This spring, a team of engineers at WhatsApp detected a series of suspicious calls on the messaging service’s networks, many of them emanating from phone numbers in Sweden, the Netherlands, Israel, and other countries. At first, WhatsApp wasn’t sure what was happening. Then the engineers, working with their counterparts at Facebook, which owns WhatsApp, realized that the voice and video calls were somehow infecting targeted phones with advanced spyware, using a penetration method that the company had never encountered before. Most disturbing to the investigators was that it appeared many of the targeted phones became infected whether the calls were answered or not—what’s known as a zero-click vulnerability.
The malware then instructed the targeted phones to upload their content to servers owned by Amazon Web Services and other companies, where the stolen data was stored and could be accessed by the intruders. After the malware was loaded on some of the targeted phones, the call logs were wiped. Victims who heard their phones ringing overnight found no evidence of the calls in the morning.
On May 13th, WhatsApp announced that it had discovered the vulnerability. In a statement, the company said that the spyware appeared to be the work of a commercial entity, but it did not identify the perpetrator by name. WhatsApp patched the vulnerability and, as part of its investigation, identified more than fourteen hundred phone numbers that the malware had targeted. In most cases, WhatsApp had no idea whom the numbers belonged to, because of the company’s privacy and data-retention rules. So WhatsApp gave the list of phone numbers to the Citizen Lab, a research laboratory at the University of Toronto’s Munk School of Global Affairs, where a team of cyber experts tried to determine whether any of the numbers belonged to civil-society members.
On Tuesday, WhatsApp took the extraordinary step of announcing that it had traced the malware back to NSO Group, a spyware-maker based in Israel, and filed a lawsuit against the company—and also its parent, Q Cyber Technologies—in a Northern California court, accusing it of “unlawful access and use” of WhatsApp computers. According to the lawsuit, NSO Group developed the malware in order to access messages and other communications after they were decrypted on targeted devices, allowing intruders to bypass WhatsApp’s encryption.
The lawsuit also details how NSO Group may have planned the attack, noting that the company had created a series of WhatsApp accounts that were used to initiate the calls which injected the spyware onto the victims’ phones. An NSO Group employee appeared to reach out directly to someone involved in patching the WhatsApp vulnerability after it was disclosed, writing, “You just closed our biggest remote for cellular. . . . It’s on the news all over the world,” according to the lawsuit.
NSO Group said in a statement in response to the lawsuit, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” In September, NSO Group announced the appointment of new, high-profile advisers, including Tom Ridge, the first U.S. Secretary of Homeland Security, in an effort to improve its global image.
In a statement to its users on Tuesday, WhatsApp said, “There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”
The Citizen Lab’s investigation into the identities of the victims is ongoing. So far, the university laboratory said that the attacks targeted at least a hundred members of civil society in at least twenty countries. The list of targets includes prominent religious leaders of multiple faiths, well-known journalists and television personalities, and human-rights activists and human-rights lawyers. John Scott-Railton, a senior researcher at the Citizen Lab, said, “It is the largest attack on civil society that we know of using this kind of vulnerability.” He added that the Citizen Lab is not releasing the names of the victims at this time, because of confidentiality restrictions.
In addition to targeting civil-society members, the malware was used against diplomats and foreign government officials, presumably by NSO Group’s customers, which include law-enforcement and intelligence agencies.
This piece has been updated to include a comment from NSO Group.