A federal judge in California agreed with WhatsApp that NSO Group, the Israeli cyber surveillance company behind the Pegasus spyware, had hacked into its systems by sending malware through its servers to the phones of thousands of its users. WhatsApp and its parent company, Meta, sued NSO Group in 2019 and accused it of spreading malware to 1,400 mobile devices in 20 countries for the purpose of surveillance. They revealed at the time that some of the attacked phones were owned by journalists, human rights activists, prominent female leaders and political dissidents. <a target="_blank" data-i13n="cpos:2;pos:1" href="https://www.washingtonpost.com/technology/2024/12/20/whatsapp-meta-nso-pegasus-hacking-spyware/?pwapi_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZWFzb24iOiJnaWZ0IiwibmJmIjoxNzM0NjcwODAwLCJpc3MiOiJzdWJzY3JpcHRpb25zIiwiZXhwIjoxNzM2MDUzMTk5LCJpYXQiOjE3MzQ2NzA4MDAsImp0aSI6ImZkMjU0MzM5LWE3NzYtNDkzMi04MGNmLWYxMDk3M2U2NGJlZCIsInVybCI6Imh0dHBzOi8vd3d3Lndhc2hpbmd0b25wb3N0LmNvbS90ZWNobm9sb2d5LzIwMjQvMTIvMjAvd2hhdHNhcHAtbWV0YS1uc28tcGVnYXN1cy1oYWNraW5nLXNweXdhcmUvIn0.AsUnT6oPsVyy7Gkad4ECICGIMMqkIaiMBPpFUpwL86g” rel=”nofollow noopener” target=”_blank” data-ylk=”slk:The Washington Post;cpos:2;pos:1;elm:context_link;itc:0;sec:content-canvas” class=”link “>Washington Post reports that District Judge Phyllis Hamilton granted WhatsApp's motion for summary judgment against NSO and ruled that it had violated the US Computer Fraud and Abuse Act (CFAA).
The NSO Group disputed the allegations in the “strongest possible terms” when the lawsuit was filed. It denied having anything to do with the attacks, telling Engadget at the time that its sole purpose was to “provide technology to authorized government intelligence and law enforcement agencies to help them fight terrorism and serious crime.” The company argued that it should not be held responsible, because it is limited to selling its services to government agencies, which determine its objectives. In 2020, Meta escalated its lawsuit, accusing the company of using US-based servers to orchestrate its Pegasus spyware attacks.
Judge Hamilton ruled that NSO Group violated the CFAA because the firm appears to fully recognize that the modified WhatsApp program its clients use to attack users sends messages through legitimate WhatsApp servers. Those messages then allow Pegasus spyware to be installed on users' devices; Targets don't even have to do anything, like pick up the phone to take a call or click on a link, to become infected. The court has also determined that the plaintiff's motion for sanctions should be granted because the NSO Group “has repeatedly (failed) to produce relevant discoveries,” the most significant of which is the Pegasus source code.
WhatsApp spokesperson Carl Woog said The mail “We are grateful for today's decision,” Woog told the publication. “NSO can no longer escape responsibility for its illegal attacks on WhatsApp, journalists, human rights activists and civil society. With this ruling, spyware companies should be warned that their illegal actions will not be tolerated.” In her decision, Judge Hamilton wrote that her order resolves all issues regarding NSO Group's liability and that only a trial will proceed to determine how much the company must pay in damages.
