Endpoint Security , Governance & Risk Management , Open XDR
Other Tech Firms Back Facebook's Lawsuit Against NSO GroupMicrosoft, Google, Cisco and VMware File a Brief in Spyware Case
Several tech giants, including Microsoft, Google, Cisco and VMware, have filed a brief backing Facebook's lawsuit against Israel-based spyware firm NSO Group, which has been accused of hacking into Facebook-owned WhatsApp's instant messaging app to enable spying by the company's clients.
In a federal civil lawsuit filed in October 2019, Facebook alleged that NSO Group developed an exploit that enabled governments to spy on WhatsApp messages from diplomats, journalists, human rights activists and political dissidents. The lawsuit seeks unspecified damages as well as a permanent injunction banning NSO Group from accessing WhatApp’s systems (see: Facebook Sues Spyware Maker Over WhatsApp Exploit).
In July, a federal judge ruled that the lawsuit could proceed, and WhatsApp and Facebook are now seeking documents from NSO Group (see: Judge Rules Facebook's Lawsuit Against NSO Group Can Proceed).
On Monday, the tech firms, as well as the Washington-based Internet Association, filed a brief supporting Facebook’s lawsuit seeking damages and an injunction, stating that the spyware tools NSO Group sells are "powerful and dangerous."
"Foreign governments may use the technology in problematic ways, but beyond that, idiosyncratic misuse is a much greater systemic risk," the companies say in their brief. "Widespread creation and deployment of these tools by private companies acting for profit dramatically increases the risk that these vulnerabilities will be obtained and exploited by malicious actors other than the initial."
In a separate statement, Microsoft notes that, by filing the brief, the tech companies are looking to protect their customers and trying to prevent the proliferation of offensive cyber weapons for malicious purposes.
"We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks," Microsoft states, calling for the court to hold NSO Group liable for violating WhatsApp's security protections.
NSO Group did not immediately respond to a request for comment. But the company has maintained that its tools are only used by its clients to crack down on terrorist groups and for law enforcement purposes. The company has also repeatedly denied that its tools are used against activists and disputed the accusations in the WhatsApp lawsuit (see: Israeli Court Dismisses Complaint Against NSO Group).
Dispute Over Immunity
In seeking to have the U.S. lawsuit thrown out, NSO Group's lawyers argued in previous court filings that, because the company was acting as a contractor to governments, it was immune from legal actions. The company also argued that this immunity allows it to keep its list of clients private.
Facebook, however, argued that NSO Group should not be granted sovereign immunity because that would lead to wide-scale adoption of NSO's tools by repressive governments. In the brief filed Monday, the tech companies agreed.
"Expanding foreign sovereign immunity to private companies that use their own cyber-surveillance tools at the behest of their numerous foreign government customers would dramatically increase the creation and use of cyber-surveillance tools globally," the brief states. "As more companies develop these tools and more governments buy them, the risk that they will fall into the wrong hands increases exponentially and threatens all of us."
In its lawsuit, Facebook alleges that NSO Group violated several laws, including the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, by reverse-engineering its WhatsApp messaging app to develop an exploit that could deliver spyware called Pegasus to targeted devices by initiating a video call.
The exploit worked as a way to circumvent the security measures, including end-to-end encryption, that Facebook built into WhatsApp, the lawsuit states.
Pegasus, which can intercept communications and extract browser history and contacts, has been sold to customers that include the Kingdom of Bahrain, the United Arab Emirates and Mexico, according to news reports.
Over the last several years, organizations such as Amnesty International and Citizen Lab, a University of Toronto-based think tank, have published reports about how governments have allegedly used the Pegasus software to spy on human rights activists, journalists and others.
In a report published Sunday, Citizen Lab revealed that iPhones belonging to 36 Al Jazeera journalists were hacked using Pegasus software. The report says that NSO Group is now using "zero-click exploits," which enable its government clients to break into phones without any interaction from the target and without leaving any visible traces.
"The phones were compromised using an exploit chain that we call Kismet, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, Kismet was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11," the report said.
NSO tools have allegedly been used in other cyberattacks.
In January, following the hacking of Amazon CEO Jeff Bezos's smartphone, a digital forensic analysis conducted by FTI Consulting found that Bezos's device may have been infected with Pegasus software deployed by Saudi Arabian state actors (see: Investigators: Saudis Hacked Amazon CEO Jeff Bezos' Phone).
Also in January, Citizen Lab reported that a New York Times reporter was targeted with Pegasus as part of a campaign with possible links to a Saudi Arabia group (see: NY Times Reporter Targeted by Spyware: Report).