Pegasus Spyware Manufacturer NSO Group Found Liable in WhatsApp Lawsuit, Violated US State and Federal Hacking Laws
The banned NSO Group’s infamous Pegasus spyware is in more trouble as WhatsApp has prevailed over it in court.
The Meta-owned messaging app accused the Israel-based spyware firm of exploiting a bug in its platform to leverage its attacks, with the court finding that NSO is liable and in violation of both state and federal hacking laws.
The ruling sets a precedent that NSO is responsible for how customers use the Pegasus spyware, and that US courts will potentially hold it liable for any attacks on US targets. The WhatsApp case began in 2019, well before the “Pegasus Papers” exposed the use of “clickless” zero-day exploits that compromised iPhone users via text messages. The company previously used other approaches that required users to interact with messages to download malware, including via WhatsApp.
Pegasus spyware found guilty, faces separate trial to determine damages payable to WhatsApp
WhatsApp initiated legal proceedings after discovering that NSO Group had used the Pegasus spyware to infect the phones of about 1,400 people via its messaging service over the course of two weeks in May 2019. The case took over five years to resolve, with the judge noting that NSO repeatedly failed to comply with court orders and slowed the process down as much as it was able to.
One of the central issues was that NSO repeatedly failed to make the Pegasus spyware source code available to WhatsApp as instructed by the court, and when it did, it initially tried to make it viewable only by an Israeli citizen who was in Israel at the time. The judge said that this directly contributed to her decision to allow sanctions against the company.
The case was also slowed by repeated appeals, as it gradually worked its way to the Supreme Court before being returned to the Northern District of California to proceed.
In 2020 NSO Group petitioned for “conduct-based immunity” under a claim that it was a foreign official acting in an official capacity. A trial judge’s decision against it was sent to the 9th U.S. Circuit Court of Appeals and then the Supreme Court, which both rejected the claim.
NSO Group was found to not only have exceeded its legal level of access to the WhatsApp servers and broken the terms of service, but to also have violated the US Computer Fraud and Abuse Act as well as the state of California’s Comprehensive Computer Data Access and Fraud Act.
The company will have to pay damages to Meta, which will be determined in a separate trial scheduled to begin in March 2025.
Pegasus spyware has specialized in abusing numerous software flaws
Though WhatsApp discovered the flaw in May 2019 and filed its complaint against NSO Group later that year, the court documents revealed that the company continued to incorporate WhatsApp in the Pegasus spyware until May 2020. NSO’s stock-in-trade has been finding these novel and highly dangerous exploits, and jumping from one to the other over the years as they are eventually discovered and patched out.
The company has consistently defended its actions by claiming it only sells its product to legitimate law enforcement and anti-terrorist agencies, and that it screens out dictatorships or authoritarian governments that might use it for activist, press or dissident surveillance.
Though NSO Group has been subject to blacklists and bans, this is the first time the Pegasus spyware has had a judgement made against it in a court. The legal precedent only applies in the United States, but it shoots down another of NSO’s core defenses of its product: that it cannot be held responsible for the actions customers take with it. The court filings may be of use in other cases, in that they establish that NSO directly participates in “installing and extracting” the malware used to siphon information from target devices.
Apple had a similar case against NSO Group in the works, after the Pegasus spyware exploited vulnerabilities in its iMessage system on at least two different occasions. Both of these vulnerabilities would enable the attacker to gain nearly complete access to the target phone with a text message, even if the victim did not open or interact with the message.
Apple opted to drop that case in September of this year, noting that proceeding with the case could expose sensitive information about its threat intelligence program. While it might be able to hold NSO to account, the information it would reveal in the process could be picked up by similar spyware vendors around the world and used against them.
(Courtesy: cpomagazine)