Big Tech giants, such as Microsoft, Google, Cisco, VMWare, and the Internet Association, have decided to back Facebook in a major legal battle against the NSO Group over allegations that the latter exploited a critical vulnerability in WhatsApp to inject surveillance malware into users’ devices.
In October last year, Facebook filed a lawsuit against NSO Group in California, alleging that NSO Group “used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices” and that the firm developed their malware “in order to access messages and other communications after they were decrypted on Target Devices”.
In its complaint, Facebook alleged that NSO Group and its agents used WhatsApp servers and the WhatsApp Service to send discrete malware components to target devices after setting up various WhatsApp accounts and remote servers to conceal their involvement.
Using Facebook’s servers, NSO Group initiated calls that secretly injected malicious code into target devices and then executed the codes to create a connection between the hijacked devices and its remote server. Once a connection was established, NSO Group caused target devices to download and install additional malware, including Pegasus, for the purpose of accessing data and communications.
“Between approximately January 2018 and May 2019, Defendants created WhatsApp accounts that they used and caused to be used to send malicious code to Target Devices in April and May 2019. The accounts were created using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands.
“Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers. Defendants’ program was sophisticated, and built to exploit specific components of WhatsApp network protocols and code,” the complaint read.
Facebook further alleged that because of NSO Group’s covert activities that caused damage to its reputation and destroyed the goodwill between the company and its users, it suffered damages in excess of $75,000 and asked the Court to award it “compensatory, statutory, and punitive” damages.
This week, several major technology companies, including Microsoft, Google, and VMWare filed an amicus brief against NSO Group, stating that the business model of private-sector offensive actors, who enable their customers to break into people’s computers, phones, and internet-connected devices, cannot be allowed to continue as it seriously threatens the security and privacy of organisations and individuals.
The companies contended that no organisation should be legally allowed to use or sell offensive cyber tools and weapons that threaten the security of journalists, human rights campaigners, dissidents, rights activists, or even common people. Even if NSO Group sells cyber weapons only to governments, the same must not be allowed as there is a very real possibility of such tools falling in the wrong hands.
They said NSO Group supplies cyber-surveillance tools to the likes of the United Arab Emirates, Uzbekistan, Bahrain, Egypt, Ethiopia, Kazakhstan, Mexico, Morocco, Nigeria, Oman, Saudi Arabia, and Sudan and there is evidence of these governments using the tools to spy on human rights defenders, journalists and others, including U.S. citizens.
“These tools allow the user to track someone’s whereabouts, listen in on their conversations, read their texts and emails, look at their photographs, steal their contacts list, download their data, review their internet search history and more. Just yesterday The Citizen Lab reported that between July and August of this year NSO’s Pegasus program was used to hack 36 phones belonging to journalists, producers, anchors, and executives at Al Jazeera,” they said.
“The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of U.S. law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve.
“We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks,” the companies added.