Spyware Maker Liable for Hacks

You know, I really hate saying, “I told you so….but….” Back in 2013, I witnessed the capabilities of the Pegasus spyware. I was introduced to the NSO group through an Israeli colleague of mine, where our friendship went back to just after the 9-11 attacks. Right in front of me, NSO actually took control of a cell phone (though a demo, I hoped). They then touted the magnitude of what this type of surveillance could provide to law enforcement and governments. I immediately said, “if that was a true takeover of a cell phone, you just committed a US federal crime.” They assured me that it was just a demonstration of the Pegasus capabilities. I told them that without a telecommunications US federal search warrant, called an Electronic Surveillance Title III search warrant,[1] their Pegasus surveillance device (before it was called Spyware) would not be permitted for use in the US. Well, they left disappointed and I, a bit relieved that their demo, was just that, a fake takeover of a cell phone. But I kept my eyes on NSO and Pegasus. My Israeli colleague dropped promoting the service (which I thought wise), but the other world markets didn’t necessarily take the same stance.

It is now being reported that NSO has been found liable for the compromise of hundreds of WhatsApp users, in a historic US court ruling. US Federal Judge P. Hamilton said on 20 December 2024 that the NSO Group[2] broke US state and federal laws and WhatsApp’s terms of service, by using zero-day exploits in the popular messaging tool to deploy its Pegasus spyware on at least 1400 devices. Meta-owned WhatsApp took the Israeli firm to court five years ago, arguing at the time that “attackers used servers and internet-hosting services that were previously associated with NSO.”[3] We are now all connected globally, and sovereign laws are now starting to catch up with this fact.

The ruling added that the attacks were not used for legitimate policing efforts, which the NSO Group often claims of its services, but that they target journalists, human rights activists, political dissidents and senior government officials. Delivering her ruling, the US federal judge in Northern California claimed that NSO Group failed to comply with a court order requiring the firm to provide access to its Pegasus source code or turn over important emails.

See: https://redskyalliance.org/xindustry/us-cracks-down-on-predatory-spyware-firm

A WhatsApp executive described the ruling as “a huge win for privacy” in a post on Threads. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” he added. “Surveillance companies should be on notice that illegal spying will not be tolerated. WhatsApp will never stop working to protect people’s private communication.”

NSO Group’s zero-click attacks are a common feature of commercial spyware makers, who operate in a legal grey area, despite efforts from the Biden administration to clamp down on their practices. NSO Group was placed on a US export blacklist in 2021, while similar firms such as Intellexa were sanctioned in recent years. An executive order last year banned US government use of any commercial spyware previously misused by foreign states to spy on citizens, dissidents, activists and others.

Not all tech companies have been as successful as WhatsApp in pursuing commercial spyware makers. In September 2024, Apple dropped its suit against NSO Group, citing risks to its threat intelligence program. Why Apple?

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings: