Israeli Spyware Firm NSO Group Found Liable for Hacks of WhatsApp Users
A California court recently ruled against the Israeli firm NSO Group, which has become infamous for hacking numerous encrypted platforms.
By Derrick Broze, The Last American Vagabond
In late December the Northern District of California ruled against Israeli spyware firm NSO Group, finding the controversial firm liable for hacking and a breach of contract.
The ruling was the latest in a five-year battle between NSO Group and WhatsApp over the Israeli company’s Pegasus spyware infiltrating WhatsApp’s servers to spy on WhatsApp users.
Overall, the ruling was a win for WhatsApp with the court finding in favor of their motions for sanctions against NSO Group. However, the court also ruled against elements of WhatsApp’s sanctions request.
The court found that NSO Group is subject to evidentiary sanctions for refusing to comply with discovery requests after the court ordered the company to comply and produce various documents. The company is notorious for attempting to impede lawsuits by refusing to provide relevant information, including a now dropped lawsuit filed by Apple.
NSO Group used their malicious spyware known as Pegasus to infiltrate and monitor devices and extract information using what are known as zero-click exploits. This means that a user does not need to click on a link or download a program for a hacker to access their devices. Instead, Pegasus exploits existing software like WhatsApp’s servers.
In this specific case, NSO Group was found liable for hacking journalists and employees of El Faro, an independent publication which primarily serves Central America. NSO Group and clients using their spyware used the zero-click exploits to install Pegasus on iPhones of 22 employees of El Faro between June 2020 and November 2021.
The court found that NSO Group exceeded its “authorized access” to WhatsApp’s servers and breached WhatsApp’s terms of service by transmitting its infiltration code and learning information about target devices through WhatsApp’s servers. The court found NSO Group liable under the Computer Fraud and Abuse Act (“CFAA”), California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), and for breach of contract.
Damages will be decided at a trial in 2025.
The Electronic Privacy Information Center (EPIC) called the ruling a “win for the journalists, activists, politicians, and everyday users that NSO Group targets to help authoritarian governments”.
EPIC filed an amicus brief against NSO Group arguing that foreign spyware is not exempt under the CFAA when the exploited computers are located in the United States. In their brief, EPIC noted that, “Unlike a one-click attack, which requires a target to click on a link in order to trigger the attack, a zero-click attack downloads and installs spyware on the target’s device without the target’s involvement or awareness, making it all but impossible for even sophisticated smartphone users to prevent or detect attacks.”
“The Pegasus attacks not only caused Plaintiffs serious personal harms, but also upended Plaintiffs’ professional lives,” EPIC wrote. “Plaintiffs have fundamentally altered how they use their iPhones, making it considerably more costly and time-consuming to conduct the in-depth, independent reporting for which El Faro is known.”
EPIC has also submitted a Freedom of Information Act request to the FBI seeking information about its connections to NSO Group and use of Pegasus spyware. The organization has yet to hear back from America’s largest law enforcement agency.
Despite the court ruling and the attempt at sanctioning NSO Group, the firm is unlikely to be deterred from continuing its surreptitious practices. As a November court filing made clear, even after NSO Group was sued by Meta (the parent company of WhatsApp), they continued the practice of spying on users.
“The evidence unveiled shows exactly how NSO’s operations violated U.S. law and launched their cyber-attacks against journalists, human rights activists and civil society,” a WhatsApp spokesperson told CyberScoop via email.
NSO Group’s Web of Infiltration
The Last American Vagabond has previously reported on the NSO Group and the rise of the “offensive spyware market”. The type of software sold by NSO Group is known as spyware because it is explicitly aimed at helping the user gain unauthorized remote access to an internet-enabled device for surveillance and data extraction.
The NSO Group first came to prominence in 2020 when more than 50,000 phone numbers belonging to individuals identified as “people of interest” by nations using Pegasus were leaked to Amnesty International and Forbidden Stories.
This data was then distributed to 17 media outlets under the name “The Pegasus Project”, including The Guardian, Le Monde, The Washington Post, Frontline, The Wire, and Proceso. Their reporting revealed that NSO Group developed and supplied their Pegasus spyware to international governments which in turn used the tool to target government officials, journalists, activists, academics, and embassy workers.
The reporting from The Washington Post showed that Pegasus was used to target the wife of journalist Jamal Khashoggi months before he was murdered. Pegasus leadership has denied their spyware was used in the murder.
In February, Poland’s Prime Minister announced that the previous government had deployed NSO Group’s Pegasus to hack opposition politicians.
In 2022 it was reported that the FBI had purchased a license to use Pegasus. FBI Director Christopher Wray claimed the purchase was only for research and development purposes.
“To be able to figure out how bad guys could use it, for example,” he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified.
However, internal FBI documents and court records obtained by The New York Times showed that FBI officials attempted to use Pegasus in 2020 and 2021 in their own criminal investigations. After the Times reported on the secret purchase and attempted use of Pegasus, the FBI conducted an internal investigation to uncover who used the tools, only to find out that the FBI itself contracted with vendor Riva Networks.
In fact, the FBI contracted with Riva Networks to track drug smugglers in Mexico using Landmark, another NSO Group technology known for tracking cell phones.
Paragon Solutions: Yet Another Israeli Spyware Firm
In September 2024, the US Immigration and Customs Enforcement (ICE) signed a $2 million one-year contract with another controversial Israeli spyware vendor, Paragon Solutions. The contract involved Paragon’s US subsidiary based in Chantilly, Virginia and ICE’s Homeland Security Investigations Division 3.
Paragon claims its tools can help law enforcement and governments remotely crack encrypted messaging platforms like WhatsApp, Telegram, Signal, and Facebook Messenger.
The agreement calls for Paragon to provide ICE with a “fully configured proprietary solution including license, hardware, warranty, maintenance and training.” The agreement was first reported on by Wired.
Within weeks of the ICE-Paragon contract becoming public, Wired reported the contract was under review by the White House to see if it violates a 2023 Executive Order issued by the Biden administration. Executive Order 14093 was signed by President Joe Biden in March 2023 as part of an ongoing US government effort ostensibly aimed at restricting the use of commercial spyware by U.S. agencies.
The EO says the US government will continue to promote the “responsible use” of spyware that aligns with promoting “democratic values”. Despite the U.S. government efforts to prosecute journalists like Julian Assange, the EO claims the U.S. has an interest in “promoting respect for human rights; and defending activists, dissidents, and journalists against threats to their freedom and dignity.”
Emily Tucker, the executive director at the Center on Privacy and Technology at Georgetown Law, told Vanity Fair that an “impending disaster” between privacy and the growth of the spyware industry was inevitable.
“You may believe yourself not to be in one of the vulnerable categories, but you won’t know if you’ve ended up on a list for some reason or your loved ones have,” Emily Tucker warned. “Every single person should be worried.”
By October 31st, more than 30 civil society and digital rights organizations and spyware experts signed a letter which calls on the Department of Homeland Security to release details about its $2 million contract with Paragon.
In 2021, Forbes first reported on the existence of Paragon and noted that many of Paragon’s employee LinkedIn profiles reveal their connections to Israeli intelligence. Paragon’s cofounder, director, and chief shareholder Ehud Schneorson was a former commander of Israel’s elite Unit 8200. Paragon’s CEO Idan Nurick and CTO Igor Bogudlov are also former members of Israeli intelligence.
Former Israeli prime minister Ehud Barak is also listed as a cofounding director and investor. Barak is known for his connections to Israeli firms Toka and Carbyne911 (now Carbyne). He is also infamous for accompanying Jeffrey Epstein on his private plane dozens of times.
In addition to the investment from Ehud Barak, Paragon has also received significant financial resources from Boston-based investment firm Battery Ventures. Forbes reported that two anonymous senior employees at companies in the Israeli surveillance industry said Battery Ventures invested between $5 and $10 million. Battery’s Israel-based vice president Aaron Rinberg is also listed as a “board observer” at Paragon.
Battery is known for its financial investments in several successful companies, including Coinbase, Groupon, Splunk, SkullCandy and Pokémon Go creator Niantic.
With less than three weeks until Donald Trump returns to the White House, the American public ought to continue watching the spyware industry and the growing number of contracts between these surveillance firms and the U.S. government.