WhatsApp has just pushed a significant update to its 1.5 billion users. That’s because the messaging service has discovered a security flaw that enabled attackers to remotely install spyware, possibly without the target of the surveillance even being aware of it.
A “select” group of users were targeted by an “advanced cyber actor,” the company said. So who might have been responsible? “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said.
To anyone immersed in the murky world of cybersecurity and surveillance, it was pretty clear who WhatsApp was referring to. A source familiar with the investigation tied the spyware to an Israel-based security developer called NSO Group.
What is NSO Group?
NSO is a multi-million-dollar Israeli tech firm that specializes in cyber-surveillance tools. Appropriately for the sphere in which it works, the company prefers to work in the shadows. Its executives rarely talk to the media and it does not say very much about its clients.
Its flagship product is Pegasus, a powerful piece of malware designed to track a user’s cellphone. The software is able to infect a device after a single click on a link in a fake text message, which then grants complete access to the phone. Data stored on the phone – messages, phone calls and even GPS location data – are visible, allowing NSO’s clients to see where someone is, who they are talking to, and about what.
NSO Group told CNN on Monday that its technology was licensed only to government agencies, and “for the sole purpose of fighting crime and terror.” The company has no role in identifying the targets of its technology, “which is solely operated by intelligence and law enforcement agencies,” it said in a statement.
Who uses the NSO Group’s spyware?
Up to 45 countries use NSO’s Pegasus technology, according to researchers with the Toronto-based Citizen Lab, an academic security research group that investigates digital threats to civil society groups and online freedom of expression.
At least six of those countries – Saudi Arabia, the United Arab Emirates, Bahrain, Mexico, Morocco and Kazakhstan – “have previously been linked to abusive use of spyware to target civil society,” Citizen Lab noted in a report in September.
Shalev Hulio, the CEO of NSO Group, said earlier this year that his company only sells its products to government agencies. “All sales are authorized by Israel’s Defense Ministry and are only made to states and their police and law enforcement organizations” and “only for use fighting terrorism and crime,” Hulio told Yedioth Ahronoth, one of Israel’s largest newspapers.
Hulio defended the firm’s technology, and said that if clients were found to be abusing the software, NSO Group could disconnect it – and had done so three times in the past, though he declined to identify who the customers were.
“I will say with modesty that thousands of people in Europe owe their lives to the hundreds of workers [we have] in Herzliya,” Hulio said, referring to the Israeli town where the company is based. “I reiterate that any use [of our technology] that goes beyond the criteria of saving human lives at risk from crime or terror will prompt our company to take immediate steps, unequivocally and decisively.”
But cyber security expert Michael Shaulov told CNN that once the software was sold to a country, NSO Group had little control over what it was used for.
“Even when [NSO Group sells] the software to specifically the law enforcement agency that specifically bought it, in the case that those guys want to go after what we call illegitimate targets, NSO has no control [over it],” Shaulov said. “They cannot really prevent it.”
The firm attracted attention in the aftermath of the murder of Jamal Khashoggi last year, when a friend of the Washington Post journalist claimed that their conversations had been intercepted by Saudi authorities using spyware created by NSO Group.
Omar Abdulaziz, a Montreal-based activist, had been communicating with Khashoggi via WhatsApp in the year before the journalist was killed at the Saudi consulate in Istanbul last October. In their private messages, Khashoggi was far more critical of Saudi Arabia than he was in public.
Abdulaziz is suing NSO Group, accusing it of violating international law by selling its software to oppressive regimes. Researchers at Citizen Lab believe Abdulaziz’s phone was targeted with military-grade spyware developed by NSO Group. “The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdulaziz told CNN in December. “The guilt is killing me.”
The company has denied any involvement in the tracking of the Saudi journalist or his killing.