NSO Group Technologies Ltd. continued to develop spyware that used multiple zero-day WhatsApp exploits even after the instant messaging firm sued the Israeli surveillance firm over violation of federal and state anti-hacking laws, revealed a court filing filed by the messaging app and its parent company Meta that was published on Thursday.
Court filings reveal that NSO continued using WhatsApp servers to install Pegasus spyware on phones by calling the targeted device, even after the messaging platform detected and blocked the exploit in May 2019.
The allegations stem from a series of cyberattacks against WhatsApp users, including journalists, dissidents, and human rights advocates.
“As a threshold matter, NSO admits that it developed and sold the spyware described in the Complaint, and that NSO’s spywareโspecifically its zero-click installation vector called “Eden,” which was part of a family of WhatsApp-based vectors known collectively as “Hummingbird” (collectively, the “Malware Vectors”)โwas responsible for the attacks described in the Complaint. NSO’s Head of R&D has confirmed that those vectors worked precisely as alleged by Plaintiffs.” reads theย court filing.
NSO admits that NSO customers used its Eden technology in attacks against approximately 1,400 devices. Following the detection of the attacks, WhatsApp patched the Eden vulnerabilities and deactivated NSO’s WhatsApp accounts. However, the Eden exploit remained active until it was blocked in May 2019.
Despite this, the surveillance firm developed yet another installation vector, known as “Erised,” that used WhatsApp servers to install Pegasus spyware in zero-click attacks, NSO admitted. This exploit reportedly remained active and available to NSO customers even after WhatsApp sued the company in October 2019, until further security changes to the messaging platform blocked its access sometime after May 2020.
NSO witnesses reportedly declined to confirm whether the spyware maker continued developing WhatsApp-based malware vectors afterward.
The company acknowledged that its employees created and used WhatsApp accounts to develop malware for themselves and their clients. This violated WhatsApp’s Terms of Service in several ways, including reverse-engineering the platform, transmitting malicious code, unauthorized data collection, and illegally accessing the service.
Meta claimed that these actions also violated the Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA), causing WhatsApp damages.
NSO has long maintained that it is unaware of its customers’ operations and has minimal control over customers’ use of its spyware, denying any involvement in executing targeted cyberattacks.
However, the newly released court documents reveal that the spyware vendor operated its Pegasus spyware, with customers only needing to provide a target number.
In one of the court documents, WhatsApp argued that “NSO’s customers’ role is minimal,” given that the government customers were only required to input the phone number of the target’s device and, citing an NSO employee, “press Install, and Pegasus will install the agent on the device remotely without any engagement.”
“In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus,” WhatsApp added.
The court filings also quoted an NSO employee as saying it “was our decision whether to trigger [the exploit] using WhatsApp messages or not,” referring to one of the exploits the company offered its customers.
In its defense, Gil Lanier, Vice President of global communications for the Israeli firm, said in a statement to TechCrunch: “NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.”
“We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so,” he added.