WhatsApp sued Israeli surveillance firm NSO Group on Tuesday, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials.
In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified. WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”
However, NSO denied the allegations.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said in a statement. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
WhatsApp said the attack exploited its video calling system in order to send malware to the mobile devices of a number of users. The malware would allow NSO’s clients – said to be governments and intelligence organizations – to secretly spy on a phone’s owner, opening their digital lives up to official scrutiny.
WhatsApp is used by some 1.5 billion people monthly and has often touted a high level of security, including end-to-end encrypted messages that cannot be deciphered by WhatsApp or other third parties.
Citizen Lab, a cybersecurity research laboratory based at the University of Toronto that worked with WhatsApp to investigate the phone hacking, told Reuters that the targets included well-known television personalities, prominent women who had been subjected to online hate campaigns and people who had faced “assassination attempts and threats of violence.”
Neither Citizen Lab nor WhatsApp identified the targets by name. Governments have increasingly turned to sophisticated hacking software as officials seek to push their surveillance power into the furthest corners of their citizens’ digital lives.
Companies like NSO say their technology enables officials to circumvent the encryption that increasingly protects the data held on phones and other devices. But governments only rarely talk about their capabilities publicly, meaning that the digital intrusions like the ones that affected WhatsApp typically happen in the shadows.
NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago. Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”
NSO has recently tried to clean up its image after it was bought by London-based private equity firm Novalpina Capital earlier this year. In August, NSO co-founder Shalev Hulio appeared on “60 Minutes” and boasted his spyware had saved “tens of thousands of people.” He provided no details. NSO has also brought on a series of high-profile advisers, including former Pennsylvania Governor Tom Ridge and Juliette Kayyem, a senior lecturer in international security at Harvard University. Last month, NSO announced it would begin abiding by U.N. guidelines on human rights abuses.