The NSO Group and the Weaponization of WhatsApp
May 21, 2019
May 21, 2019
On 13 May, WhatsApp notified Ireland’s Data Protection Commission (DPC), the messaging app’s lead regulator in the European Union, of a “serious security vulnerability” on its platform. The following day, European regulators confirmed they were investigating into the breach as a violation of privacy regulations. In a statement, the DPC said it “understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed.” In response, WhatsApp advised all users to update the application “out of an abundance of caution”. The question is, who launched the attack and who were the targets?
According to the Financial Times report, an unknown party tried to access decrypted data on the devices of targeted individuals using malware designed to target communications databases stored on the devices. This vulnerability was reportedly discovered by WhatsApp at the beginning of May and could have allowed third parties to install surveillance software on phones by calling a user via the app’s phone call function. WhatsApp addressed the breach internally before notifying users or regulators. An update to the app was published on May 13.
WhatsApp told Reuters that it was still investigating the breach but believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor.” Jay Rosenberg, a senior security researcher at the antivirus-software firm Kaspersky Labs, told Business Insider that “this is government-grade malware that costs millions of dollars”. “Unless you’re the target of some government, then you really have nothing to worry about. Your average cybercriminal is not doing this.”
On May 14, WhatsApp said that the breach on its messaging app had “signs of coming from a government using surveillance technology developed by a private company, and it may have targeted human rights groups.” According to the Financial Times, the spyware in this case was developed by the Israeli cyber intelligence company NSO Group, called Pegasus.
Electronic Frontier Foundation (EFF), a San Francisco-based non-profit, and Citizen Lab at the Munk School of Global Affairs, part of the University of Toronto, were among the groups notified of the breach by WhatsApp. Eva Galperin, Director of Cybersecurity at EFF, told Reuters that “they believed it was NSO Group, but they also couched it in very careful terms with many caveats, because attribution is hard”. According to a 2016 report by the New York Times Pegasus spyware, once installed on a phone, can extract its data and can create new data by using the phone’s microphone and camera to record the user’s surroundings and ambient sounds.
A suspected target, a London-based human rights lawyer, contacted Citizen Lab after receiving suspicious WhatsApp calls. The lawyer is helping a Saudi dissident who hasfiled a lawsuit against NSO claiming its spyware targeted him and led to the killing of his friend, Saudi journalist Jamal Khashoggi. The lawyer is also leading civil cases against NSO for its selling of the software to the Mexican government and the subsequent killing of several journalists. The Citizen Lab has been researching the NSO Group and deems that the company “fails to engage in adequate due diligence concerning the sale of their Pegasus spyware and its human rights impacts.”
Currently there are four known legal cases against NSO Group and it is being sued for damages allegedly caused by the sale of its technology. Cybersecurity expert Claudiu Popa told CTV News Channel that “what the NSO Group and companies like that do is focus their efforts on the most popular pieces of software and try to identify vulnerabilities that they can sell; that they can weaponize.” Following the latest breach, the human rights group Amnesty International filed a legal action that was supported by at least 30 individuals claiming that Israel’s Ministry of Defense has put human rights defenders at-risk by allowing NSO Group to export its products abroad and that its staff have been specifically targeted. What is for certain is that this is not the last time that we will hear of NSO nor of similar technologies and companies looking to exploit tools at the fingertips of almost the entire planet.
Image: Natanaelginting / Freepik (link)
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Grey Dynamics LTD.
Dylan Ramshaw is a freelance consultant with over 15 years working and living in Latin America and Africa. He is a trained economist and recently completed a post graduate certificate in intelligence analysis at Brunel University London.