A federal judge in California has agreed with WhatsApp that NSO Group, the Israeli cyber surveillance firm behind the Pegasus spyware, had hacked its systems by sending malware to thousands of users’ phones through its servers. WhatsApp and its parent company Meta sued NSO Group in 2019 and accused it of spreading malware to 1,400 mobile devices in 20 countries for the purpose of surveillance.
They revealed that some of the phones targeted at the time were owned by journalists, human rights activists, prominent female leaders and political dissidents.
The Washington Post reports that District Judge Phyllis Hamilton has granted WhatsApp’s motion for summary judgment against NSO and ruled that it violated the US Computer Fraud and Abuse Act (CFAA).
NSO Group denied the allegations in the “strongest possible terms” when the suit was filed. It denied that it had a hand in the attacks and told Engadget at the time that its sole purpose was to “provide licensed government intelligence and law enforcement agencies with technology to help them fight terrorism and serious crime.”
The company argued that it should not be held liable, because it simply sells its services to government agencies, which determine its own targets. In 2020, Meta furthered its lawsuit and accused the firm of using US-based servers to carry out its Pegasus spyware attacks.
Judge Hamilton has ruled that NSO Group violated the CFAA, because the firm fully admits that the modified WhatsApp program that its clients use to target users sends messages through legitimate WhatsApp servers.
Those messages then allow the Pegasus spyware to be installed on users’ devices — targets don’t need to do anything to be infected, such as picking up the phone to receive a call or clicking on a link.
The court also found that the plaintiffs’ motion for sanctions should be granted due to NSO Group’s “repeated failure to produce relevant discovery,” most importantly the Pegasus source code.
WhatsApp spokesman Carl Woog told The Post that the company believes this is the first court decision agreeing that a major spyware vendor violated US hacking laws. “We are grateful for today’s decision,” Woog told the publication.
“NSO can no longer escape accountability for its unlawful attacks on WhatsApp, journalists, human rights activists, and civil society. With this decision, spyware companies should know that their illegal actions will not be tolerated.”
In his decision, Judge Hamilton wrote that his order resolves all issues related to NSO Group’s liability and that the trial will proceed only to determine how much the company should pay in damages.