In a filing released on Thursday in federal court in Oakland, California, lawyers representing the social media giant alleged that NSO Group had used a network of remote servers in California to hack into phones and devices that were used by attorneys, journalists, human rights activists, government officials and others.
NSO Group has argued that Facebook’s case against it should be thrown out on the grounds that the court has no jurisdiction over its operations. In a 13 May legal document, lawyers representing NSO Group said that the company had no offices or employees in California and “do no business of any kind there.”
NSO has also argued that it has no role in operating the spyware and is limited to “providing advice and technical support to assist customers in setting up” the technology.
John Scott-Railton, a senior researcher at the Citizen Lab at the University Of Toronto’s Munk School, said evidence presented by Facebook on Thursday indicated NSO Group was in a position to “look over its customer’s shoulders” and monitor who its government clients were targeting.
“This is a gut punch to years of NSO’s claims that it can’t see what its customers are doing,” said Scott-Railton. He said it also shows that the Israeli company “probably knows a lot more about what its customers do than it would like to admit.”
NSO’s spyware, known as Pegasus, can gather information about a mobile phone’s location, access its camera, microphone and internal hard drive, and covertly record emails, phone calls and text messages. Researchers have accused the company of supplying its technology to countries that have used it to spy on dissidents, journalists and other critics.
A representative for NSO Group said its products are “used to stop terrorism, curb violent crime, and save lives.”
“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the representative said, adding that a response to Facebook’s legal filing was forthcoming.
In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices. It’s unclear whether NSO Group’s software was used to target people within the U.S.. The company has previously stated that its technology “cannot be used on U.S. phone numbers.”
Facebook accused NSO Group of reverse-engineering WhatsApp, using an unauthorized program to access WhatsApp’s servers and deploying its spyware against approximately 1,400 targets. NSO Group was then able to “covertly transmit malicious code through WhatsApp servers and inject” spyware onto people’s devices without their knowledge, according to the Facebook’s legal filings.
“Defendants had no authority to access WhatsApp’s servers with an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp users,” Facebook alleged in the Thursday filing. “That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking” under the Computer Fraud and Abuse Act.