Lawyers for WhatsApp’s parent company alleged in documents filed Thursday that NSO Group, the Israeli software surveillance firm accused of spying on over a thousand WhatsApp users, has used U.S.-based servers to launch its attacks.
In court documents, Facebook-owned WhatsApp claims NSO Group used a server run by Los Angeles-based hosting provider QuadraNet “more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.”
Additionally, NSO Group used a remote server hosted by Amazon to target WhatsApp users, WhatsApp software engineer Claudiu Gheorghe said in the filing.
The filing is a blow to NSO Group’s claims that its signature product, Pegasus, isn’t capable of running operations in the United States.
“That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking at the heart of the [Computer Fraud and Abuse Act]’s unauthorized-access offense,” WhatsApp claims in the filing.
John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto Monk School of Global Affairs and Public Policy, said the filing will likely degrade NSO Group’s argument that it has no operations in the U.S.
“[It’s] going to be hard for NSO to credibly claim that there is no [United States] nexus to their operations when they were busy paying for server space in American data centers,” Scott-Railton said in a tweet. “This filing shows NSO purchasing [and] operating the servers doing the hacking. This makes the company look much more like hacking-as-a-service than software developers.”
An NSO Group spokesperson reiterated its previous claims in a statement shared with CyberScoop Friday.
“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the spokesperson said when reached for comment on the latest filings.
WhatsApp’s lawyers also worked to refute NSO Group’s arguments that the case should be dismissed over jurisdictional technicalities, as well as the Israeli company’s planned sovereign immunity defense. The Israeli firm has argued that because its customers are governments that use its products for national security reasons, the firm should be immune from the claims.
WhatsApp lawyers say NSO Group has failed to identify “any specific [government] for whom NSO worked — let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role,” WhatsApp lawyers said in the filing.
“Defendants pin blame on unidentified [governments],” the filing reads. “That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court. NSO is neither a sovereign nor immune from the court’s exercise of jurisdiction.”