According to a lawyer working for an Israeli spyware manufacturer, the governments of Mexico, Saudi Arabia and Uzbekistan were among several countries accused of being behind the 2019 hacking campaign targeting more than 1,200 WhatsApp users on NSO group Pegasus Spyware.
At a hearing of a lawsuit between WhatsApp and the NSO group last Thursday, NSO group lawyer Joe Akrotirianakis specifically appointed three governments as clients using Spyware, according to a transcript of the hearing obtained this week by TechCrunch.
This is the first time an NSO group representative has publicly recognized who (or did) Spyware Maker’s customers are after years of refusing to discuss their customers.
The revelation came as part of a lawsuit filed by meta-owned WhatsApp in 2019, accusing the NSO group of hacking around 1,400 WhatsApp users of exploiting vulnerabilities in the messaging app system around April-May that same year.
inquiry
Do you have more information about the NSO Group or other spyware companies? From unprocessed devices and networks, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email.
The contents of last week’s hearing were first reported by Courthouse News Service.
In its legal complaint, WhatsApp allegedly claimed there were more than 100 eligible victims who work as human rights activists, journalists and “other members of civil society.” Citizen Lab, a digital rights group that has been investigating government spyware abuse for over a decade, said in a report from the time that WhatsApp could help identify those victims.
Last week, NSO Group lawyer Akrotirianakis told the judge “In this case, there are at least eight clients whose names are part of the discovery,” but only three were appointed at the hearing.
At the same time, the lawyers suggested last week that the 1,223 victims of the 2019 SPYware campaign were also a list of NSO groups clients.
“Pegasus is approved for its territory and can only be used in these regions,” Acrotilia Akis said, referring to the NSO group’s marquee spyware.
Apart from Mexico and Uzbekistan, the list of 51 countries includes Bahrain, India, Morocco, Spain, the UK and the US. However, Saudi Arabia mentioned at the NSO group hearing is not listed.
This can be explained by the fact that some NSO groups’ customers can target individuals outside their territory. For example, in 2017, Citizen Lab reported that there was “circumstantial evidence” suggesting that one or more government clients of the Mexican NSO group targeted multiple individuals, including the child of a well-known Mexican journalist in the United States at the time he was targeted.
Gil Lainer, a spokesman for the NSO group, who reached TechCrunch prior to its publication, declined to comment. When asked, Raynor did not dispute that Mexico, Saudi Arabia and Uzbekistan were three companies’ customers at the time of the WhatsApp Spyware campaign.
Whatsapp spokesman Zade Alsawah told TechCrunch that the company will “take on upcoming trials to determine the damages and secure an injunction against the NSO to protect WhatsApp and People’s private communications.”
On Tuesday, a judge before the suit said that the NSO group’s documents provided as part of the case’s discovery period identified “at least four NSO customers,” but the company has not yet publicly confirmed that those countries are their customers.
“The evidence records are unclear as to which of the (NSO) clients are responsible for the attacks in question, and therefore (WhatsApp) was unable to find evidence as to whether they followed screening procedures against these clients,” the judge wrote. Furthermore, as far as we discuss the facts about clients who were found to have misused Pegasus, these facts appear to come from media coverage, not from the defendant. ”
For years, organizations such as Citizen Lab and Amnesty International have documented cases where Pegasus was used to target or hack journalists, dissidents and human rights advocates in several countries mentioned on victim lists, including Mexico, Hungary, Spain and the United Arab Emirates.
TechCrunch will contact embassies in Mexico, Saudi Arabia and Uzbekistan in the US for comment and update the story if they receive a response.
Updated throughout in the background and in additional context.