WhatsApp Accuses NSO Group of Spyware Attacks

Published on April 27, 2020

The WhatsApp team claims that the NSO Group used US-based servers to launch attacks with the spyware known as Pegasus. According to Engadget, NSO allegedly used the Los Angeles hosting service QuadraNet over 700 times to infect devices with malware. Writer Jon Fingas explains that these accusations would contradict NSO’s claims that “it couldn’t run operations in the US,” and reinforce the idea that it is a hacking service as opposed to a regular software developer. Facebook’s legal team also sought to rebut NSO’s argument that it is out of jurisdiction, as well as the idea that its government clientele gives the company immunity.

NSO Targets

To be more exact, as stated by Tech Times, the Israeli cyber surveillance firm is accused of spreading spyware to 1,400 mobile devices in 20 countries. The main targets were journalists, female leaders, human rights activists, and political protesters. Most of these devices were in Mexico, Bahrain, and the United Arab Emirates.

Tech Times explains that the infection method was quite simple. Devices would get infected by phone calls alone; victims did not even need to pick up in order to fall prey to Pegasus. The program isn’t capable of breaking WhatsApp’s encryption. However, it does have access to messages after they are decrypted on the device.

Facebook’s Receipts

Forbes explains that Facebook has enough evidence to prove the hackers had operations in America. Facebook contacted Claudiu Gheorghe, a software engineer working with WhatsApp who also worked on the investigation of the 2019 attacks. Gheorghe says that NSO’s programming “was designed to cause a WhatsApp user’s mobile device to connect to a remote server not associated with WhatsApp.”

“In 720 instances of the attack, the remote server’s IP address was 5. In three instances of the attack, the remote server’s IP address was”

Claudiu Gheorghe, WhatsApp Software Engineer

Associate editor Thomas Brewster also writes that Facebook’s lawyers uncovered the subdomains sip.nsogroup.com, sip.qtechnologies.com, and sip.2access.xyz. They were all found on IP addresses of Amazon servers from January 2nd to November 24th of 2019. That’s the same time frame in which the attacks took place.

The Investigation Started…

According to The New York Times, last year’s investigation was a team effort between Facebook and Citizen Lab, a research group associated with the University of Toronto that helps victims of cybercrimes. The investigation began after Citizen Lab accused NSO Group of taking advantage of a WhatsApp security hole to attack the phone of an English attorney.

The attorney had represented plaintiffs who accused NSO Group of supplying the necessary items to hack the devices of a Saudi Arabian dissident residing in Canada, a Qatari citizen, and a group of Mexican journalists and activists. He contacted Citizen Lab. Nicole Perlroth explains that, inevitably, the breach of security left a digital footprint that helped them discover NSO’s activities through its weakness, WhatsApp.

Spies All Around

This is, of course, not the first time that WhatsApp has battled malicious programs. In February, the Facebook-owned messenger app announced a major flaw, one that allowed cybercriminals to gain access to a victim’s phone. For these attacks, all the victim had to do was click a coded link sent through the app. Most of the victims of that attack were Apple products and their users. One of those victims was Jeff Bezos, CEO of the online retail company Amazon.

It does not stop there. Ever since the rise of COVID-19, there has been an increase in cyber crimes. These include the recent hacking of 160,000 Nintendo accounts. It all comes down to the versatility of technology being exploited by the hackers of the world during these times of quarantine.

Argenis Ovalles is an Editorial Intern at Grit Daily. He currently writes at Vocal Media and Theater Pizzazz.
