On Thursday, WhatsApp scored a legal victory by convincing a U.S. federal judge to publicly release three court documents that include new revelations about the inner workings of Pegasus, the spyware made by Israeli surveillance tech maker NSO Group.
The newly unsealed documents include information coming from depositions of NSO employees during the legal proceedings, internal company documents, as well as — ironically — WhatsApp messages exchanged between NSO employees, which WhatsApp obtained by sending subpoenas to NSO.
The documents also reveal that NSO disconnected 10 government customers in recent years from accessing the Pegasus spyware, citing abuse of its service.
This release of new revelations is the latest development in the lawsuit that WhatsApp filed in 2019, accusing NSO of violating the anti-hacking law, the Computer Fraud and Abuse Act, and breaching WhatsApp’s terms of service, by accessing WhatsApp servers and targeting individual users with spyware sent over the chat app. The accusations are based on a series of cyberattacks against WhatsApp users, including journalists, dissidents, and human rights advocates.
“The evidence unveiled shows exactly how NSO’s operations violated U.S. law and launched their cyber-attacks against journalists, human rights activists and civil society,” WhatsApp spokesperson Zade Alsawah said in a statement sent to TechCrunch. “We are going to continue working to hold NSO accountable and protect our users.”
‘Tens of thousands’ of potential targets
According to the court documents, seen by TechCrunch, NSO had developed a suite of hacking tools to be used against targets using WhatsApp, capable of accessing private data on the target’s phone. The hacking suite was called “Hummingbird,” and two of the suite’s exploits were dubbed “Eden” and “Heaven.”
This suite cost NSO’s government customers — namely police departments and intelligence agencies — up to $6.8 million for a one-year license, and netted NSO “at least $31 million in revenue in 2019, according to one of the court documents.
Thanks to these hacking tools, NSO installed Pegasus on “between hundreds and tens of thousands” of target devices, according to a deposition by NSO’s head of research and development Tamir Gazneli.
Until now, it wasn’t clear who was actually sending the malicious WhatsApp messages to target individuals with spyware. For years, NSO has claimed to have no knowledge of customers’ operations, and not be involved in carrying out the targeted cyberattacks. The newly released court documents cast doubt on some of NSO’s claims.
WhatsApp argued in one of the court documents that, “NSO’s customers’ role is minimal,” given that the government customers only needed to input the phone number of the target’s device and, citing an NSO employee, “press Install, and Pegasus will install the agent on the device remotely without any engagement.”
“In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus,” WhatsApp argued.
The court filings cited an NSO employee as saying it “was our decision whether to trigger [the exploit] using WhatsApp messages or not,” referring to one of the exploits the company offered its customers.
When reached for comment, NSO spokesperson Gil Lainer said in a statement to TechCrunch: “NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.”
“We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so,” said NSO’s Lainer.
NSO’s three exploits targeted WhatsApp users
One technique that NSO used to allow its customers to target WhatsApp users, described in one document, was to set up something the company called a “WhatsApp Installation Server,” or WIS, which WhatsApp calls a “fake client.” This was essentially a modified version of the WhatsApp app that NSO developed and used to send messages — including their malicious exploits — to regular WhatsApp users. NSO admitted setting up real WhatsApp accounts for its customers, per one of the court documents.
WhatsApp was able to defeat both NSO’s “Eden” and “Heaven” exploits with patches and security updates, according to an internal NSO communication.
“Eden/Heaven/Hummingbird R.I.P. announcement,” read a message sent to NSO employees.
The court documents show that NSO’s Heaven exploit was active before 2018, and was designed to direct target WhatsApp devices into communicating with a malicious WhatsApp relay server controlled by NSO.
After WhatsApp patched its systems against NSO’s Heaven exploit, NSO developed a new exploit called “Eden,” which an NSO employee quoted by the court documents said, “need[ed] to go through WhatsApp relay servers,” which the Heaven exploit had sought to avoid. It was the use of the Eden exploit that led to WhatsApp filing its lawsuit against NSO, according to a deposition by another NSO employee.
A third exploit developed by NSO, revealed in the documents, was called “Erised,” a so-called “zero-click” exploit that could compromise a victim’s phone without any interaction from the victim. WhatsApp blocked the use of NSO’s Erised exploit in May 2020, several months after WhatsApp had filed its lawsuit.
Customers cut-off
Another interesting detail that surfaced this week is the admission by one of the NSO employees deposed in the course of the lawsuit that Pegasus was used against Dubai’s Princess Haya, a case that was reported by the The Guardian and The Washington Post in 2021, and later by The New Yorker in 2023.
The same NSO employee said the spyware maker “disconnected” access to Pegasus for 10 customers, citing abuse of the spyware.
At this point in the legal case, WhatsApp is asking the judge to issue a summary judgment in the case, and is awaiting a decision.
Meanwhile, the details that have come out from the lawsuit this week could help other people who have sued NSO in other countries, according to Natalia Krapiva, the tech legal counsel at Access Now, a nonprofit that has investigated some cases of abuse carried out with NSO’s spyware.
“WhatsApp’s sticking with their legal action finally reaps some benefits,” Krapiva told TechCrunch. “While it is true that NSO has not been sharing much information (especially things like Pegasus codes, list of customers, etc.), the information that they did share is already quite useful for this case but also for legal cases against NSO around the world.”
“And the fact that NSO hides information also cuts both ways because it also makes it very difficult for them to present a solid defense,” said Krapiva.