Facebook sues surveillance company NSO Group over alleged WhatsApp hack

The lawsuit claims the Israeli surveillance company attempted to hack about 1,400 people using WhatsApp.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

Facebook is suing the NSO Group over an alleged hack on WhatsApp users.

Graphic by Pixabay/Illustration by CNET

Facebook is taking legal action against the Israeli surveillance company NSO Group, alleging that it was behind a targeted hacking campaign against people using WhatsApp . In court documents, the tech giant argues that the NSO Group created an exploit used to hack into people's devices through WhatsApp, which Facebook owns. 

The lawsuit, filed on Tuesday, alleges that NSO Group was responsible for a security flaw that allowed potential hackers to install spyware through a phone call, first reported in May by the Financial Times. Targeted victims didn't need to pick up the phone or take any action to get infected, and it affected both iPhones and Android devices. 

The NSO Group has helped create software to spy on encrypted devices, including the "Pegasus" spyware.

The NSO Group denied the allegations and said it planned to "vigorously fight" them.

"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," NSO said in a statement. "Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years."

While spyware like Pegasus and the WhatsApp exploit are not widespread, the malware is used for targeted attacks on specific people. WhatsApp said it believes about 1,400 people were targeted by the phone call exploit, which included journalists, attorneys, human rights activists, government officials, political dissidents and diplomats. 

"This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones," WhatsApp said in a statement.

The victims were in countries including Mexico, the United Arab Emirates and Bahrain. In a column published in The Washington Post on Tuesday, WhatsApp's head, Will Cathart, said the hackers behind the exploit were using services and internet hosting services associated with the NSO Group. 

"While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful," Cathart said. 

This is the second lawsuit Facebook has filed this week to protect its digital security. On Monday, it sued two domain hosts over phishing websites targeting the social network. 

The suit filed Tuesday alleges that the NSO Group violated the Computer Fraud and Abuse Act by creating the WhatsApp vulnerability and exploiting it. The company is seeking a permanent injunction to ban the NSO Group from using WhatsApp again. 

"This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users," WhatsApp said.

You can read the full lawsuit here:

Originally published Oct. 29 at 1:13 p.m. PT. Updated at 3:35 p.m. with NSO statement.