An NSO surveillance tool called Pegasus has been implicated in spying on Washington Post contributing writer Jamal Khashoggi before he was killed by people affiliated with Saudi Arabia’s security services last year. A friend of Khashoggi, Omar Abdulaziz, has alleged in a lawsuit that his phone was infected with Pegasus without his knowledge and that the malicious software helped the Saudis snoop on Khashoggi.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” NSO said in a statement that was forwarded to The Washington Post by a Washington public relations agency.
WhatsApp, which is owned by Facebook, said in a blog post that the company believes NSO and its parent company, Q Cyber Technologies, violated U.S. and California law, as well as the terms of service for WhatsApp.
The suit should put governments that want to snoop on notice, said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a civil liberties group.
WhatsApp said it stopped a sophisticated attack using NSO malicious software in May and subsequently alerted 1,400 users that they may have been affected. Citizen Lab, which long has researched the use of hacking technologies and their manufacturers, volunteered its services to study the impact on targets globally. At least 100 victims have now been identified, though WhatsApp declined to name the victims, citing privacy policies.
According to the suit, the WhatsApp users had numbers with country codes from several nations, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico. The suit also noted that NSO’s clients include government agencies in those three countries, among others.
“This number may grow higher as more victims come forward,” the post from the company said. “We are committed to doing all we can, working with industry partners, to protect our users and guard against these kinds of threats.”
It also said, “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”
NSO has a malware tool called Pegasus that, according to a Citizen Lab report from last year, has been used in 45 countries and, in at least 10, has been used to conduct surveillance across international borders. The report names six nations — Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates — that it says “have previously been linked to abusive use of spyware to target civil society.”