In a pivotal decision issued late last week, the U.S. District Court for the Northern District of California held Israeli spyware firm NSO Group accountable for infecting 1,400 WhatsApp user devices with its notorious Pegasus spyware. The judgment grants partial summary judgment in favor of WhatsApp and imposes sanctions on NSO for failing to meet court-ordered discovery obligations.
The case stems from a 2019 lawsuit filed by Meta-owned WhatsApp, accusing NSO Group of exploiting the messaging platform to deliver Pegasus spyware to targets, including journalists, activists, and government officials. U.S. District Judge Phyllis J. Hamilton ruled that NSO violated the federal Computer Fraud and Abuse Act (CFAA) and California's Comprehensive Computer Data Access and Fraud Act (CDAFA) while also breaching WhatsApp's terms of service.
The lawsuit alleged that NSO deployed its WhatsApp Installation Server (WIS) to deliver malicious code, targeting devices through WhatsApp's infrastructure. NSO's Pegasus spyware enabled unauthorized access and data extraction from these devices, circumventing WhatsApp's defenses. Judge Hamilton noted that NSO's actions demonstrated intentional targeting of WhatsApp servers, many of which are located in California.
NSO argued that its clients, primarily government entities, conducted the hacking. However, WhatsApp presented compelling evidence showing that NSO's spyware relied on its servers to install the malicious code and retrieve sensitive data from the victims. Internal communications and technical records revealed that NSO controlled critical aspects of Pegasus' operation.
NSO was sanctioned for noncompliance with court-ordered discovery. The firm failed to provide the full source code of Pegasus, offering limited access to select code that is only viewable in Israel. This restriction, Judge Hamilton ruled, impeded the plaintiffs' ability to examine critical evidence. Additionally, NSO withheld internal communications about WhatsApp vulnerabilities and interactions with U.S.-based company Westbridge, further obstructing the case.
This decision marks a significant legal precedent, as it is one of the first instances where a spyware company has been held liable for facilitating cyberattacks. The ruling underscores the accountability of spyware developers and highlights the risks posed by such tools when misused against civil society.
Meta celebrated the outcome, stating, “With this decision, spyware companies are put on notice that illegal activities targeting innocent users will not be tolerated.” The court will proceed to assess damages in a forthcoming trial.
Meanwhile, the menace of spyware remains strong for users. High-risk individuals are recommended to keep their software up to date, use security tools, enable optional protective features on their devices, and monitor for unauthorized activities.
YouBoost Chrome Extension Used by 2 Million People Hijacked
Leave a Reply