Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California
from the not-immune-from-its-own-carelessness dept
Things are getting even more interesting in Facebook’s lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.
Unfortunately, Facebook wants a court to find that violating an app’s terms of service also violates the CFAA — something most of us really don’t want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.
NSO finally responded to Facebook’s lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies — including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).
NSO’s claims it can’t be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook’s latest filings point to NSO operating its malware servers from inside the United States — apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.
Facebook’s answer to NSO’s attempt to dismiss the lawsuit concedes NSO’s point: it is not its customers. But that’s precisely why it can be sued. From Facebook’s response [PDF]:
A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.
The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.
The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn’t some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook’s expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.
Attached as Exhibit 1 is a true and accurate screenshot from IP2Location.com obtained on April 22, 2020, for IP address 22.214.171.124. Exhibit 1 shows that IP address 126.96.36.199 is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.
According to historical IP address location information from Maxmind.com for IP address 188.8.131.52 obtained through the website archive.org, IP address 184.108.40.206 was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the Maxmind.com csv.zip file available for download at archive.org that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped Maxmind.com csv.zip file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address 220.127.116.11 showing the location and ownership of IP address 18.104.22.168 as of May 28, 2019.
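The lookup the declaration walks through (a current geolocation query, then the same address checked against an archived snapshot dated May 28, 2019, then the owning netblock) can be reproduced offline. The block below is an added example, not code from the filing or from Facebook's experts: it keeps dated geolocation and ASN snapshots in memory, in a CSV layout modelled on the GeoLite2 downloads (a blocks file keyed by CIDR network, a locations file keyed by geoname_id, an ASN blocks file), picks the newest snapshot published on or before the date asked for, and does longest-prefix matching so a more specific netblock beats an enclosing one. All of the data is constructed: the TEST-NET addresses, the netblock assignments, the operator names and the snapshot dates, and the Snapshot, locate and locate_as_of names are mine.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed snapshots (not from the filing). Columns mirror the GeoLite2
# CSV files; addresses are RFC 5737 TEST-NET, ASNs are RFC 5398 documentation
# numbers, and the city/organization assignments are invented.
CITY_BLOCKS_2019 = """network,geoname_id
203.0.113.0/24,5368361
203.0.113.64/26,5391959
198.51.100.0/24,2643743
"""
LOCATIONS_2019 = """geoname_id,country_iso_code,subdivision_1_name,city_name
5368361,US,California,Los Angeles
5391959,US,California,San Francisco
2643743,GB,England,London
"""
ASN_2019 = """network,autonomous_system_number,autonomous_system_organization
203.0.113.0/24,64500,Example Hosting LLC
198.51.100.0/24,64501,Example Telecom Ltd
"""
# A later snapshot in which the same /24 has been reassigned elsewhere.
CITY_BLOCKS_2020 = """network,geoname_id
203.0.113.0/24,4684888
198.51.100.0/24,2643743
"""
LOCATIONS_2020 = """geoname_id,country_iso_code,subdivision_1_name,city_name
4684888,US,Texas,Dallas
2643743,GB,England,London
"""
ASN_2020 = """network,autonomous_system_number,autonomous_system_organization
203.0.113.0/24,64502,Other Hosting Inc
198.51.100.0/24,64501,Example Telecom Ltd
"""


@dataclass
class Snapshot:
    taken: date          # publication date of this set of CSV files
    city_blocks: list    # [(ip_network, row), ...]
    locations: dict      # geoname_id -> row
    asn_blocks: list     # [(ip_network, row), ...]


@dataclass
class Attribution:
    ip: str
    as_of: date          # date of the snapshot actually consulted
    network: Optional[str] = None
    city: Optional[str] = None
    region: Optional[str] = None
    country: Optional[str] = None
    asn: Optional[int] = None
    organization: Optional[str] = None


def parse_blocks(text: str) -> list:
    """Parse a blocks CSV into (network, row) pairs."""
    return [(ipaddress.ip_network(r["network"]), r)
            for r in csv.DictReader(io.StringIO(text))]


def parse_locations(text: str) -> dict:
    """Index a locations CSV by geoname_id (kept as the CSV's string)."""
    return {r["geoname_id"]: r for r in csv.DictReader(io.StringIO(text))}


def longest_match(blocks: list, ip) -> Optional[tuple]:
    """Most specific block containing ip. GeoLite2 block files do not overlap,
    but merged or third-party snapshots can, so first-match is not enough."""
    best = None
    for net, row in blocks:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best


def locate(ip_str: str, snap: Snapshot) -> Attribution:
    """Resolve one address against one snapshot: location from the city
    blocks, operator from the ASN blocks. Misses leave fields as None."""
    ip = ipaddress.ip_address(ip_str)
    out = Attribution(ip=ip_str, as_of=snap.taken)
    hit = longest_match(snap.city_blocks, ip)
    if hit is not None:
        net, row = hit
        loc = snap.locations.get(row["geoname_id"], {})
        out.network = str(net)
        out.city = loc.get("city_name")
        out.region = loc.get("subdivision_1_name")
        out.country = loc.get("country_iso_code")
    asn_hit = longest_match(snap.asn_blocks, ip)
    if asn_hit is not None:
        _, row = asn_hit
        out.asn = int(row["autonomous_system_number"])
        out.organization = row["autonomous_system_organization"]
    return out


def locate_as_of(ip_str: str, when, snapshots: list) -> Attribution:
    """Historical lookup: consult the newest snapshot published on or before
    `when` (a date or ISO string). A date older than every snapshot is an
    error, not a guess."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    eligible = [s for s in snapshots if s.taken <= when]
    if not eligible:
        raise ValueError(f"no snapshot on or before {when}")
    return locate(ip_str, max(eligible, key=lambda s: s.taken))


SNAPSHOTS = [
    Snapshot(date(2019, 5, 28), parse_blocks(CITY_BLOCKS_2019),
             parse_locations(LOCATIONS_2019), parse_blocks(ASN_2019)),
    Snapshot(date(2020, 4, 22), parse_blocks(CITY_BLOCKS_2020),
             parse_locations(LOCATIONS_2020), parse_blocks(ASN_2020)),
]

if __name__ == "__main__":
    # The same address resolves differently depending on which snapshot is
    # used, which is why a current query is paired with an archived one.
    for when in ("2019-06-01", "2020-04-22"):
        print(locate_as_of("203.0.113.10", when, SNAPSHOTS))
```

Run stand-alone, the two printed attributions differ in city and operator: the 2019 snapshot answers the question "where was this address hosted during the April-May 2019 activity", and the 2020 snapshot answers "where is it now". Keeping the `as_of` date on every result is what lets a later reader tell which question was answered.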
This is the upshot of Facebook’s investigation of NSO’s WhatsApp-based efforts:
NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.
These filings appear to show something very different from what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it’s trying to project just isn’t that plausible.
Facebook’s response points out the logical leap NSO is demanding from the court.
The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.
NSO’s options are all unappealing at the moment. It can’t hope to settle since its customers aren’t going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can’t be looking forward to continued litigation since that’s only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company’s service and your payload deliveries route themselves through rented/purchased servers located in the United States.
NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO’s customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.