Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California

from the not-immune-from-its-own-carelessness dept

Things are getting even more interesting in Facebook’s lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.

Unfortunately, Facebook wants a court to find that violating an app’s terms of service also violates the CFAA — something most of us really don’t want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.

NSO finally responded to Facebook’s lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies — including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).

NSO’s claims it can’t be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook’s latest filings point to NSO operating its malware servers from inside the United States — apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.

Facebook’s answer to NSO’s attempt to dismiss the lawsuit concedes NSO’s point: it is not its customers. But that’s precisely why it can be sued. From Facebook’s response [PDF]:

A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.


The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.

The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn’t some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook’s expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.

Attached as Exhibit 1 is a true and accurate screenshot from obtained on April 22, 2020, for IP address Exhibit 1 shows that IP address is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.

According to historical IP address location information from for IP address obtained through the website, IP address was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the file available for download at that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address showing the location and ownership of IP address as of May 28, 2019.

This is the upshot of Facebook’s investigation of NSO’s WhatApp-based efforts:

NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

These filings appear to show something very different than what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it’s trying to project just isn’t that plausible.

Facebook’s response points out the logical leap NSO is demanding from the court.

The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.

NSO’s options are all unappealing at the moment. It can’t hope to settle since its customers aren’t going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can’t be looking forward to continued litigation since that’s only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company’s service and your payload deliveries route themselves through rented/purchased servers located in the United States.

NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO’s customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.

Filed Under: , , , ,
Companies: facebook, nso group, whatsapp

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California”

Subscribe: RSS Leave a comment
This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

IANAL, but can’t NSO claim that its just providing MAS (malware as a service) and doesn’t know what its customers are using it for?

No. That would make them an accomplice. Claiming ignorance of what the service is primarily used for isn’t a defense. Especially when you directly advertise it as the main selling point to potential clients. To use a bank robber analogy, offering a service that provides "forceful extractions of materials from unwilling storage facilities" and then claiming ignorance of bank robberies made by your clients would still get you a nice stay in a 4×4 cell. After being laughed at by the judge.

Simply put, slapping ass on something doesn’t make you immune from lawsuits. If anything slapping ass on something makes you a target.

Anonymous Coward says:

The cheapest solution is to ‘hire’ NSO for a whatsapp attack job, analyze the software and break it fundamentally by changing whatsapp, so not just the current version of whatsapp, but the underlying NSO software hack principle is rendered useless.

NSO collapses, its directors are rendered homeless bums living under a bridge, crying themselves to sleep every night. win-win

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...