Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California

from the not-immune-from-its-own-carelessness dept

Things are getting even more interesting in Facebook's lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.

Unfortunately, Facebook wants a court to find that violating an app's terms of service also violates the CFAA -- something most of us really don't want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.

NSO finally responded to Facebook's lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies -- including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).

NSO's claims it can't be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook's latest filings point to NSO operating its malware servers from inside the United States -- apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.

Facebook's answer to NSO's attempt to dismiss the lawsuit concedes NSO's point: it is not its customers. But that's precisely why it can be sued. From Facebook's response [PDF]:

A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.

[...]

The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.

The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn't some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook's expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.

Attached as Exhibit 1 is a true and accurate screenshot from IP2Location.com obtained on April 22, 2020, for IP address 104.223.76.220. Exhibit 1 shows that IP address 104.223.76.220 is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.

According to historical IP address location information from Maxmind.com for IP address 104.223.76.220 obtained through the website archive.org, IP address 104.223.76.220 was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the Maxmind.com csv.zip file available for download at archive.org that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped Maxmind.com csv.zip file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address 104.223.76.220 showing the location and ownership of IP address 104.223.76.220 as of May 28, 2019.

This is the upshot of Facebook's investigation of NSO's WhatApp-based efforts:

NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

These filings appear to show something very different than what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it's trying to project just isn't that plausible.

Facebook's response points out the logical leap NSO is demanding from the court.

The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.

NSO's options are all unappealing at the moment. It can't hope to settle since its customers aren't going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can't be looking forward to continued litigation since that's only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company's service and your payload deliveries route themselves through rented/purchased servers located in the United States.

NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO's customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.

Filed Under: cfaa, hacking, jurisdiction, spying, surveillance
Companies: facebook, nso group, whatsapp


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 1 May 2020 @ 7:18pm

    IANAL, but can't NSO claim that its just providing MAS (malware as a service) and doesn't know what its customers are using it for?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 May 2020 @ 11:15am

      Re:

      IANAL, but can't NSO claim that its just providing MAS (malware as a service) and doesn't know what its customers are using it for?

      No. That would make them an accomplice. Claiming ignorance of what the service is primarily used for isn't a defense. Especially when you directly advertise it as the main selling point to potential clients. To use a bank robber analogy, offering a service that provides "forceful extractions of materials from unwilling storage facilities" and then claiming ignorance of bank robberies made by your clients would still get you a nice stay in a 4x4 cell. After being laughed at by the judge.

      Simply put, slapping ass on something doesn't make you immune from lawsuits. If anything slapping ass on something makes you a target.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 May 2020 @ 9:40pm

    dudes doing shitty things

    cant we get him on "SOMETHING"

    reply to this | link to this | view in chronology ]

  • icon
    Ed (profile), 2 May 2020 @ 6:46am

    Hmmm

    Is there any doubt that this NSO Group is an arm of the Israeli government?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 May 2020 @ 1:53am

    The cheapest solution is to 'hire' NSO for a whatsapp attack job, analyze the software and break it fundamentally by changing whatsapp, so not just the current version of whatsapp, but the underlying NSO software hack principle is rendered useless.

    NSO collapses, its directors are rendered homeless bums living under a bridge, crying themselves to sleep every night. win-win

    reply to this | link to this | view in chronology ]

  • identicon
    pegr, 3 May 2020 @ 11:13am

    I hope it continues because...

    Discovery is going to be a hoot! So what's the damage they cause? I dunno, let's see source code!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.