A federal judge in California agreed with WhatsApp that NSO Group, the Israeli cybersurveillance firm behind the Pegasus spyware, hacked its systems, sending malware through its servers to thousands of its users' phones. WhatsApp and its parent company Meta, filed a lawsuit against the NSO group back in 2019 and accused him of distributing malware to 1,400 mobile devices in 20 countries for the purpose of surveillance. They then discovered that some of the attacked phones belonged to journalists, human rights activists, prominent women leaders and political dissidents. Washington Post reports that District Judge Phyllis Hamilton granted WhatsApp's motion for summary judgment against NSO and ruled that the company violated the US Computer Fraud and Abuse Act (CFAA).
The NSO group disputed the allegations “in the strongest possible terms” when filing the lawsuit. The company denied any involvement in the attacks and told Engadget at the time that its sole purpose was to “provide technology to licensed government intelligence and law enforcement agencies to help them combat terrorism and serious crime.” The company argued that it should not be held liable because it simply sells its services to government agencies, which determine their goals. In 2020 Meta escalated his claim and accused the firm of using servers in the US to organize espionage attacks on Pegasus.
Judge Hamilton ruled that NSO Group violated the CFAA because the firm appeared to fully admit that the modified WhatsApp program its clients used to target users sent messages through legitimate WhatsApp servers. These messages then allow Pegasus spyware to be installed on users' devices—victims don't even have to do anything like pick up the phone to answer a call or click a link to become infected. The court also found that the plaintiff's motion for sanctions should be granted because NSO had “repeatedly (failed) to produce relevant discoveries,” the most important of which was the Pegasus source code.
This was announced by WhatsApp representative Karl Woog. Message The company believes this is the first court decision finding that a major spyware vendor violated US hacking laws. “We are grateful for today’s decision,” Woog told the publication. “NSO can no longer escape responsibility for unlawful attacks on WhatsApp, journalists, human rights defenders and civil society. “With this ruling, spy companies must be warned that their illegal activities will not be tolerated.” In her decision, Judge Hamilton wrote that her order resolved all issues regarding NSO Group's liability and that the trial would continue only to determine the amount the company must pay in damages.