In a landmark ruling, a U.S. judge has mandated that the NSO Group, an Israeli spyware firm, disclose its source code for Pegasus and other products to Meta. This forms a crucial part of Meta’s ongoing legal battle against the company.
Meta’s Legal Victory
The court’s decision represents a significant win for Meta, which initiated the lawsuit in October 2019. The social media behemoth accused NSO Group of exploiting its infrastructure to disseminate the spyware to roughly 1,400 mobile devices during April and May 2019. Notably, the victims included two dozen Indian activists and journalists.
The Spyware Attack
The attackers exploited a zero-day vulnerability in the WhatsApp messaging app (CVE-2019-3568, CVSS score: 9.8), a severe buffer overflow bug in the voice call feature, to deploy Pegasus. Intriguingly, the spyware could be installed merely by placing a call, even if the recipient did not answer.
Furthermore, the attack sequence incorporated measures to delete the record of the incoming call from the logs, thereby evading detection.
Court Documents Reveal NSO Group’s Obligations
According to court documents unveiled recently, NSO Group has been instructed to “produce information concerning the full functionality of the relevant spyware.” The timeframe specified for this information spans one year before and after the alleged attack, i.e., from April 29, 2018, to May 10, 2020.
However, the company is not required to “provide specific information regarding the server architecture at this time” as WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Importantly, it has been exempted from revealing the identities of its clients.
Reactions to the Court’s Decision
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, expressed both satisfaction and disappointment at the court’s decision. He stated, “While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.”
NSO Group’s Sanctions
In 2021, the U.S. imposed sanctions on NSO Group for creating and supplying cyber weapons to foreign governments. These tools were maliciously used to target government officials, journalists, businesspeople, activists, academics, and embassy workers.
Meta’s Privacy Controversy
Meanwhile, Meta is under increasing pressure from privacy and consumer groups in the European Union. The company’s “pay or okay” (aka pay or consent) subscription model is being criticized as a choice between paying a “privacy fee” and agreeing to be tracked by the company.
Critics argue that this approach turns privacy into a luxury rather than a fundamental right, reinforcing existing discriminatory exclusion from digital access and control over personal data. They further contend that this practice undermines GDPR.
New Developments in Mobile Spyware
In related news, Recorded Future has disclosed a new multi-tiered delivery infrastructure linked to Predator, a mercenary mobile spyware managed by the Intellexa Alliance.
The infrastructure network is likely associated with Predator customers in countries such as Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It’s noteworthy that no Predator customers in Botswana or the Philippines had been identified before now.
“Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups,” the company stated.
Sekoia’s Findings on Predator Spyware Ecosystem
In a separate report, Sekoia, a cybersecurity firm, shared its findings on the Predator spyware ecosystem. The company discovered three domains linked to customers in Botswana, Mongolia, and Sudan.
Interestingly, Sekoia noted a “significant increase in the number of generic malicious domains” in its investigation. These domains do not provide any indications about the targeted entities and potential customers, making it challenging to determine the scope and impact of these cyber threats.