April 27, 2020

WhatsApp Hacked by NSO – Facebook Confirmed the Cyberattack

Read all the details of what went down, from the discovery of the zero-day exploit to NSO’s involvement and the progress of the famous lawsuit.


WhatsApp is a widely used messaging and social network application with over 1.5 billion monthly active users. Such massive reach is bound to attract cyberattackers interested in invading user privacy. That’s exactly what happened almost 1 year back, when WhatsApp found a zero-day exploit within its application. This spiraled into many months of investigations, accusations and discoveries that have finally led to some substantial proof. Recent news suggests the attacker was in fact the prime suspect, NSO.

Revisiting – WhatsApp Zero-Day Exploit by NSO

In May 2019, the Facebook-owned social network exposed spyware that infected users’ iPhone and Android handsets simply by ringing them with a WhatsApp call. The end user didn’t need to pick up the call for the malware to activate.

Although a fixed update was released within 10 days of identification, around 1,400 users had reportedly already been hacked by then. Analysis of the vulnerability, which came to be known as CVE-2019-3568, found that the attackers had used malware developed by the infamous NSO Group from Israel.

Facebook Inc. further detailed that the hackers used a buffer overflow, in which malicious packets are sent to the service’s backend to overwrite its own code and trigger a desired response. The aim was to get at WhatsApp location, media and other data. Through the attack, the hacker gained access to the user’s handset, camera, personal files, location and more.

About Israel’s NSO Group - Who Are They?


NSO Group Technologies Ltd. (the name is an abbreviation of Niv, Shalev and Omri, the names of its founders) has been largely credited with shady cyberattacks on smartphone apps and cloud services. It has allegedly been associated with government, federal, security and intelligence agencies as a provider of hacking tools. One of its most talked-about cyberattacks is Pegasus, which has broken the high security of the likes of Google Drive and iCloud.

NSO WhatsApp Hacked Lawsuit

After months of speculation, in October 2019 Facebook filed an official lawsuit against the Israeli cybersecurity firm NSO Group. The complaint detailed that the latter had illegally hacked WhatsApp’s users and violated their right to privacy. They reached this formidable conclusion after finding NSO’s links to the culprit servers and ISPs, explained WhatsApp CEO Will Cathcart. Another unmissable clue was the pattern of targeting members of civil society, human-rights activists, journalists and others.

Quickly following this, NSO Group denied all allegations, stating: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human-rights activists and journalists. It has helped to save thousands of lives over recent years.”

The active litigation against NSO Group is filed under U.S. law, namely the California Comprehensive Computer Data Access and Fraud Act and, more prominently, the Computer Fraud and Abuse Act.

Recent Case Developments in Facebook-WhatsApp-NSO Lawsuit

In April 2020, NSO and its ally Q Cyber Technologies Ltd. requested dismissal of the WhatsApp lawsuit on jurisdictional grounds, claiming that they hold sovereign immunity because their official foreign government clients are outside the US. They further explicitly stated that their software tools have a kill switch and do not run in American territory.

To this, Facebook’s counsel came in full force to counter all of NSO’s dismissal claims. They explained that NSO had in fact used 2 United States IPs and multiple websites while attacking the tech giant’s popular messaging app. They were hosted by:

  • Amazon Web Services (USA)
  • QuadraNet (California, USA)
  • A German Provider

NSO’s contract with QuadraNet was further explained by its use of the California-based servers “more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.”

Claudiu Gheorghe, a software engineer from WhatsApp’s cybersecurity team, strengthened the case by explaining the hacker’s process. He added that the attack was designed to connect the victim’s smartphone to a different remote server. Upon deeper analysis they found that in 720 cases, this remote server’s IP was 104.223.76.220.5, and in three cases it was 54.93.81.200. Interestingly,

  • 104.223.76.220.5 was hosted by QuadraNet,
  • 54.93.81.200 was hosted by Amazon Web Services (AWS).

Another revelation came in the form of subdomains belonging to NSO and its affiliates that were hosted with Amazon during the timeframe of the attack. These subdomains include:

  • sip.nsogroup.com,
  • sip.qtechnologies.com,
  • sip.2access.xyz

The above crucial piece of information has put NSO on the back foot, undermining all of its claims of not operating or running tools inside the United States of America. We have yet to hear any response from the defendant on this, but it’s safe to say that NSO’s chances are looking pretty slim.

But this isn’t the only scrutiny coming NSO’s way. Reportedly, the FBI is also looking into the Israeli spyware organization for involvement in the hacking of Amazon CEO Jeff Bezos’s iPhone.
