New Delhi: Government officials around the world were also part of the group of 1,400 WhatsApp users who were subjected to attempted attacks through the NSO Group’s Pegasus spyware in 2019, the messaging app’s CEO Will Cathcart has disclosed in an interview to The Guardian as part of the Pegasus Project.
Significantly, Cathcart also noted that he saw parallels between the attack against WhatsApp users in 2019 – currently the subject of a lawsuit brought by the Facebook-owned firm against the NSO Group in a federal court in California – and the reporting on the leaked data that was the basis of the Pegasus Project.
The leak, as noted by The Wire and 16 other media organisations, contained thousands of numbers that the consortium believes were selected as candidates for possible surveillance by government clients of the NSO Group. This has included a wide cast of individuals – from heads of state to government officials to journalists and human rights defenders. Digital forensics conducted by Amnesty International’s Security Lab on a small cross-section of the phones on the list showed traces of either an attempted Pegasus attack or a full infection.
When WhatsApp announced two years ago that users had been subject to an attempted attack through NSO malware, it said it had found that about 100 of 1,400 targets were members of civil society – journalists, human rights defenders and activists. The users were targeted through a vulnerability in the messaging app’s security that was later fixed.
“The first thing I’d say is that this reporting matches what we saw in the attack we defeated two years ago. And it’s very consistent with what we were loud about then,” the WhatsApp boss noted.
“The attack we saw was people, you know, NSO group attempting to attack people’s phones through our service. It was a very clear actual attempted attacks. And in that list, we saw, in addition to journalists, human rights defenders and the others, we saw government officials, you know, in countries around the world,” he added.
50k too big of a number?
In pre-publication statements given to the Pegasus Project, the NSO Group disputed the leaked list, saying it had no relevance to the company, and rejected the Pegasus Project’s reporting.
Importantly, the Israeli spyware maker also denied that the leaked data represented those who could have been targeted for surveillance. In particular, NSO said the 50,000 number was “exaggerated” and too large to represent the number of individuals targeted by Pegasus.
In interviews, NSO boss Shalev Hulio has claimed that the average number of targets per NSO customer is around 100 and the company only sells the spyware to between 40 and 45 countries.
Cathcart, however, believes that this may not match up with what WhatsApp saw two years ago.
“The facts are clear, though. We saw in a [two] week period 1,400 people … [were targets of] attempted attacks by NSO Group. That does not match up with the story they’ve been telling,” he said.
“And so what we saw was 1,400 victims in that brief period. That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. If there was 1,400 in a very brief window of time, then, you know, if you just play [that] out over a couple of years, it’s a lot of people.”
Cathcart said he had discussed the 2019 attacks against WhatsApp users with governments all around the world. He praised recent moves by Microsoft and others in the technology industry who are speaking out about the dangers of malware, and called on Apple – whose phones are vulnerable to malware infections – to adopt their approach.
“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’,” he said.
“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure.”
The WhatsApp boss also called on governments to help create accountability for spyware makers.
“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this. Should they stop? Should there be a discussion about which governments were paying for this software?”
In the lawsuit launched by WhatsApp, the NSO Group has argued that it should be immune to the suit because its clients are foreign governments. It has said its clients are contractually obliged to use Pegasus to target criminals and that it investigates allegations of abuse. It said it has no insight into how government clients use the spyware or who they target, unless the company requests an investigation into allegations of wrongdoing.
The court last week rejected NSO Group’s claim that it had only a limited role in the surveillance of the plaintiff’s users. Instead, the judge found that the company “retained some role” in the operation of Pegasus, “even if it was at the direction of their customers.”
In a statement to The Guardian, an NSO spokesperson said: “We are doing our best to help creating a safer world. Does Mr Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.