Senior government officials around the world – including individuals in high national security positions who are “allies of the US” – were targeted by governments with NSO Group spyware in a 2019 attack against 1,400 WhatsApp users, according to the messaging app’s chief executive.
Will Cathcart disclosed the new details about individuals who were targeted in the attack after revelations this week by the Pegasus project, a collaboration of 17 media organisations which investigated NSO, the Israeli company that sells its powerful surveillance software to government clients around the world.
Cathcart said that he saw parallels between the attack against WhatsApp users in 2019 – which is now the subject of a lawsuit brought by WhatsApp against NSO – and reports about a massive data leak that are at the centre of the Pegasus project.
The leak contained tens of thousands of phone numbers of individuals who are believed to have been selected as candidates for possible surveillance by clients of NSO, including heads of state such as the French president, Emmanuel Macron, government ministers, diplomats, activists, journalists, human rights defenders, and lawyers.
It includes some people whose phones showed infection or traces of NSO’s Pegasus spyware, according to examinations of a sample of the devices conducted by Amnesty International’s security lab.
“The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then,” Cathcart said in an interview with the Guardian. In addition to the “senior government officials”, WhatsApp found that journalists and human rights activists were targeted in the 2019 attack against its users. Many of the targets in the WhatsApp case, he said, had “no business being under surveillance in any way, shape, or form”.
“This should be a wake up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.”
When NSO’s Pegasus spyware infects a phone, government clients who use it can gain access to an individual’s phone conversations, messages, photos and location, as well as turn the phone into a portable listening device by manipulating its recorder.
The leak contains a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016.
The appearance of a number on the leaked list that was accessed by the Pegasus project does not mean it was subject to an attempted or successful hack. NSO said Macron was not a “target” of any of its customers, meaning the company denies there was any attempted or successful Pegasus infection of his phone.
NSO has also said the data has “no relevance” to the company, and has rejected the reporting by the Pegasus project as “full of wrong assumptions and uncorroborated theories”. It denied that the leaked data represented those targeted for surveillance by the Pegasus software. NSO has called the 50,000 number exaggerated and said it was too large to represent individuals targeted by Pegasus.
But Cathcart questioned NSO’s claim that the figure was in itself “exaggerated”, saying that WhatsApp had recorded an attack against 1,400 users over a two-week period in 2019.
“That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” he said. “That’s why we felt it was so important to raise the concern around this.”
When WhatsApp says it believes its users were “targeted”, it means the company has evidence that an NSO server attempted to install malware on a user’s device.
NSO has declined to give specific details about its customers and the people they target. However, a source has claimed the average number of annual targets per customer was 112.
When WhatsApp announced two years ago that users had been targeted by the NSO malware, it said it had found that about 100 of 1,400 targets were members of civil society – journalists, human rights defenders and activists. The users were targeted through a WhatsApp vulnerability that was later fixed.
Cathcart said he had discussed the 2019 attacks against WhatsApp users with governments all around the world. He praised recent moves by Microsoft and others in the technology industry who are speaking out about the dangers of malware, and called on Apple – whose phones are vulnerable to malware infections – to adopt their approach.
“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’,” he said.
“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure.”
He also called on governments to help create accountability for spyware makers.
“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this. Should they stop? Should there be a discussion about which governments were paying for this software?”
WhatsApp launched its lawsuit against NSO in late 2019, claiming that the Israeli company was responsible for sending malware to WhatsApp users’ phones. A judge in the case pointed out that the underlying facts in the case – that malicious code owned by NSO was sent through WhatsApp’s service – did not appear to be disputed. Instead, the lawsuit has revolved around whether NSO’s “sovereign customers” were to blame, or the company itself.
NSO has argued that it ought to be immune to the suit because its clients are foreign governments. It has said its clients are contractually obliged to use Pegasus to target criminals and that it investigates allegations of abuse. It said it has no insight into how government clients use the spyware or who they target, unless the company requests an investigation into allegations of wrongdoing.
An NSO spokesperson said: “We are doing our best to help creating a safer world. Does Mr Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”