The governments of Mexico, Saudi Arabia, and Uzbekistan have been identified as the entities behind the 2019 hacking campaign. Which targeted over 1,200 WhatsApp users with the use of NSO Group’s notorious Pegasus spyware. This revelation was made during a hearing in the lawsuit filed by WhatsApp against NSO Group last Thursday. With NSO Group’s lawyer Joe Akrotirianakis naming the three governments as customers of the spyware. This marks the first time that NSO Group representatives have publicly acknowledged the identities of their clients. Something the company has previously refused to discuss, citing legal constraints.
This disclosure comes as part of a long-standing legal battle between Meta-owned WhatsApp and NSO Group. A case that dates back to 2019 when WhatsApp accused NSO Group of exploiting a vulnerability in its systems to hack into about 1,400 WhatsApp users between April and May of that year. The lawsuit accused NSO Group of using the vulnerability to facilitate attacks targeting human rights activists, journalists, and members of civil society. Citizen Lab, a digital rights group known for its work investigating the use of spyware by governments. Has played a crucial role in identifying the victims in this case.
According to the lawsuit, over 100 of the targeted individuals were human rights activists, journalists, and other civil society figures. In the hearing last week, NSO Group’s lawyer revealed that the company had at least eight customers whose names had been part of the discovery process in the case. Although only three were explicitly named during the proceedings. The revelation that Mexico, Saudi Arabia, and Uzbekistan were involved as customers marked a significant shift for NSO Group. Which had, for years, been tight-lipped about the specifics of its clientele. This is the first acknowledgment by the company regarding the countries that purchased its spyware. Specifically the Pegasus software that was used for surveillance purposes.
In addition to naming the three countries, Akrotirianakis also hinted that a recently unsealed court document, which outlined the locations of the 1,223 victims of the 2019 spyware campaign, could be a list of NSO Group’s clients. The lawyer emphasized that Pegasus, NSO Group’s flagship spyware, was licensed for use in specific territories. Thus suggesting that the spyware’s deployment was restricted to certain geographic locations. This has led to further speculation about how the spyware was used beyond these territories.
Apart from the three countries named, the list of 51 countries mentioned in the court document includes Bahrain, India, Morocco, Spain, the United Kingdom, and the United States. However, it is important to note that Saudi Arabia, despite being mentioned by NSO Group’s lawyer in the hearing, does not appear in the list. This discrepancy could be explained by the fact that some customers of NSO Group are reportedly able to target individuals outside their designated territories. For example, a 2017 report by Citizen Lab suggested that some NSO Group customers in Mexico were targeting individuals. Including a child of a prominent Mexican journalist, who were located outside the country, in the United States at the time.
The court proceedings also shed light on the challenges of identifying and prosecuting the individuals responsible for the attacks. The evidence presented in the discovery phase has been unclear about which specific clients were responsible for the hacking campaigns. This has led to difficulties in pinpointing exactly who misused the spyware. While WhatsApp has been able to identify some of the perpetrators through media reports and the investigative work of organizations like Citizen Lab and Amnesty International, much of the evidence remains opaque.
In the courtroom, NSO Group’s lawyer also stated that documents produced in the discovery process indicated that at least four countries were NSO Group’s customers. Although the company has yet to publicly confirm these details. The judge in the case also acknowledged the complexity of determining which clients were involved in the attacks. Noting that WhatsApp had been unable to discover whether NSO’s screening procedures for clients were properly followed.
Throughout the years, NSO Group’s Pegasus spyware has been at the center of several high-profile cases involving journalists, human rights defenders. And dissidents being targeted by governments using the tool for surveillance. Many of the countries mentioned in the victim list, including Mexico, Hungary, Spain, and the United Arab Emirates, have been linked to such surveillance activities. The recent court revelations suggest that these activities are part of a broader pattern of government use of sophisticated spyware tools to monitor individuals deemed to be threats to the state’s power.
WhatsApp, emphasized its commitment to pursuing the case further and obtaining damages as well as securing an injunction against NSO Group to protect users’ private communications. The tech company also expressed confidence that the upcoming trial would shed light on the extent of the damage caused by the hacking campaign and the role NSO Group played in facilitating the attacks.
This case remains ongoing, and it is clear that it could have significant implications not only for NSO Group but for the wider debate around the use of surveillance tools by governments.
