U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp


3/3/2024 · 2 min read

A U.S. judge has ruled that NSO Group must provide Meta with access to its source code for Pegasus and other software products as part of Meta's ongoing legal battle against the Israeli surveillance company.

The decision is a significant legal win for Meta, which filed the lawsuit in October 2019, alleging that NSO Group used WhatsApp's servers to deliver spyware to around 1,400 mobile devices between April 29 and May 10 of that year. Among the targets were approximately two dozen Indian activists and journalists.

The attacks exploited a then-unpatched buffer overflow in WhatsApp's VoIP stack (CVE-2019-3568, CVSS score: 9.8), which allowed Pegasus to be delivered simply by placing a call to the target; the call did not need to be answered. The implant also erased the incoming-call records from the app's logs to evade detection.

According to court documents released recently, NSO Group has been ordered to provide details about the full functionality of the spyware in use from one year before to one year after the alleged attacks (April 29, 2018, to May 10, 2020). The company is not required to disclose its server architecture at this time, as the court found that Meta can derive those details from the full-functionality disclosure. Importantly, NSO Group is also not compelled to reveal the identities of its clients.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, praised the court's decision but expressed disappointment that NSO Group could maintain the secrecy of its clients, who were allegedly involved in the unlawful targeting.

NSO Group was added to the U.S. Commerce Department's Entity List in November 2021 for developing and supplying cyber weapons to foreign governments, which allegedly used these tools to maliciously target individuals including government officials, journalists, and activists.

Meanwhile, Meta is under increasing scrutiny from privacy and consumer groups in the European Union due to its "pay or okay" subscription model. Critics argue that this model presents users with a choice between paying a "privacy fee" or consenting to be tracked by Meta, potentially undermining GDPR regulations and turning privacy into a luxury rather than a fundamental right.

This development coincides with Recorded Future's revelation of a new multi-tiered delivery infrastructure associated with Predator, a mobile spyware managed by the Intellexa Alliance.

The network infrastructure is strongly linked to Predator customers, with presence observed in countries like Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, prior to this discovery, no Predator customers had been identified within Botswana and the Philippines.

Although Predator operators have adjusted their infrastructure in response to public reporting, their operational patterns remain consistent with only minor changes: they continue to register spoofed domains impersonating specific types of organizations, such as news outlets, and they keep to the same established infrastructure configurations.

Sekoia, in its report on the Predator spyware ecosystem, identified three domains associated with customers in Botswana, Mongolia, and Sudan. The report also noted a notable increase in generic malicious domains that lack indicators of specific targeted entities and potential customers.