NSO Group Fined $167M for Spyware Attacks on 1,400 WhatsApp Users

A U.S. federal jury has handed down a landmark verdict, ordering Israeli spyware vendor NSO Group to pay WhatsApp a staggering $167,254,000 in punitive damages and $444,719 in compensatory damages for a 2019 campaign that targeted 1,400 users of the popular communication app.

The verdict is considered a significant milestone in the fight against cybercrime and the exploitation of vulnerable software vulnerabilities. Meta, WhatsApp's owner, hailed the decision as "an important step forward for privacy and security." The company praised the jury's recognition of NSO Group's malicious actions and its determination to hold the spyware vendor accountable.

The fines stem from a May 2019 campaign when NSO attempted to infect 1,400 WhatsApp users with its Pegasus spyware using a WhatsApp zero-day vulnerability. The vulnerability, CVE-2019-3568, allowed attackers to send specially crafted RTCP packets to a target phone number, exploiting the device and installing the spyware even if the recipient did not answer the call.

Meta filed the lawsuit against NSO Group on October 29, 2019, alleging that the spyware vendor had exploited a vulnerability in WhatsApp's calling feature to deliver its Pegasus spyware to approximately 1,400 users. The targets included human rights activists, journalists, and diplomats, according to court documents.

The trial revealed that NSO Group was directly involved in infection operations and spent tens of millions of dollars developing multiple infection channels besides WhatsApp. Court documents also showed that the spyware vendor used at least one more zero-day vulnerability in WhatsApp software to target users with spyware even after Meta's lawsuit had been submitted.

In a surprising twist, Judge Phyllis J. Hamilton ruled that NSO Group was liable for violating U.S. hacking laws and WhatsApp's Terms of Service, granting partial summary judgment in WhatsApp's favor and moving the case to a jury trial to determine damages.

The verdict is considered a significant deterrent against the commercial spyware industry, which has long been accused of exploiting vulnerabilities in software to install malware on unsuspecting users.

A New Era for Cybersecurity

CitizenLab researcher John Scott-Railton welcomed the court's decision, warning that spyware firms could be next. "The verdict sends a clear message: those who develop and use illegal spyware will be held accountable," he said.

The case is likely to have far-reaching implications for the cybersecurity industry, as it sets a new standard for holding companies accountable for their actions. As one expert noted, "This verdict marks an important turning point in the fight against cybercrime."

What's Next?

For those interested in diving deeper into the details of the case, Meta has published transcribed NSO Group depositions.

If you're concerned about your own online safety and security, stay tuned for our upcoming series on the top 10 MITRE ATT&CK techniques behind 93% of attacks. We'll explore the tactics and strategies used by hackers to exploit vulnerabilities in software and hardware.