US court orders NSO Group to hand over Pegasus spyware code to WhatsApp

02 March 2024 | Pressroom | Spyware/Privacy


A US judge has ordered NSO Group to hand over the source code of Pegasus and other products to Meta as part of ongoing litigation between the social media giant and the Israeli spyware vendor.

The decision marks a major legal victory for Meta, which filed a lawsuit in October 2019 over the use of its infrastructure to distribute the spyware to approximately 1,400 mobile devices between April and May. The targets also included two dozen Indian activists and journalists.

These attacks exploited a then-zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice calling functionality, to deliver Pegasus merely by placing a call, even in scenarios where the calls went unanswered.


Additionally, the attack chain included steps to wipe incoming call information from logs in an attempt to evade detection.

Court documents released late last month show that NSO Group was asked to “produce information regarding the full functionality of the spyware in question”, specifically for a period between one year before the alleged attack and one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).

That said, the company is not required to “provide specific information regarding the server architecture at this time” because WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Perhaps even more significant is the fact that the company was spared from sharing the identities of its clientele.

“While the court’s decision represents a positive development, it is disappointing that NSO Group is allowed to continue to keep secret the identities of its clients responsible for this illegal attack,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.

NSO Group was sanctioned by the United States in 2021 for developing and supplying cyber weapons to foreign governments who “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy employees.”


The development comes as Recorded Future revealed a new multi-tiered distribution infrastructure associated with Predator, a mercenary mobile spyware operated by the Intellexa Alliance.

The infrastructure network is most likely associated with Predator customers, including in countries such as Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, Philippines, Saudi Arabia, and Trinidad and Tobago. It is worth noting that no Predator customers have been identified in Botswana and the Philippines so far.

“Although Predator operators respond to public reports by altering some aspects of their infrastructure, they appear to persist with minimal changes to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established rules and configurations infrastructure,” the company said.
