NSO lawyer names Mexico, Saudi Arabia, and Uzbekistan as spyware customers accused of 2019 WhatsApp hacks

The governments of Mexico, Saudi Arabia, and Uzbekistan have been amongst a number of nations accused of being behind the 2019 hacking marketing campaign that focused greater than 1,200 WhatsApp customers with NSO Group’s Pegasus spy ware, in keeping with a lawyer working for the Israeli spy ware maker.

Throughout a listening to within the lawsuit between WhatsApp and NSO Group final Thursday, NSO Group’s lawyer Joe Akrotirianakis particularly named the three governments as spyware-using clients, according to a transcript of the hearing obtained by TechCrunch this week.

That is the primary time that representatives for NSO Group have publicly acknowledged who the spy ware maker’s clients are (or have been), after years of refusing to debate its clientele, arguing that the corporate was “unable” to take action, an NSO Group spokesperson instructed TechCrunch in 2023, for instance. 

The revelation comes as a part of a lawsuit introduced by Meta-owned WhatsApp in 2019, which accused NSO Group of hacking around 1,400 WhatsApp users by exploiting a vulnerability within the messaging app’s methods between round April and Could that very same yr.

The content material of final week’s listening to was first reported by Courthouse News Service.

Within the lawsuit’s criticism, WhatsApp claimed that there have been greater than 100 focused victims who work as human rights activists, journalists, and “different members of civil society.” Citizen Lab, a digital rights group that has investigated authorities spy ware abuses for greater than a decade, said in a report at the time that it helped WhatsApp establish these victims.  

Final week, NSO Group’s lawyer Akrotirianakis instructed the decide that, “there’s a minimum of eight clients whose names are a part of the invention on this case,” however solely named three through the listening to. 

On the similar time, the lawyer additionally hinted {that a} record of nations included in a court document unsealed final week, which shows in which countries 1,223 victims of the 2019 spyware campaign were located, can also be an inventory containing NSO Group clients. 

“Pegasus was licensed for territories and it will possibly solely be utilized in these territories,” stated Akrotirianakis, referring to NSO Group’s marquee spy ware. 

Aside from Mexico and Uzbekistan, the record of 51 nations consists of Bahrain, India, Morocco, Spain, United Kingdom, and the US. Saudi Arabia, which was talked about by NSO Group’s lawyer within the listening to, nevertheless, doesn’t seem within the record. 

This may very well be defined by the truth that some NSO Group’s clients can goal people outdoors of their very own territory. For instance, in 2017, Citizen Lab reported that there was “circumstantial proof” to counsel that a number of of NSO Group’s authorities clients in Mexico focused a number of people, together with the kid of a widely known Mexican journalist, who was in the United States on the time he was focused. 

Reached by TechCrunch previous to publication, NSO Group spokesperson Gil Lainer declined to remark. When requested, Lainer didn’t dispute that Mexico, Saudi Arabia and Uzbekistan have been three firm clients on the time of the WhatsApp spy ware marketing campaign.

WhatsApp’s spokesperson Zade Alsawah instructed TechCrunch that the corporate is wanting ahead “to the upcoming trial to find out damages, and securing an injunction in opposition to NSO to guard WhatsApp and folks’s non-public communication.”

On Tuesday, in a pre-trial order, the decide presiding over the lawsuit stated that whereas NSO Group stated that paperwork supplied as a part of the lawsuit’s discovery interval establish “a minimum of 4 nations as NSO clients,” the corporate has not but publicly confirmed that these nations are its clients. 

“The evidentiary file is opaque as to which of [NSO’s] purchasers have been liable for the assaults at situation, and thus [WhatsApp] have been unable to find proof about whether or not screening procedures have been adopted with respect to these purchasers,” wrote the decide. “Furthermore, to the extent that the events talk about details relating to purchasers who have been discovered to have misused Pegasus, these details seem to have come from media experiences, slightly than from defendants.”

For years, organizations like Citizen Lab and Amnesty Worldwide have documented instances the place Pegasus was used to focus on or hack journalists, dissidents, and human rights defenders in a number of the nations talked about within the sufferer record, corresponding to Mexico, Hungary, Spain, and the United Arab Emirates, amongst a number of others.

TechCrunch reached out for remark to the embassies of Mexico, Saudi Arabia, and Uzbekistan within the U.S. and can replace the story if we obtain a response.

Up to date all through with background and extra context.