NSO Spyware: Mexico, Saudi Arabia, Uzbekistan Linked to WhatsApp Hacks

Governments Accused in 2019 WhatsApp Spyware Campaign

The administrations of Mexico, Saudi Arabia, and Uzbekistan are reportedly among those implicated in a 2019 hacking operation. This campaign affected over 1,200 WhatsApp users through the deployment of NSO Group’s Pegasus spyware, as stated by legal counsel representing the Israeli spyware developer.

NSO Group Identifies Customers

During a court hearing concerning the lawsuit between WhatsApp and NSO Group last Thursday, Joe Akrotirianakis, NSO Group’s attorney, explicitly identified the three aforementioned governments as clients utilizing the spyware. This information was gleaned from a hearing transcript reviewed by TechCrunch this week.

This marks the first instance of NSO Group representatives publicly acknowledging the identities of its customers – or former customers. For years, the company had refrained from disclosing its clientele, citing an “inability” to do so, as a spokesperson indicated to TechCrunch in 2023.

Lawsuit Details and Targeted Individuals

The disclosure arises from a lawsuit initiated by WhatsApp, owned by Meta, in 2019. The suit alleges that NSO Group hacked approximately 1,400 WhatsApp users by exploiting a security flaw within the messaging application’s systems between April and May of that year.

Initial reports regarding the hearing’s content were published by Courthouse News Service.

WhatsApp’s initial complaint asserted that over 100 targeted individuals were human rights advocates, journalists, and other members of civil society. Citizen Lab, a digital rights organization with extensive experience in investigating government spyware misuse, assisted WhatsApp in identifying these victims, as detailed in a report released at the time.

Further Customer Information

Last week, Akrotirianakis informed the judge that “at least eight customers” are identified within the evidence presented in the case, though only three were named during the hearing.

He also suggested a connection between a list of countries contained in a recently unsealed court document – detailing the locations of 1,223 victims of the 2019 spyware campaign – and NSO Group’s customer base.

“Pegasus was licensed for specific territories and its use was restricted to those areas,” Akrotirianakis explained, referencing NSO Group’s flagship spyware product.

Geographic Scope of the Campaign

Beyond Mexico and Uzbekistan, the list of 51 countries includes Bahrain, India, Morocco, Spain, the United Kingdom, and the United States. Notably, Saudi Arabia, mentioned by NSO Group’s lawyer, is not present on this list.

This discrepancy may be attributed to the possibility that some NSO Group customers targeted individuals outside their national borders. Citizen Lab previously reported in 2017 on “circumstantial evidence” suggesting that a Mexican government client of NSO Group targeted an individual in the United States, specifically the child of a prominent Mexican journalist.

Company Response and Ongoing Litigation

Gil Lainer, an NSO Group spokesperson, declined to provide a comment when contacted by TechCrunch. However, Lainer did not refute the assertion that Mexico, Saudi Arabia, and Uzbekistan were clients of the company during the time of the WhatsApp spyware campaign.

Zade Alsawah, a WhatsApp spokesperson, stated that the company anticipates the upcoming trial to determine damages and to secure an injunction against NSO Group, aiming to protect WhatsApp and the privacy of its users’ communications.

Court Findings and Evidentiary Challenges

In a pre-trial order issued on Tuesday, the presiding judge acknowledged that NSO Group’s submitted documents identify “at least four countries as NSO customers,” but noted that the company has not yet publicly confirmed these relationships.

The judge further observed, “The evidentiary record lacks clarity regarding which of [NSO’s] clients were responsible for the attacks in question, hindering [WhatsApp’s] ability to uncover evidence concerning adherence to screening procedures for those clients.” The judge also pointed out that information regarding client misuse of Pegasus largely originates from media reports, rather than from the defendants themselves.

Broader Concerns About Spyware Abuse

For several years, organizations such as Citizen Lab and Amnesty International have documented instances of Pegasus being used to target journalists, dissidents, and human rights defenders in numerous countries, including Mexico, Hungary, Spain, and the United Arab Emirates.

TechCrunch contacted the embassies of Mexico, Saudi Arabia, and Uzbekistan in the U.S. for comment and will update this story upon receiving a response.

This article has been updated throughout to include additional background information and context.