Wow, @WhatsApp just dropped a bunch of hacking group NSO's IPs in their latest filing. Notably, these were servers located in the USA. THREAD
It's going to be hard for NSO to credibly claim that there is no US nexus to their operations when they were busy paying for server space in American data centers.
And here you have it, NSO was rocking Amazon's cloud. You have to wonder whether their customers realized how exposed these operations were to the US...
The meat of these filings is @WhatsApp's rebuttal of NSO's claim that because they sell to foreign states, they should be immune to prosecution. "Here, NSO is a for-profit commercial company - decidedly not a foreign state."
The filing methodically goes through NSO's claim for derivative sovereign immunity, pointing out that "no established law recognizes the novel immunity NSO seeks"
Another point: NSO claims immunity because they work for governments, using as a factual basis a statement from their CEO Shalev Hulio. But Hulio didn't identify a single government that they worked for, or cite a single contract.
The filing seems to rebut NSO's claim that the @WhatsApp lawsuit had to join foreign governments to the case. WA: we are not seeking relief from the conduct of these govs., but from NSO. (dropping in the key disclaimer: IANAL)
Plenty of reasons for personal jurisdiction: (1) NSO accepted @whatsapp TOS w/ consent to CA jurisdiction & used services (2) NSO used CA servers incl. @QuadraNet (contract had a Cali law clause) & was funded by CA firm Francisco Partners (3) hacking was directed at WA infra in Cali.
A reminder that NSO has a subsidiary marketing arm in the US [my note: this is West Bridge Technologies], and one of its board members lives in the US... Also flagging the "significant engineering resources" @WhatsApp expended to investigate and remediate NSO's hacking.
Fun analogy: NSO saying the hacking didn't violate CFAA because they created a @WhatsApp account is like a reader hacking @nytimes servers and manipulating other readers' comments.... "untenable consequences would flow"
NSO cited only one case, Brekka, to make this argument, an employer-employee dispute, which WA says doesn't fit.
Interesting, among the harms @WhatsApp lists costs to investigate and remediate, including the cost of developing and pushing out updates to the app.
WA: NSO "misses the point" by saying that the total number of transmissions by NSO was small. The harm comes from the effect of those transmissions in impairing integrity, quality and value of @WhatsApp services.... not the total # of hacking attempts.
WA: loss of goodwill resulted from NSO's interference with our system. Also it cost us a lot of engineering time etc.
NSO's infrastructure keeps being exposed because they & some customers keep doing illegal, abusive things. If you are a law enforcement NSO customer when do you cut losses & look for a lower profile company that doesn't hit headline-making trouble every quarter?
And as an NSO customer, when do you start worrying that the FBI investigation might be logging who you are targeting with your fancy NSO deployment?…
Ah! Another interesting detail, @WhatsApp engineers observed 723 NSO attacks on users in which phones, once exploited, reached out to NSO-owned servers in California (104.223.76[.]220 - @QuadraNet & 54.93.81[.]200 - @amazon)
KEY TAKEAWAY: NSO says "our clients do the hacking, not us". This filing shows NSO purchasing & operating the servers doing the hacking. This makes the company look much more like hacking-as-a-service than software developers...
...moreover, if NSO runs these infection servers then they must have logs of the connections. Sounds like they should be able to know exactly who was targeted, down to the victim device IP and time. So much for denials that they can't see what customers are doing.
...Which makes you wonder: does NSO collect detailed intelligence on their customers? Do its customers realize that NSO has this level of total visibility into what they are doing?
Very helpful! @dguido uploaded the @WhatsApp vs. NSO filings to Court Listener.…
As @WhatsApp's filing shows, NSO is running some exploitation servers. Perhaps for the fancy zero-click vectors NSO handles the exploitation, then hands off to customers for full infection & C2. Side benefit to NSO: they don't leak fancy 0day to dubious customers. Guess-a-sketch:
Non-denials like "we don't operate the software for clients" are irrelevant. NSO could be doing the device exploitation, then handing off phones to customers, who then operate the C2 'software'. cc @shanvav…
NSO's US servers must be a treasure trove of:
- exploit kit & Pegasus payloads
- victim device info / IP etc.
- logs of NSO doing maintenance (would help prove they operated servers)
- any sketchy monitoring system NSO might use to track what its customers are doing
Thread by John Scott-Railton