Facebook-NSO lawsuit: Hundreds of WhatsApp attacks linked to one IP address

The legal case between Facebook and Israeli spyware vendor NSO Group is starting to yield the details tech and cyber-security experts have been waiting since Facebook filed its lawsuit in October 2019.

In court documents filed yesterday, Facebook said it linked 720 instances of attacks against WhatsApp users to one single IP address.

The attacks were carried out against WhatsApp users in the spring of 2019. The exploit used in the attack was a zero-day in the WhatsApp VoIP feature.

Facebook sued NSO last year for developing the exploit and making it available to its customers (foreign governments), who then used it to hack WhatsApp users.

This included more than 1,400 users, according to Facebook count, and included the likes of attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.

The exploit had the ability to infect a phone with the Pegasus malware, which then pinged NSO command and control servers for instructions on what commands to execute and what data to steal.

Hundreds of attacks linked to one US server

“I have reviewed the malicious code sent during the attack described in the Complaint,” said Claudiu Gheorghe, a software engineering manager for WhatsApp in court documents filed by Facebook’s legal team last night.

“That malicious code was designed to cause a WhatsApp user’s mobile device to connect to a remote server not associated with WhatsApp. The IP address of the remote server was included in the malicious code,” Gheorghe said.

“In 720 instances of the attack, the remote server’s IP address was 104.223.76.220. In 3 instances of the attack, the remote server’s IP address was 54.93.81.200,” Gheorghe added.

The first of these IPs, and the one most commonly observed by WhatsApp engineers, belongs to QuadraNet Enterprises LLC, a Los Angeles-based data center provider.

The small detail to what IP address a hacked WhatsApp user has communicated is now crucial in the case after earlier this month, the NSO Group legal team filed a motion to dismiss the case, citing a long list of reasons, including the lack of jurisdiction of a California court to preside over the case.

But Facebook’s legal team says this argument is faulty as NSO has been taking financing from a California private equity firm, and has been relying on servers located in the state.

“To execute its scheme and install its spyware on WhatsApp users’ devices, NSO separately entered into a contract with a California-based technology company, QuadraNet, that included a California choice-of-law clause,” Facebook said, claiming that its lawsuit needs to allow to continue.

Facebook NSO is not immune because it sells to governments

In its 35-page document, Facebook also brought counter-arguments to all the items raised by NSO’s motion to dismiss the case earlier this month.

While most of the document is legalese sword-fighting between oppossing and expensive legal teams, there is also another interesting item raised by both teams.

Earlier this month, the NSO legal team argued that the company should be immune to prosecution because it was contracted by a foreign government.

In its counter-argument, Facebook claimed that NSO has not produced evidence, such as a contract, that it worked for any foreign government, nor that there is any law that grants immunity to contractors acting on behalf of a government.

Facebook said last year, and reiterated again yesterday, that the hacks caused reputational damage to its WhatsApp product and it now wants to hold NSO responsible and liable for damages.

In a statement last year, NSO told ZDNet that its product had been designed to help law enforcement and intelligence services fight terrorism and serious crime.

An NSO spokesperson did not return a request for comment on Facebook’s counter-motion.