NSO Group partly disputes claim about use of U.S.-based servers in WhatsApp spy campaign

NSO Group is claiming in court that WhatsApp's allegations that it used U.S.-based infrastructure to spy on WhatsApp users are false.

Israeli surveillance software company NSO Group is back in court disputing WhatsApp’s claims that it used U.S.-based infrastructure to launch spyware against thousands of WhatsApp users last year.

In court documents filed Thursday, NSO Group rejected Facebook-owned WhatsApp’s allegations that NSO Group used servers from a Los Angeles-based hosting provider, QuadraNet, over 700 times to target WhatsApp users.

“Plaintiffs’ new claims about QuadraNet are false: NSO did not contract with QuadraNet to use its California servers,” the filing reads.

NSO Group claimed in the filings that even if its spyware, Pegasus, did use QuadraNet servers, it was third-party activity. The company sells its software around the globe to intelligence and law enforcement agencies.


“If Pegasus messages did pass through QuadraNet servers, they would have been sent by NSO’s customers, not NSO,” the filing states. “We repeat: NSO Group does not operate the Pegasus technology for its clients,” the spokesperson added.

NSO Group CEO Shalev Hulio said in the filings that he “was not aware of any contract between NSO and QuadraNet.”

The filing is just the latest effort in the ongoing legal battle between WhatsApp and NSO Group over whether NSO Group allegedly used WhatsApp to surveil users in the spring of 2019. NSO Group has denied the accusations. It comes just days after Facebook claimed that NSO Group’s law firm has a conflict of interest given it previously represented WhatsApp in a case that is related to this one.

NSO Group’s filing did not address Facebook’s request.

The pushback on whether NSO Group used U.S.-based infrastructure to lob its attacks is the latest effort from NSO Group to refute WhatsApp’s claims that it has jurisdiction to sue NSO Group in a California-based court. NSO Group has argued that because it isn’t based in California, the case can’t proceed there.


But the filings also show NSO Group arguing, as it has time and time again, that its spyware isn’t capable of running in the U.S., and that it isn’t responsible for the targeting of its spyware, which has been alleged to target human rights defenders, journalists and others.

WhatsApp’s allegations about the California servers could upend NSO Group’s line of defense.

NSO Group did not, however, dispute claims that it used a remote server hosted by Amazon — another claim WhatsApp filed last week.

Procedurally, the judge should not pay any mind to WhatsApp’s claims about QuadraNet servers, NSO Group argued, because those allegations weren’t filed in the original complaint.

“Plaintiffs’ assertions about QuadraNet’s California servers … should be disregarded because they are not in the Complaint. The Complaint alleged that NSO used QuadraNet servers located in the United States, not specifically in California,” the filing said. “If Plaintiffs want to clarify their allegations, they must amend the Complaint.”


CFAA claims

In an attempt to degrade WhatsApp’s argument that NSO Group has violated the Computer Fraud and Abuse Act (CFAA), NSO Group claimed its activities were authorized by WhatsApp.

“Plaintiffs concede NSO had limited authorization to send messages … so they cannot claim NSO acted … ‘without authorization’ under the CFAA by sending messages,” the filings state. “Plaintiffs seek to enforce the [terms of service]’s terms against NSO, thereby admitting that NSO’s right to access WhatsApp’s servers was created and regulated by the TOS.”

This line of argument may be on shaky ground, John Scott-Railton, a senior researcher at the University of Toronto Munk School of Global Affairs and Public Policy, told CyberScoop.

“What I find most remarkable about their filing is their claim that NSO was an authorized user of WhatsApp, and that because their infection attempts targeted users, not WhatsApp (their claim), their messages were authorized,” Scott-Railton said. “This logic would say that if I send ransomware emails to hospitals around the country, I’m still an authorized user of Gmail.”



Written by Shannon Vavra