Washington, US: “Eden has finished its duty with us. Eden/ Heaven/Hummingbird R.I.P,” the email read. In the summer of 2019, programmers at WhatsApp seemed to have won their year-long battle against the intruders who had been using its servers to plant malware to spy on the phones of thousands of political activists, government officials, scholars and journalists around the world. Later that year, WhatsApp parent company Meta named Israeli cyber-intelligence firm NSO as the perpetrator in a legal complaint.
Last week, US District Judge Phyllis Hamilton issued a summary judgment against NSO, rejecting the argument that it was not responsible for the actions of the governments that licensed its Pegasus cyber-espionage system for $6.8 million per year. The judgment also notes that NSO defied legal orders to produce evidence.
The judgment opens the way for hearings on damages which are scheduled to begin in March—the first-ever such proceedings against a corporate cyber-espionage firm.
Even as NSO’s Hummingbird cyber-espionage suit was shut down and litigation began, court filings reveal that the company continued to work on an improved tool, Erised, to attack WhatsApp.
The filings appear to confirm independent investigations that NSO produced and sold new cyber-espionage tools until last year, using a tool called BlastPass that penetrated iPhones using iOS16.6.
Lawyers have hailed the judgment as a landmark in the struggle to secure individual privacy against illegal surveillance by authoritarian regimes. “This judgment serves notice to manufacturers of spyware who have shunned responsibility by saying that whatever their customers do with the hacking tools is not their responsibility,” New York-based lawyer Mishi Choudhary told ThePrint.
The rise of Erised and BlastPass, though, suggest that it might take more than a judgment to control the work of cyber-espionage companies. Israeli-origin firm Cytrox, Toronto-based CitizenLab revealed in 2021, continues to sell its Predator espionage tools through a network of firms across the world. Another firm Candiru also sells similar products, as does the Italian Hacking Team.
“The American judgment definitely sets a new norm, and will deter spyware corporations from engaging in any operations which involve US-based technology companies,” an Indian intelligence official said. “That said, there are a lot of actors operating in the grey zone who will continue to find buyers in nation-states which don’t have their own communications intelligence capabilities.”
Also Read: ‘Huge win for privacy’: US court holds Pegasus spyware-maker NSO Group liable for hacking WhatsApp
Threat to the internet
Among the key factors in the legal pushback against cyber-espionage, experts say, is that US-based technology firms are increasingly worried that the proliferation of the technology could lead to its becoming available to organised criminal cartels and rogue states. This could enable the theft of valuable data and sabotage, even conceivably destabilising the internet itself.
The US government itself is also concerned that the spread of cyber-espionage tools could undermine the decisive edge its intelligence services currently enjoy, an expert said.
The threat extends from personal data to government secrets. “A hacker might work for an Israeli company today, but who’s to say where that know-how will end up tomorrow?” a senior Indian intelligence officer said.
The officer also noted the case has made clear that the NSO had access to data gathered by the governments who licensed it—a design-feature which could have enabled leaks of highly-sensitive data.
“Israel is a close US ally,” Choudhary observes, “yet the United States Government blacklisted firms like NSO and Candiru in 2021. That should make clear just how serious this issue is.”
Last month, the US government revealed that a China-based hacking network it identifies by the code-name Salt Typhoon had successfully infiltrated the country’s mobile telecommunications networks. The Salt Typhoon attacks come on the back of cyber-espionage operations involving entities in China, Iran, Russia and North Korea. There were also a wave of attacks on the energy sector in Western countries in October.
Threats of this order are increasingly widespread. In November, Turkish defence firms were targeted by a South Asia-based hacking network, which is alleged to have been previously responsible for operations in China, Pakistan, India, Saudi Arabia, and Bangladesh.
State protection?
Even as lawyers for Meta pushed NSO to disclose information on its cyber-espionage tools—which allowed phones to be compromised with any user-side actions, like clicking a link—the Israeli company doggedly refused to cooperate.
NSO, the judgment notes, produced the Pegasus source-code “in a manner that is unusable in this litigation, as it is viewable only by Israeli citizens while in Israel.” Even that production, the judge recorded, was limited to Pegasus code on one Amazon cloud server, rather than a fully-functional example.
Israeli courts blocked NSO from producing documents or technical materials without the authorisation of Israeli authorities, The Guardian reported in July. The existence of the order itself was also made secret, and a gag-order prevented case-related government actions from being made public in Israel.
Tamil Gazneli, NSO’s head of research and development, however, testified in the court proceedings that Pegasus was deployed against “between hundreds and tens of thousands” of target devices.
In February, 27 countries signed a declaration committing member-states to develop guidelines to prevent the use of commercial spyware “in ways that threaten the stability of cyberspace or human rights and fundamental freedoms, or in a manner inconsistent with applicable international law”.
The so-called Pall Mall Declaration says “actions should be taken, as appropriate, to hold States accountable whose activity is inconsistent with international human rights law”. Israel and India are not part of this grouping.
“The underlying thrust of the argument is that cyber-espionage technologies should be tightly controlled by nation-states, in much the same way nuclear-weapons technology is. The Western consensus seems headed towards creating conventions to regulate this technology, in the same way there are regimes for missile and nuclear-weapons technology,” a Washington-based diplomat said.
Laws which could emerge from the process, another expert said, could pose an obstacle for future Indian acquisition of communications intelligence tools, since its intelligence services operate outside a clear legislative framework.
“There is no political will to subject surveillance to rule of law in India,” Choudhary notes. A Supreme Court-ordered investigation into the alleged illegal surveillance of dozens of individuals using the Pegasus spyware is yet to be made public, though it was completed in 2022.
(Edited by Tony Rai)