Full Report
This is the first time representatives for the spyware maker have publicly named its government customers.
Analysis Summary
# Threat Actor: NSO Group Customers (Government Entities)
## Attribution & Identity
The primary entities implicated as users of the spyware are governments that allegedly purchased tools from NSO Group. NSO Group itself denies public discussion of its clientele but was implicated via its lawyer during legal proceedings.
**Known Aliases/Associated Groups:** N/A (Focus is on the *purchasers* of the spyware, not the threat actor *using* it, though the overall context involves NSO Group exploitation).
## Activity Summary
The article details an alleged 2019 hacking campaign targeting over 1,200 WhatsApp users. This campaign was reportedly facilitated by the exploitation of a vulnerability in WhatsApp between approximately April and May 2019. The information surfaced during a lawsuit filed by WhatsApp against NSO Group.
## Tactics, Techniques & Procedures
- Exploitation of vulnerabilities within WhatsApp messaging systems.
- Deployment of NSO Group’s **Pegasus spyware**.
- Specific campaign identified: Attack exploiting a vulnerability between April and May 2019 that successfully compromised over 1,200 users.
## Targeting
- **Sectors:** Human rights activists, journalists, and "other members of civil society."
- **Geography:** Governments named as customers accused of conducting the attacks are **Mexico, Saudi Arabia, and Uzbekistan**.
- **Victims:** Over 100 targeted victims identified by Citizen Lab who work in sensitive fields (activists, journalists, civil society members).
## Tools & Infrastructure
- **Malware families used:** **Pegasus** spyware (developed by NSO Group).
- **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
This revelation marks the first public acknowledgment by NSO Group representatives naming specific customers involved in the alleged abuse of their spyware technology, specifically linking sales to government entities suspected of large-scale surveillance against civil society. This confirms allegations regarding the scope and nature of surveillance conducted by these states using zero-click spyware capabilities.
## Mitigations
- **For Organizations/Users:** Organizations like WhatsApp deploy patches to close vulnerabilities exploited by commercial spyware vendors. Users should ensure endpoints are running the latest secure software versions.
- **For Defense Analysts:** Monitor for indicators related to zero-click exploitation of messaging platforms and investigate potential government spyware usage against high-risk individuals (journalists, activists) in the named geographical areas.