Full Report
This is the first time representatives for the spyware maker have publicly named its government customers.
Analysis Summary
# Threat Actor: NSO Group Customer Base (State Actors utilizing Pegasus)
## Attribution & Identity
The threat actor in this context refers to the **customers** of NSO Group, the developers of the Pegasus spyware.
- **Attributed Customers (Named in court):** Governments of Mexico, Saudi Arabia, and Uzbekistan.
- **Associated Producer:** NSO Group (Israeli spyware maker).
## Activity Summary
The key activity summary revolves around a **2019 hacking campaign** that utilized NSO Group’s Pegasus spyware.
- This campaign targeted over 1,200 WhatsApp users.
- The revelation of the customers occurred during a public hearing in the lawsuit between WhatsApp (Meta) and NSO Group.
- NSO Group had previously refused to publicly acknowledge or discuss its clientele.
- A lawsuit complaint indicates at least eight customers are involved, though only three were named publicly during the hearing.
## Tactics, Techniques & Procedures
- **Exploitation of Zero-Day Vulnerability:** The attackers exploited a vulnerability in WhatsApp’s systems.
- **Timeline:** The exploitation occurred between approximately April and May 2019.
- **Payload:** Use of NSO Group’s **Pegasus spyware**.
- **Targeting Technique:** The attack was executed via the WhatsApp messaging app.
- **MITRE ATT&CK IDs:** (Not explicitly provided in the text, but the activity implies exploitation and remote code execution against mobile/endpoint devices.)
## Targeting
- **Sectors:** Human rights activists, journalists, and "other members of civil society."
- **Geography:** Customers identified are from Mexico, Saudi Arabia, and Uzbekistan (implied targeting may be within or outside these jurisdictions by these state actors).
- **Victims:** Over 100 targeted victims identified by Citizen Lab were human rights activists, journalists, and civil society members.
## Tools & Infrastructure
- **Malware families used:** Pegasus spyware (developed by NSO Group).
- **Infrastructure:** Exploitation details centered on the **WhatsApp messaging app** vector.
## Implications
The implication is the public confirmation by legal representatives of NSO Group that specific state governments (Mexico, Saudi Arabia, Uzbekistan) were responsible for deploying powerful surveillance tools like Pegasus against vulnerable targets, validating previous investigative work by groups like Citizen Lab. This severely implicates these governments in potential state-sponsored surveillance and espionage against civil society.
## Mitigations
- Patching and updating mobile operating systems and applications immediately (as the attack leveraged a WhatsApp vulnerability).
- Given the nature of the attack, organizations should implement defense-in-depth security strategies, especially for high-risk individuals like journalists and activists.
- Investigating potential compromise via mobile messaging applications.