By Dov Lieber, Valentina Pop and Robert McMillan
A team of European law-enforcement officials was hot on the trail of a potential terror plot in October, fearing an attack during Christmas season, when their keyhole into a suspect's phone went dark.
WhatsApp, Facebook Inc.'s popular messaging tool, had just notified about 1,400 users -- among them the suspected terrorist -- that their phones had been hacked by an "advanced cyber actor." An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation.
A judge in the Western European country had authorized investigators to deploy all means available to get into the suspect's phone, for which the team used its government's existing contract with NSO. The country's use of NSO's spyware wasn't known to Facebook. NSO licenses its spyware to government clients, who use it to hack targets.
On Oct. 29, Facebook filed suit against NSO -- which has been enmeshed in controversy after governments used its technology to spy on dissidents -- in federal court in California, seeking unspecified financial penalties over NSO's alleged hacking of WhatsApp software. It also sought an injunction prohibiting NSO from accessing Facebook and WhatsApp's computer systems.
NSO said it is vigorously defending itself against the lawsuit, without elaborating.
Technology companies such as Facebook and Apple Inc. over recent years have strengthened the security of their systems to the point where even the tech companies themselves can't provide law-enforcement agencies with messages created on their own systems.
Private companies, meanwhile, have stepped in to fill the gap by devising new ways of extracting data from computers and mobile devices. Facebook said in the lawsuit that spyware was installed by hacking WhatsApp's video-calling function.
The thwarted terror investigation, as described by the law-enforcement official, spotlights an increasingly common clash of concerns over public security and personal privacy. Tech companies have come under growing pressure in the U.S. and Europe to give law enforcement a back door into encrypted messages. But they are also under fire for not doing enough to protect the privacy of their users and, in some jurisdictions, they have legal obligations to disclose security breaches.
WhatsApp's Oct. 29 message to users warned journalists, activists and government officials that their phones had been compromised, Facebook said. But it also had the unintended consequence of potentially jeopardizing multiple national-security investigations in Western Europe about which Facebook hadn't been alerted -- and about which government agencies can't formally complain, given their secret nature.
"The hacking methods described in our lawsuit against the NSO Group are illegal. We remain committed to the security and protection of users from cyberattacks," WhatsApp said.
NSO told The Wall Street Journal that its technology "is only licensed, as a lawful solution, to government intelligence and law-enforcement agencies for the sole purpose of preventing and investigating terror and serious crime. As our technology is operated solely by the law enforcement or intelligence agencies themselves, NSO does not comment on related operational issues."
After an investigation, Facebook said it linked servers and WhatsApp accounts used in the hack to NSO. It alleges in the lawsuit that the hacking was done to install NSO's spyware, called Pegasus, on targets' devices. NSO hasn't responded to questions about whether it installed the spyware.
NSO has faced criticism for selling its products to government agencies in the Middle East, Mexico and India, which Facebook and human-rights research group Citizen Lab, among others, allege used them to spy on dissidents, religious leaders, journalists and political opponents. Among the 1,400 WhatsApp users notified in October, more than 100 fell into these categories, Citizen Lab said. The group, which is based at the University of Toronto's Munk School of Global Affairs and Public Policy, worked with Facebook on identifying these people.
NSO said most of its customers are democratic European governments that use its products in criminal and terror investigations. The company also maintains that it isn't privy to the identities of people surveilled by governments using its technology. NSO says it investigates any misuse of its technology it learns of, such as surveillance outside of a criminal investigation. It says it doesn't allow mass surveillance and that Israel's defense ministry must approve any foreign sale of its products.
Government agencies in many Western European countries employ several companies at once, layering the surveillance technology to increase the variety of devices that can be hacked and to have backups if one technology fails or is rendered useless, one current and one former European security official said. In some cases, they said, NSO's spyware was the best way to learn details of criminal plots.
Citizen Lab has issued reports for several years linking NSO's spyware to governments with a history of human-rights abuses, and said that record should put NSO out of the running for government contracts from Western agencies, said Ronald Deibert, Citizen Lab's director. "What we have been trying to do with our research is to raise alarm bells."
WhatsApp, which notified the Justice Department about the hacking in May, called in October for a moratorium on the use of tools such as NSO's, saying they need legal oversight to prevent their misuse.
A Justice Department spokesman declined to comment.
WhatsApp isn't the only tech entity targeted by NSO's technology: In 2016, Apple also released a security patch to close a vulnerability that allowed iPhones to be hacked.
On the day WhatsApp sent its alert, the official overseeing the terror investigation in Western Europe said, he was stuck in traffic on his way to work when a call came in from Israel. "Have you seen the news? We've got a problem," he said he was told. WhatsApp was notifying suspects whom his team was tracking that their phones had been hacked. "No, that can't be right. Why would they do that?" the official said he asked his contact, thinking it a joke.
The most immediate concern was a suspected terrorist investigators linked to Islamic State. They had received a tip he was part of a group plotting an attack around Christmas. Once they saw the suspect's phone receive WhatsApp's alert, the phone went dark, the official said. The sleuths soon lost access to the suspect's messages, the official said, indicating he had discarded or disabled the phone.
"We only had that one phone," the official said. "We put all our efforts into using this product to see what he was doing, which mosque he was going to, who was talking to him, whether the group was spread in neighboring countries."
The interception of data from the suspect's phone had gone on for just a few days before WhatsApp alerted the target. This meant the monitoring period had been too short to glean details of the suspected plot, the official said. The suspect had left his phone at home when he went out and was sending only brief messages, making investigators' work more difficult.
Then WhatsApp sent its message: "An advanced cyber actor exploited our video calling to install malware on user devices. There's a possibility this phone number was impacted."
"WhatsApp killed the operation," the official said. The terror suspect is still under traditional surveillance. But human resources are spread thin, the official said, especially around the winter holidays, which in Europe extend into early January and are a time when terrorists have staged attacks on the continent. "He's not the only suspect we have to follow."
The European official said NSO spyware had enabled his team to learn details of a separate gang of violent bank robbers and weapons traffickers and have police arrest them as they were about to commit a crime. In that case, they got lucky, the official said: "One gang member's phone we had infiltrated was already in police custody when the WhatsApp message landed."
The official said counterparts in other Western European countries told him more than 10 of their investigations may have been compromised by the WhatsApp alert. "I talked about it with my colleagues," the official said. "They also couldn't believe this was happening. It affected them more because they used this WhatsApp tool more than we did." The former security official, from a different nation in Western Europe, said several countries there rely on NSO spyware in counterterrorism investigations.
Facebook and other U.S. technology companies often inform users when a government agency is legally requesting their data, unless prohibited by law or if the company believes there are "exceptional circumstances, such as child-exploitation cases," Facebook says on its website.
NSO's technology bypasses the traditional legal request process, however, according to Facebook, Citizen Lab and others.
"From the company's perspective, the data has been stolen and some of the companies obligate themselves in their terms of service to notify their customers when a theft of data occurs," said Gregory Nojeim, senior counsel with the Center for Democracy and Technology, a nonprofit privacy-advocacy organization.
In a move highlighting the complex legal landscape tech companies and law enforcement must navigate in Europe, new European Union rules kicking in by the end of 2020 will oblige telecommunications companies, including Facebook, Google and Skype, to warn customers about security threats precisely the way WhatsApp notified its users in October.
Dow Jones Newswires
January 02, 2020 15:44 ET (20:44 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.