Senior officials from some 20 countries that are allied with the United States were reportedly the targets of a hacking campaign by the Israeli firm NSO Group that used the popular WhatsApp messaging service.
Citing people familiar with an internal investigation by the Facebook-owned WhatsApp, Reuters reported Thursday that a “significant” number of the victims were prominent government and military officials.
The report came days after WhatsApp filed a lawsuit in the US against NSO Group, accusing it of using the hugely popular instant messaging platform to conduct cyberespionage on nearly 1,400 journalists, diplomats, dissidents and human right activists worldwide.
The Israeli firm has denied journalists and activists were targeted and said that it only licenses its software to governments for “fighting crime and terror.”
According to Reuters, victims of the hacking campaign included people in the United States, Mexico, Bahrain, United Arab Emirates, Pakistan and India, but it was unclear whether government officials in those countries were affected.
Also Thursday, India demanded answers from WhatsApp over the snooping scandal after coming under fire from critics who accused authorities of using malware installed the messaging service to spy on citizens.
Nearly two dozen activists, lawyers and journalists were targeted in India — WhatsApp’s biggest market with some 400 million active users — according to Indian media reports.
The Indian Express reported WhatsApp confirmed a number of Indian users had been targeted by NSO Group’s Pegasus spyware, which installed itself on their devices and relayed back data to the hackers.
New Delhi has asked WhatsApp to “explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” Information and Technology Minister Ravi Shankar Prasad wrote on Twitter, denying the government had used the malware to spy on its citizens.
But opposition leaders accused the government of invading citizens’ privacy.
Indian media reports said 20 activists, lawyers and journalists were informed by WhatsApp recently that their phones were compromised for two weeks in May.
On Tuesday, the head of WhatsApp said the lawsuit was filed after an investigation showed NSO Group’s role in the cyberattack, despite its denials.
“NSO Group claims they responsibly serve governments, but we found more than 100 human rights defenders and journalists targeted in an attack last May. This abuse must be stopped,” Will Cathcart said on Twitter.
The lawsuit said Pegasus was designed to be remotely installed to hijack devices using the Android, iOS, and BlackBerry operating systems.
The complaint said the attackers “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code” to take over the devices.
The suit calls on the court to order NSO Group to stop any such attacks and asks for unspecified damages.
NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates.
Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.
Danna Ingleton of Amnesty International said the results of the WhatsApp investigation “underscore that NSO Group continues to profit from its spyware products being used to intimidate, track, and punish scores of human rights defenders across the globe, including the Kingdom of Bahrain, the United Arab Emirates and Mexico.”
Ingleton said Amnesty and other groups are seeking in the Israeli courts to block NSO from exporting the technology.