A US federal jury ordered Israeli spyware company NSO Group to pay more than $167 million in damages for hacking the devices of approximately 1,400 WhatsApp users in 2019 using its Pegasus software.
The verdict delivered Tuesday after a five-year legal battle includes $167.25 million in punitive damages and $445,000 in compensatory damages to WhatsApp and its parent company, Meta.
The US District Court for the Northern District of California rejected NSO Group’s claim of sovereign immunity as a private company, finding that the Pegasus spyware exploited vulnerabilities in WhatsApp’s platform.
The Pegasus tool enabled “zero-click” attacks that could infect devices without any user interaction, a capability governments allegedly used to surveil journalists, dissidents and activists worldwide.
Meta hailed the ruling as “the first victory against illegal spyware that threatens the safety and privacy of everyone.”
“The jury’s decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and our users worldwide,” it said in a statement.
Evidence presented during the trial revealed WhatsApp was not NSO’s only target. Meta noted that while it stopped the attack vector that exploited the company’s calling system in 2019, “Pegasus has had many other spyware installation methods” targeting different technologies.
The case began in October 2019 when WhatsApp filed a lawsuit claiming that the NSO Group had deployed malware to some mobile devices.
The Kenyan government has announced plans to relocate its Ministry of Foreign Affairs headquarters from the Old Treasury building along Harambee Avenue to a new location.
Making the announcement on Friday, Foreign Affairs Principal Secretary (PS) Korir Sing’oei revealed that the government of China had offered to spearhead the construction project as a mark of appreciation for the 60 years that the two countries have enjoyed a close diplomatic relationship.
“Grateful to the Government of the People’s Republic of China for its commitment to support the Ministry of Foreign Affairs in the construction of the Ministry’s new headquarters as a visible marker of 60 years of diplomatic relations,” he said.
The PS added that he had met with the technical team but did not divulge further details, including the cost and location of the project, which is set to change the dynamics of international relations.
“Received the technical team in charge of project design in my office today.”
Spying
Many Kenyans have reacted sharply to the announcement with many expressing their fears that the Chinese government would use the building to extend their now common international espionage missions.
China has been accused in the past of making similar offers of construction projects only to end up planting spying devices, and these accusations have concerned not only African countries but also others around the world where the alleged espionage has come under scrutiny.
The May 2020 article by Voice of Africa (VOA) referenced a report by the Heritage Foundation, a U.S.-based conservative think tank, which stated that Chinese companies built at least 186 government buildings in Africa and 14 “sensitive intragovernmental telecommunications networks.”
“These buildings include residences for heads of state, parliamentary offices, and police or military headquarters,” the article read in part.
For these reasons, Kenyans have credible grounds to fear for their privacy. Here are some of the reactions from Kenyans to the news that China will build Kenya’s Foreign Office:
“Bugs from entrance to exit, bugs in the loo, bugs in the stairs, bugs on the window, bugs in the offices, bugs all over,” Richard Odiawo said.
“That will stealthily transmit everything live to Beijing like Big Brother Africa.” Kanyi Gioko.
Yano, another Kenyan added, “Building they’ll build alright but every inch of every room will be bugged with listening devices and cameras.”
“Bugged AU Addis HQ didn’t teach us anything?” Hot Shotcreative said.
Engineer Nyasireka, on X, warns of intense spying should the project succeed: “The Chinese built the African Union headquarters for free and proceeded to install sophisticated spy equipment. Even if the officials speak in Kalenjin only, trust some Chinese to translate it accurately.”
Ministry of Foreign Affairs officials when they held a meeting with the Chinese delegation in Nairobi.
Chinese hackers targeted Kenya
Last year, Reuters reported on how Chinese hackers targeted Kenya’s government in a widespread, years-long series of digital intrusions against key ministries and state institutions.
The hack aimed, at least in part, at gaining information on debt owed to Beijing by the East African nation: Kenya is a strategic link in the Belt and Road Initiative – President Xi Jinping’s plan for a global infrastructure network.
The hacks constitute a three-year campaign that targeted eight of Kenya’s ministries and government departments, including the presidential office, according to an intelligence analyst in the region.
An analyst also shared with Reuters research documents that included the timeline of attacks, the targets, and provided some technical data relating to the compromise of a server used exclusively by Kenya’s main spy agency.
A Kenyan cybersecurity expert described similar hacking activity against the foreign and finance ministries.
Between 2000 and 2020, China provided nearly $160 billion in loans to African countries, primarily for infrastructure projects.
Kenya used over $9 billion in Chinese loans to fund railways, ports, and highways. Beijing became Kenya’s largest bilateral creditor and a significant player in the East African consumer market and logistical hub.
However, by late 2019, Kenya’s financial strains were evident when a hack of a government-wide network was attributed to China.
The breach began with a “spearphishing” attack, where a Kenyan government employee unknowingly downloaded an infected document, allowing hackers to infiltrate the network and access other agencies.
The attacks appeared focused on Kenya’s debt situation. An intelligence analyst in the region claimed that Chinese hackers carried out a campaign against Kenya that began in late 2019 and continued until at least 2022.
Chinese cyber spies subjected Kenya’s president’s office, defense, information, health, land and interior ministries, counter-terrorism center, and other institutions to persistent and prolonged hacking activity.
The intelligence analyst working in the region said Chinese hackers carried out a far-reaching campaign against Kenya that began in late 2019 and continued until at least 2022.
According to documents provided by the analyst, Chinese cyber spies subjected the office of Kenya’s president, its defence, information, health, land and interior ministries, its counter-terrorism centre and other institutions to persistent and prolonged hacking activity.
More accusations of China hacking and spying
In Africa, Chinese-owned Huawei Technologies Co., the world’s largest telecommunications company, dominates markets and has publicly been selling legal security tools that governments use for digital surveillance and censorship.
The company has been accused of helping African governments spy on their political opponents, including intercepting their encrypted communications and social media, and using cell data to track their whereabouts.
In Uganda, Bobi Wine, a threat to the three-decade-long authoritarian regime of President Yoweri Museveni, had returned from Washington with U.S. backing for his opposition movement, and Uganda’s cyber-surveillance unit had strict orders to intercept his encrypted communications, using the broad powers of a 2010 law that gives the government the ability “to secure its multidimensional interests.”
Government officials asked Huawei for help hacking into Bobi Wine’s social media. The Huawei engineers, identified by name in internal police documents reviewed by The Wall Street Journal, used the spyware to penetrate Mr. Wine’s WhatsApp chat group, named Firebase crew after his band. Authorities scuppered his plans to organize street rallies and arrested the politician and dozens of his supporters.
In May 2018, Uganda’s Mr. Museveni signed a $126 million deal with Huawei for the safe-cities project after a classified bidding process involving two Chinese companies, paying $16.3 million up front and financing most of the rest with a $104 million loan from Standard Chartered Bank, according to documents presented to a parliamentary committee.
Ugandan intelligence officers have confirmed they were taught how to use the spyware for reading emails and texts but not encrypted communications.
In Zambia, according to senior security officials there, Huawei technicians helped the government access the phones and Facebook pages of a team of opposition bloggers running a pro-opposition news site, which had repeatedly criticized the then President Edgar Lungu.
The Huawei employees located the bloggers and were in contact with the police units deployed to arrest them.
Huawei technicians helped intercept the communications of opposition bloggers running a news site named Koswe, or “The Rat,” which had repeatedly criticized Mr. Lungu, the two Zambian officials in the Cybercrime Crack Squad said.
In 2012, a data theft incident began at the African Union (AU) Headquarters in Addis Ababa, Ethiopia, where information from the AU’s computer systems was allegedly transmitted to servers in China. This continued, at the same time every night, for five years, until it was discovered in January 2017.
The bulk of the computer systems that were compromised in the African Union Headquarters were supplied by Chinese telecommunications company Huawei.
The big question has been whether Chinese companies are just doing this for the money, or whether they’re pushing a specific kind of surveillance agenda.
Former US President Trump signed an executive order that allows the U.S. to ban telecommunications gear and services from “foreign adversaries,” a term widely interpreted to refer to Huawei. The Commerce Department added Huawei to the “Entity List,” citing national security concerns, which effectively bars companies from supplying U.S.-made technology to Huawei without a license.
Despite the company’s denial, it is very evident that Huawei is complicit in Chinese, and now African, government spying.
Other Chinese Projects in Kenya
The Chinese government has been overseeing construction projects in Kenya, including buildings, roads, and the Kenya Standard Gauge Railway (SGR).
However, some projects have been criticized for irregularities, such as the construction of Hazina Towers, a project funded by the National Social Security Fund (NSSF).
In April 2024, China Jiangxi International Limited Kenya’s Director was unable to account for the money paid for the downsized building.
The Senate’s Public Investment Committee raised concerns over the company’s refusal to pay NSSF the project mobilization fees.
On May 1, Busia Senator Okiya Omtatah filed a petition to uncover an alleged Ksh777 billion overpayment of funds through the SGR to Chinese constructors, claiming the excess billions were paid to China Roads and Bridge Corporation (CRBC) at taxpayers’ expense.
Apple sent out threat notifications to users in 92 countries on Wednesday, informing them that they may have been the target of “mercenary spyware attacks,” a warning that comes as several countries are preparing to hold critical elections.
What you need to know
Apple updated the security notice on its website Wednesday, which states that threat notifications are “designed to inform and assist users who may have been individually targeted by mercenary spyware attacks.”
According to several Indian news outlets, including the Economic Times and the Indian Express, some iPhone users in the country received notifications from Apple alerting them of an attack “that is trying to remotely compromise the iPhone associated with your Apple ID.”
The notification informed the user they were likely being targeted specifically “because of who you are or what you do,” and urged them to take it “seriously.”
The reports do not name any individuals in India who received the notifications, but it comes just a week before the start of the country’s six-week general elections—the world’s largest democratic exercise.
Apple doesn’t include specific steps for users who have received the notifications, other than urging them to enlist help from cybersecurity experts.
BIG NUMBER
150. That’s the number of countries in which iPhone users have received threat notifications since 2021, the company said.
KEY BACKGROUND
In October, Apple sent out similar notifications to several prominent political leaders in India who represented opposition parties. Rahul Gandhi, the top leader of Congress—India’s main opposition party—told reporters he and several members of his and other opposition parties had received notifications that their iPhones were being targeted by “state-sponsored attackers.” At the time, Gandhi called out Prime Minister Narendra Modi’s government and accused them of carrying out the attack. Prominent activists and journalists who are critical of the Modi government also received the notification at the time. Apple confirmed it had sent out the notifications but said it had not attributed it to a “specific state-sponsored attacker.” In late December, Amnesty International said it had conducted a forensic investigation to confirm Apple’s findings and said NSO Group’s Pegasus spyware was used to carry out the attacks. Indian authorities publicly denied carrying out the attacks but, according to the Washington Post, they reportedly pressured Apple to “come up with alternative explanations for the warnings to users,” to ease the political fallout.
On March 2, 2017, Mexican journalist Cecilio Pineda took out his mobile phone and in a Facebook live broadcast spoke about alleged collusion between state and local police and the leader of a drug cartel. Two hours later, he was dead – shot at least six times by two men on a motorcycle.
It was a few weeks later that Forbidden Stories – a global network of journalists engaged in investigations – confirmed that not just Pineda, but also the state prosecutor who investigated the case, Xavier Olea Pelaez, were the targets of Israel’s Pegasus spyware in the weeks and months before his murder.
Pineda’s phone was also never found, as it had disappeared from the crime scene by the time the authorities had arrived.
Two weeks after Washington Post columnist Jamal Khashoggi was killed in the Saudi Consulate in Istanbul, Turkey in October 2018, the digital rights organization Citizen Lab reported that a close friend of Khashoggi, Omar Abdulaziz, had been targeted with Pegasus software developed by NSO Group Technologies — an Israeli technology firm.
New revelations from Forbidden Stories and its partners have found that Pegasus spyware was successfully installed on the mobile phone of Khashoggi’s fiancée, Hatice Cengiz, just four days after his murder. The phone of Khashoggi’s son, Abdullah, was selected as a target of an NSO client based on the consortium’s analysis of the leaked data.
Overall, the phones of 180 journalists around the world are claimed to have been selected as targets by clients of NSO Group Technologies. Its spyware Pegasus enables the remote surveillance of smartphones.
Forbidden Stories, which conducted investigations along with Amnesty International’s Security Lab, found that the phones of many politicians, civil society activists and even judges were being monitored in many countries, breaching privacy laws.
According to Forbidden Stories, they had access to a leak of more than 50,000 records of phone numbers belonging to journalists, politicians, officials, activists and even judges that NSO clients had selected for surveillance.
Forensic analysis
The forensic analyses of their phones – conducted by Amnesty International’s Security Lab and peer-reviewed by the Canadian organization Citizen Lab – were able to confirm infection or attempted infection with NSO Group’s spyware in 85% of cases.
“The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” said Agnes Callamard, secretary-general of Amnesty International.
NSO Group, in a written response to Forbidden Stories, said the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories” and reiterated that the company was on a “life-saving mission”.
“The alleged amount of leaked data of more than 50,000 phone numbers cannot be a list of numbers targeted by governments using Pegasus,” it added.
NSO Group maintains that its technology is used exclusively by intelligence agencies to track criminals and terrorists. According to NSO Group’s Transparency and Responsibility report released in June this year, the company has 60 clients in 40 countries around the world.
Pegasus “is not a mass surveillance technology and only collects data from the mobile devices of specific individuals suspected to be involved in serious crime and terror,” NSO Group wrote in the report.
In India, the phone of Paranjoy Guha Thakurta, an investigative journalist and author of several books, was hacked in 2018.
Quoting Thakurta, Forbidden Stories said he was targeted when he was working on an investigation into the finances of the famous Ambani business group.
“The purpose of getting into my phone and looking at who are the people I’m speaking to would be to find out who are the individuals who have been providing information to me and my colleagues,” he said.
Thakurta is one of at least 40 Indian journalists selected as targets of an NSO client in India, based on the consortium’s analysis of the leaked data.
The phones of two of the three cofounders of the independent online news outlet The Wire – Siddharth Varadarajan and MK Venu – were both infected by Pegasus, with Venu’s phone hacked as recently as July.
Top journalists targeted
Several other journalists who work for or have contributed to the independent news outlet The Wire – including columnist Prem Shankar Jha, investigative reporter Rohini Singh, diplomatic editor Devirupa Mitra and contributor Swati Chaturvedi – were all selected as targets, according to the records accessed by Forbidden Stories and its partners.
“It was alarming to see so many names of people linked to The Wire, but then there are lots of people not linked to the Wire,” said Varadarajan, whose phone was compromised in 2018.
Addressing parliament on Monday, Information Technology Minister Ashwini Vaishnaw said there is “no substance behind this sensational” claim and that “with checks and balances in place, illegal surveillance [is] not possible.”
“A highly sensational story was published by a web portal last night. Many over-the-top allegations [were] made around this story. The press reports appeared a day before [the] monsoon session of parliament. This can’t be a coincidence,” he said.
He described these revelations as an attempt to malign Indian democracy.
The Committee to Protect Journalists (CPJ) had previously documented 38 cases of spyware – developed by software companies in four countries – used against journalists in nine countries since 2011.
How does Pegasus work?
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), was one of the first security researchers to identify and document cyber-attacks against journalists and human rights defenders in Mexico, Vietnam and elsewhere in the early 2010s.
“Back in 2011, you would receive an email, and the email would go to your computer, and the malware would be designed to install itself on your computer,” she said.
But the installation of Pegasus spyware on smartphones has become subtler. Instead of the target having to click on a link to install the spyware, so-called “zero-click” exploits allow the client to take control of the phone without any engagement on the part of the target.
Once successfully installed on the phone, Pegasus spyware gives NSO clients complete device access and thereby the ability to bypass even encrypted messaging apps like Signal, WhatsApp and Telegram. Pegasus can be activated at will until the device is shut off. As soon as it’s powered back on, the phone can be reinfected.
According to Galperin, Pegasus operators can remotely record audio and video, extract data from messaging apps, use the GPS for location tracking and recover passwords and authentication keys, among other things.
Spying governments have moved in recent years toward a more “hit and run” strategy to avoid detection, she said, infecting phones, exfiltrating the data and quickly exiting the device.
Over the years, governments the world over have moved to gather intelligence using technology instead of humans. In the past, they developed spyware tools in-house until private spyware companies like NSO Group, FinFisher and Hacking Team stepped in to sell their products to governments, according to Galperin.
In June 2021, French spyware company Amesys was charged with “complicity in acts of torture” for selling its spyware to Libya from 2007-2011. According to plaintiffs, in that case, information gleaned through digital surveillance was used to identify and hunt down opponents of deposed dictator Muammar Gaddafi, who were later tortured in prison.
The revelations stemming from this international collaborative investigation have thrown into question the safeguards put in place to prevent misuse of cyber weapons like Pegasus and, more specifically, NSO Group’s commitment to creating “a better, safer world.”