Senior government officials in multiple US-allied countries were targeted this year by hacking software using Facebook WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation.
Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of known victims are high-profile government and military officials across at least 20 countries on five continents. Many nations are US allies, they said.
The hacking of a wider group of top government officials’ smartphones than previously reported suggests the WhatsApp cyber intrusion could have political and diplomatic consequences.
WhatsApp filed a lawsuit against Israeli hacking tool developer NSO Group. The Facebook-owned software giant alleges NSO built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into cellphones of at least 1 400 users.
The total number of WhatsApp users hacked could be higher. A London-based human rights lawyer, also a target, sent Reuters photographs showing attempts to break into his phone dating back to April 1.
While it is not clear who used the software to hack officials’ phones, NSO said it sells spyware exclusively to government customers.
Some victims are in the United States, United Arab Emirates, Bahrain, Mexico, Pakistan and India, said people familiar with the investigation.
Some Indian nationals went public with allegations they were among the targets over the past couple of days; they include journalists, academics, lawyers and defenders of India’s Dalit community.
NSO said in a statement it was “not able to disclose who is or is not a client or discuss specific uses of its technology.” Previously it denied wrongdoing, saying its products help governments catch terrorists and criminals.
Cybersecurity researchers cast doubt on the claims, saying NSO products were used against a wide range of targets, including protesters in countries under authoritarian rule.
Citizen Lab, an independent watchdog group that worked with WhatsApp to identify the hacking targets, said at least 100 victims were civil society figures such as journalists and dissidents, not criminals.
John Scott-Railton, a senior researcher at Citizen Lab, said it was not surprising foreign officials would be targeted.
“It is an open secret that many technologies branded for law enforcement investigations are used for state-on-state and political espionage,” Scott-Railton said.
Prior to notifying victims, WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases. The company found no overlap, said a person familiar with the matter. Governments can submit requests for information to WhatsApp through an online portal.
WhatsApp sent warning notifications to affected users earlier this week. The company declined to comment on the identities of NSO clients, who chose the targets.