Govt officials among 1400 WhatsApp users targeted in 2019: WhatsApp CEO

An aerial view shows the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel on 22 July 2021

Senior government officials from across the world, including individuals in high national security positions who are “allies of the US”, were targeted by governments using the NSO Group spyware in a 2019 attack against 1,400 WhatsApp users, according to the messaging apps Chief Executive Officer, The Guardian reported.

WhatsApp CEO Will Cathcart disclosed the new details about individuals who were targeted in the attack after revelations this week by the Pegasus Project, a collaboration of 17 media organisations which investigated NSO, the Israeli company that sells its powerful surveillance software to government clients around the world.

Cathcart said that he saw parallels between the attack against WhatsApp users in 2019, which is now the subject of a lawsuit brought by WhatsApp against NSO, and reports about a massive data leak which are at the centre of the Pegasus Project.

“The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then,” Cathcart said in an interview with The Guardian.

In addition to the “senior government officials”, WhatsApp found that journalists and human rights activists were targeted in the 2019 attack against its users. Many of the targets in the WhatsApp case, he said, had “no business being under surveillance in any way, shape, or form”, the report said.

If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure
Will Cathcart, WhatsApp CEO

“This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone,” he said.

As per the report, Cathcart questioned NSO’s claim that the figure was in itself “exaggerated”, saying that WhatsApp had recorded an attack against 1,400 users over a two-week period in 2019.

“That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” he said, adding: “That’s why we felt it was so important to raise the concern around this.”

When WhatsApp says it believes its users were “targeted”, it means the company has evidence that an NSO server attempted to install malware on a user’s device, The Guardian said.

When WhatsApp announced two years ago that its users had been targeted by the NSO malware, it said 100 of the 1,400 targets were journalists, human rights defenders and activists. The users were targeted through a WhatsApp vulnerability that was later fixed.

As per the report, Cathcart said he had discussed the 2019 attack against WhatsApp users with governments around the world.

He also praised the recent moves by Microsoft and others in the technology industry who are speaking out about the dangers of malware, and called on Apple -- whose phones are vulnerable to malware infections -- to adopt their approach, according to the report.

An illustration shows a person taps on the WhatsApp logo on his shamrtphone
File photo

“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’,” Cathcart was quoted as saying.

“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure,” he added.

He also called on governments to help create accountability for spyware makers, the report said.

The Guardian reported that WhatsApp had launched its lawsuit against NSO in late 2019, claiming that the Israeli company was responsible for sending malware to WhatsApp users’ phones.

A judge in the case pointed out that the underlying facts in the case -- that malicious code owned by NSO was sent through WhatsApp’s service -- did not appear to be disputed. Instead, the lawsuit revolved around whether NSO’s “sovereign customers” were to blame, or the company itself, the report said.