The landmark trial between WhatsApp and NSO Group unearthed several new revelations.
# Incident Report: WhatsApp Zero-Click Spyware Attack by NSO Group
## Executive Summary
Beginning in October 2019, NSO Group utilized a zero-click exploit within WhatsApp to compromise over 1,400 users via a sophisticated spyware campaign codenamed "Hummingbird." The attack vector involved sending specially crafted malicious WhatsApp calls that exploited a vulnerability to install Pegasus spyware without any user interaction. This incident was the subject of a long-running legal battle, culminating in a May 2025 jury verdict ordering NSO Group to pay over $167 million in damages to Meta for the unauthorized access.
## Incident Details
- **Discovery Date:** October 2019 (Start of Legal Battle/Initial Attack Period)
- **Incident Date:** Commenced October 2019, with zero-click variants active until at least May 2020.
- **Affected Organization:** WhatsApp (Meta-owned) and its 1,400+ users targeted.
- **Sector:** Technology/Communication Services, Defense Technology (Spyware Vendor)
- **Geography:** Global targeting (victim locations not specified; NSO operations are based in Israel, and customers mentioned include Mexico, Saudi Arabia, and Uzbekistan).
## Timeline of Events
### Initial Access
- **Date/Time:** Starting October 2019.
- **Vector:** Zero-click exploit delivered via a malicious WhatsApp phone call.
- **Details:** NSO Group deployed a system dubbed the "WhatsApp Installation Server" configured to mimic a real chat message/call. The receipt of this call triggered the target phone to contact a third-party server to download the Pegasus spyware. Only the target's phone number was required.
### Lateral Movement
- **Details:** Not explicitly detailed regarding post-compromise lateral movement on the device, but the goal was full device exploitation via Pegasus.
### Data Exfiltration/Impact
- **Details:** The result was the installation of Pegasus spyware, allowing deep surveillance capabilities on the targeted users' phones, enabling intelligence gathering.
### Detection & Response
- **Details:** WhatsApp filed a lawsuit against NSO Group in November 2019. The full scope and details were uncovered during subsequent legal proceedings, which concluded with a jury verdict in May 2025.
## Attack Methodology (Inferred from Trial Testimony)
- **Initial Access:** Zero-click mechanism ("Erised," "Eden," "Heaven" variants) exploiting a WhatsApp vulnerability via a specially placed malicious VOIP call.
- **Persistence:** Implied via the installation of Pegasus spyware.
- **Privilege Escalation:** Not detailed, but Pegasus typically achieves high privilege on the device.
- **Defense Evasion:** Zero-click nature bypasses user awareness and security training.
- **Credential Access:** Likely achieved through Pegasus capabilities post-compromise.
- **Discovery:** Not applicable to this stage, as NSO was the attacker.
- **Lateral Movement:** Not detailed in the context of the initial exploit phase.
- **Collection:** Data gathering capabilities inherent to Pegasus spyware.
- **Exfiltration:** Not detailed, but assumed via NSO infrastructure.
- **Impact:** Unauthorized surveillance and compromise of 1,400+ user devices.
## Impact Assessment
- **Financial:** NSO Group was ordered to pay over $167 million in damages to Meta. NSO disclosed financial struggles, revealing low bank reserves and significant monthly burn rate.
- **Data Breach:** Compromise of 1,400+ WhatsApp users' devices, allowing access to device data and communications.
- **Operational:** Disruption to WhatsApp's service integrity and significant legal resources required to litigate the case.
- **Reputational:** Significant negative public exposure for NSO Group regarding their use of surveillance technology against targets globally.
## Indicators of Compromise
*Note: Since this report details a legal finding about sophisticated state-sponsored malware, specific IOCs are redacted based on defense best practice.*
- **Network indicators:** Malicious outbound connection to a third-party server, initiated after receipt of a specially crafted WhatsApp call (illustrative defanged placeholder only, not an observed indicator: `hxxp://installation-server[.]com`).
- **File indicators:** Installation of proprietary Pegasus framework components (exact hashes unavailable without forensic access).
- **Behavioral indicators:** Unexpected phone activity or system resource usage immediately following an unanswered or missed WhatsApp call.
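The behavioral indicator above follows directly from the initial-access chain (call received, then the phone reaches out to a third-party server). As an added example, not part of the original report or any NSO/WhatsApp artifact, the following script correlates missed or unanswered WhatsApp call events with follow-on outbound connections to hosts outside an allowlist. The log format, field names, allowlist and all hosts and numbers are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed device event log (not real telemetry). One event per line:
#   <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """\
2019-10-10T09:00:01Z whatsapp.call state=missed peer=+10000000001
2019-10-10T09:00:09Z net.connect host=cdn.whatsapp.example port=443
2019-10-10T09:00:14Z net.connect host=update-node.invalid port=443
2019-10-10T12:30:00Z whatsapp.call state=answered peer=+10000000002
2019-10-10T12:31:40Z net.connect host=update-node.invalid port=443
2019-10-10T15:00:00Z net.connect host=update-node.invalid port=443
"""

# Hosts the client is expected to reach (constructed allowlist, an assumption).
ALLOWED_HOSTS = {"cdn.whatsapp.example"}
# How long after the call a follow-on connection is considered suspicious.
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Turn log lines into (timestamp, event_name, fields) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, name, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), name, fields))
    return events


def correlate(events, window=WINDOW, allowed=ALLOWED_HOSTS):
    """Return (call_ts, connect_ts, host) for every outbound connection to a
    non-allowlisted host made within `window` after a missed/unanswered call."""
    calls = [ts for ts, n, f in events
             if n == "whatsapp.call" and f.get("state") in ("missed", "unanswered")]
    alerts = []
    for ts, name, f in events:
        if name != "net.connect" or f["host"] in allowed:
            continue
        for call_ts in calls:
            if call_ts <= ts <= call_ts + window:
                alerts.append((call_ts, ts, f["host"]))
                break  # one alert per connection is enough
    return alerts


if __name__ == "__main__":
    for call_ts, ts, host in correlate(parse(SAMPLE_LOG)):
        print(f"ALERT: {host} contacted {ts - call_ts} after missed call at {call_ts}")
```

Only the connection 13 seconds after the missed call is flagged; the same host contacted after an answered call, or with no call nearby, is not, which keeps the rule tied to the call-triggered download pattern rather than to the host alone.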
## Response Actions (Legal & Remediation)
- **Containment measures:** WhatsApp patched the vulnerability and closed the exploit vector after discovery. NSO Group continued exploiting *other* variants of the zero-click vector until May 2020.
- **Eradication steps:** The specific legal response involved filing a lawsuit in November 2019.
- **Recovery actions:** The successful lawsuit and substantial damage award represent the primary organizational recovery action.
## Lessons Learned
- **Zero-click attacks represent the highest risk vector** as they require zero user interaction, rendering standard awareness training ineffective.
- **Vulnerability management is critical,** even for mature applications like WhatsApp, as state-sponsored actors actively purchase and exploit flaws.
- **Continued malicious activity despite ongoing litigation** (the "Erised" vector remained active until May 2020) shows an intent to maximize compromise opportunities regardless of legal action.
- NSO Group's operations included testing on US phone numbers (+1 prefix) for potential government customers, indicating potential targeting alignment with US interests as well.
## Recommendations
- **Implement rigorous input validation and sanitization** for all VOIP call processing logic within communication platforms to prevent remote code execution from malformed packets.
- **Maintain strict application hardening** to minimize the attack surface accessible via the signaling layer (i.e., phone number registration/signaling).
- **Continuously monitor customer usage** (if applicable to a vendor context) and immediately suspend access upon evidence of abuse, as NSO admitted cutting off 10 customers for misuse.