NSO Group Ordered to Surrender Spyware Source Code to Meta

Sophia Taylor

By Sophia Taylor


In a groundbreaking legal development, a U.S. judge has directed the NSO Group, an Israeli spyware firm, to release its source code for the infamous Pegasus software and other remote access trojans to Meta, amid the tech giant’s extensive lawsuit against NSO. This decision represents a significant triumph for Meta in its ongoing battle against cyber espionage.

Background of the Case

Meta initiated this lawsuit in October 2019, accusing NSO Group of exploiting its platforms to distribute Pegasus. The spyware was used to infiltrate around 1,400 mobile devices between April and May 2019, targeting activists and journalists in India, among others.

The attackers exploited a critical zero-day vulnerability (CVE-2019-3568) in the instant messaging app’s voice call function, allowing Pegasus to be delivered simply by placing a call. Notably, the attack was effective even if these calls went unanswered, and it cleverly erased call information from logs to avoid detection.

NSO Group’s Legal Obligations

Recent court documents reveal that NSO Group must disclose comprehensive details about Pegasus’s functionalities for a specific period (April 29, 2018, to May 10, 2020). However, the company is not required to reveal information about its server architecture or its clientele.

Responses to the Ruling

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, expressed a mix of satisfaction and disappointment at the ruling. “While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.”

NSO Group’s Controversial History

NSO Group faced U.S. sanctions in 2021 for supplying cyber weapons to foreign governments. These tools were reportedly used to target various individuals, including government officials and journalists.