The legal case between Facebook and Israeli spyware vendor NSO Group is beginning to provide the details technology and cybersecurity experts have been waiting for since Facebook filed the lawsuit in October 2019.

In court documents filed yesterday, Facebook said it linked 720 instances of attacks on WhatsApp users to a single IP address.

The attacks took place against WhatsApp users in the spring of 2019. The exploit used in the attacks was a zero-day in WhatsApp's VoIP function.

Facebook sued NSO last year for developing the exploit and making it available to its customers (foreign governments), who then used it to hack WhatsApp users.

The targets numbered more than 1,400 users, according to Facebook's count, and included the likes of lawyers, journalists, human rights activists, political dissidents, diplomats and government officials.

The exploit had the ability to infect a phone with the Pegasus malware, which then pinged NSO command-and-control servers for instructions on what commands to run and what data to steal.

Hundreds of attacks linked to a US server

“I reviewed the malicious code sent during the attack described in the lawsuit,” said Claudiu Gheorghe, head of WhatsApp software engineering, in court documents filed by Facebook’s legal team last night.

“This malicious code was designed to cause a WhatsApp user’s mobile device to connect to a remote server not associated with WhatsApp. The remote server’s IP address was included in the malicious code,” Gheorghe said.

“In 720 cases of attack, the IP address of the remote server was 104.223.76.220. In three cases of the attack, the IP address of the remote server was 54.93.81.200,” Gheorghe added.

The first of these IPs, and the most frequently observed by WhatsApp engineers, belongs to QuadraNet Enterprises LLC, a Los Angeles-based data center provider.

The small detail of which IP address a hacked WhatsApp user's device reported to is now crucial to the case after, earlier this month, the NSO Group legal team filed a motion to dismiss the case, citing a long list of reasons, including the lack of jurisdiction of a California court to preside over the case.

But Facebook’s legal team says the argument is flawed because NSO has been taking funding from a California-based private equity firm and has relied on servers located in the state.

“To execute its scheme and install its spyware on WhatsApp users’ devices, NSO separately signed a contract with a California-based technology company, QuadraNet, that included a California law choice clause,” Facebook said, arguing that its lawsuit should be allowed to continue.

Facebook: NSO is not immune because it sells to governments

In its 35-page document, Facebook also provided counter-arguments to all items raised by the NSO motion to dismiss the case earlier this month.

While most of the document is legal sword-fighting between two costly legal teams, there is another interesting issue that both teams raise.

Earlier this month, the NSO legal team argued that the company should be immune from prosecution because it was hired by a foreign government.

In its counter-argument, Facebook claimed that NSO has not produced evidence, such as a contract, that it works for any foreign government or that there is any law granting immunity to contractors acting on behalf of a government.

Facebook said last year, and reiterated yesterday, that the hacks caused reputational damage to its WhatsApp product and that it now wants NSO to be held accountable and liable for the damage.

In a statement last year, NSO told ZDNet that its product had been designed to help law enforcement and intelligence services fight terrorism and serious crime.

An NSO spokesman did not return a request for comment on Facebook’s counter-motion.