Spyware group admits to severing ties due to client misuse of its spyware.
On Thursday, a legal victory was achieved, persuading a US federal judge to publicly release three court documents, including new disclosures about the inner workings of spyware developed by the Israeli surveillance technology manufacturer NSO Group.
Links to the three legal documents:
https://s3.documentcloud.org/documents/25318663/reply-brief-in-support-of-whatsapp-summary-judgment_-unsealed.pdf
https://s3.documentcloud.org/documents/25318662/whatsapp-opposition-to-nso-motion-for-summary-judgment_-unsealed.pdf
https://s3.documentcloud.org/documents/25318661/wa-motion-for-summary-judgment_-unsealed.pdf
The newly unsealed documents include testimonies from employees during legal proceedings, internal company documents, and ironically, messages exchanged among employees, which were obtained through the issuance of subpoenas.
The document also reveals that in recent years, access to the (Pegasus) spyware has been cut off for a number of government clients due to service abuse.
The newly disclosed information pertains to the latest developments in a lawsuit filed in [Year], which alleges that [Defendant] violated the anti-hacking law, the Computer Fraud and Abuse Act, and breached [Company]'s terms of service by accessing [Company] servers and sending spyware to individual users via a chat application. These allegations are based on a series of cyberattacks targeting [Company] users.
The spokesperson stated: "The disclosed evidence clearly demonstrates how the actions violated U.S. law and launched cyber attacks against journalists, human rights activists, and civil society. We will continue to work to hold them accountable and protect our users."
"Tens of thousands" of potential targets
According to court documents seen, a set of hacking tools was developed to target users of , capable of accessing private data on the target's phone. This set of hacking tools is known as "Hummingbird", with two vulnerabilities referred to as "Eden" and "Paradise".
Court documents show that the software suite cost government clients (i.e., police departments and intelligence agencies) up to $1 million for an annual license, bringing in at least $10 million in revenue for the company in 2022.
According to the testimony of the R&D director, using these hacking tools, they installed on "hundreds to tens of thousands" of target devices. So far, it remains unclear who sent the malicious messages to individuals using spyware. Over the years, they have consistently claimed to be unaware of their clients' operations and did not participate in targeted cyberattacks. The newly released court documents cast doubt on some of their claims.
In a court filing, it is argued that "the client's role is minimal" because the government client only needs to enter the target device's phone number and press "install," and the spyware will remotely install an agent on the device without any further involvement. In other words, the client simply orders the data from the target device, and the company, through its design, controls every aspect of the data retrieval and transmission process. The court filing quotes an employee as saying that whether to use a message trigger (vulnerability) "is our decision," the trigger being one of the vulnerabilities the company offers to its clients.
When contacted, the spokesperson said in a statement to the media: "We stand by our previous statement, in which we have detailed on multiple occasions that the system is operated solely by our clients, and neither we nor our employees have access to the intelligence collected by the system. We believe that these allegations, like many others in the past, will be proven false in court, and we look forward to having the opportunity to do so."
The three attacks targeted users. A document described a technique that allowed its clients to target users by setting up what the company called an "installation server" or something referred to as a "fake client." This was actually a modified version of the application developed by , used to send messages (including their malicious exploits) to ordinary users. According to a court document, admitted to setting up real accounts for its clients. According to 's internal communications, was able to defeat 's "" and "" vulnerabilities through patches and security updates.
"Eden/Paradise/Hummingbird Announcement" This is a message sent to employees. Court documents show that the vulnerability was active before the year, aiming to guide target devices to communicate with malicious relay servers controlled by . After patched its system for the vulnerability, developed a new vulnerability named "", according to court documents citing a employee, which "requires going through relay servers," while the vulnerability attempted to avoid this. Another employee's testimony claims that it was the use of the vulnerability that led to suing .
The third vulnerability disclosed in the document is named "", which is a so-called "zero-click" vulnerability that can infiltrate a victim's phone without any interaction from the victim. blocked the use of the vulnerability in month, year, several months after filed the lawsuit.
Another interesting detail that surfaced this week is that an employee who testified during the lawsuit admitted that it was used against Princess Haya of Dubai. The Guardian and The Washington Post reported on the case in , and The New Yorker covered it in . The same employee also stated that the spyware manufacturer "cut off" access to for clients due to the misuse of the spyware.
Currently, a motion for summary judgment in this case is being requested from the judge and a ruling is awaited. The details disclosed in the litigation this week could be helpful for those suing in other countries. The insistence on legal action has ultimately yielded some benefits. Although they did not share much information (especially code, customer lists, etc.), the information they did share has been very useful for this case and the global legal cases against them. The fact that they concealed information is a double-edged sword, as it also makes it difficult for them to present a solid defense.