Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software developed by the Israeli NSO Group that used WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation.
Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents.
The hacking of a wider group of top government officials’ smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences.
WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool developer NSO Group. The software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users.
While it is not clear who used the software to hack officials’ phones, NSO says it sells its spyware exclusively to government customers.
Some victims are in the United States, United Arab Emirates, Bahrain, Mexico, Pakistan and India, said people familiar with the investigation. Reuters could not verify whether victims from these countries included government officials.
The revelation comes as more than a dozen Indian journalists and human rights activists said on Thursday they were also targeted.
NSO did not immediately respond to a request for comment. Previously it has denied any wrongdoing, saying its products are only meant to help governments catch terrorists and criminals.
Over the last several years, cybersecurity researchers have found NSO products used against a wide range of targets, including protesters in countries under authoritarian rule. The use of these tools to target high-profile politicians, however, is less understood.
An independent research group working with WhatsApp, named CitizenLab, said at least 100 of the victims are journalists and dissidents, not criminals.
WhatsApp has said it sent warning notifications to affected users earlier this week.
“It is an open secret that many technologies branded for law-enforcement investigations are used for state-on-state and political espionage,” said John Scott-Railton, a senior researcher with CitizenLab.
Prior to notifying victims, WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases. But the company found no overlap, said a person familiar with the matter. Governments can submit such requests for information to WhatsApp through an online portal the company maintains.
WhatsApp did not identify the clients of NSO Group, who ultimately chose the targets.