In the beginning, hacking was a hobby, carried out by people just to prove that they could. In most cases, these attacks were not designed to cause any damage to the target.
In recent years, cybercrime has become professionalized as cybercriminals exploit vulnerabilities in organizations’ cyber defenses to steal money or sensitive and valuable data. This increase in financially motivated hacking gives organizations ample reason to try to take legal action against attackers. A recent example of an attempt to bring hackers to court is Facebook suing the NSO Group, an Israeli company that specializes in selling exploits to governments for surveillance purposes, for exploitation of a buffer overflow vulnerability in WhatsApp. While Facebook has ample reason to sue and some convincing evidence, the company may have trouble getting the case to stick.
Facebook Sues NSO Group Over Exploitation of WhatsApp Flaw
In May 2019, a buffer overflow vulnerability was discovered in Facebook’s WhatsApp mobile application. The vulnerability was serious because it required no user interaction to allow an attacker to gain access to the device. The vulnerability was in how the application parsed the data sent as part of a WhatsApp call. When a call is initiated in WhatsApp, data is sent to the recipient’s device. While unpacking and interpreting this data, WhatsApp failed to check the size of a chunk of data before copying it into a pre-allocated memory buffer.
As a result, if an attacker included more data than would fit in the allocated space, the attacker could change other values within the app. This could allow an attacker to execute their own code on the target device, and, since this process happens as soon as a phone call is initiated, the target doesn’t even need to answer the call to be attacked.
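The copy-without-a-size-check pattern described above is a classic stack buffer overflow. The following is an added illustration, not WhatsApp's code and not based on the real call-setup format: a constructed length-prefixed "chunk" layout (a 16-bit big-endian length followed by the payload) is unpacked into a fixed 64-byte buffer. The first unpacker trusts the declared length and copies it straight into the buffer, which is the bug class; the second checks the declared length against both the bytes actually present and the destination capacity before copying. The packet builder and the demo_* helpers are also constructed for this example.

```c
/* Added example: a length-prefixed chunk parser in its vulnerable and hardened
 * forms. The wire format here is constructed for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK_BUF_SIZE 64          /* fixed destination buffer, as in the bug class */

enum unpack_status {
    UNPACK_TRUNCATED = -1,         /* packet shorter than its header claims */
    UNPACK_TOO_LARGE = -2          /* payload would not fit the destination */
};

/* Vulnerable pattern: the declared length is trusted for the copy and never
 * compared with the capacity of 'out'. A declared length above CHUNK_BUF_SIZE
 * overruns the destination; this variant must only be called with fitting input. */
static int unpack_chunk_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *out)
{
    if (pkt_len < 2) return UNPACK_TRUNCATED;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (pkt_len - 2 < declared) return UNPACK_TRUNCATED;
    memcpy(out, pkt + 2, declared);                 /* missing: declared <= capacity */
    return (int)declared;
}

/* Hardened pattern: the destination capacity is part of the function contract
 * and is checked before any byte is copied. */
static int unpack_chunk(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt_len < 2) return UNPACK_TRUNCATED;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (pkt_len - 2 < declared) return UNPACK_TRUNCATED;
    if (declared > out_cap) return UNPACK_TOO_LARGE; /* the check the bug class omits */
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

/* Builds a constructed packet: 'declared' goes into the header, 'actual' bytes of
 * 'fill' follow it. Returns the packet size, or 0 if it does not fit in 'buf'. */
static size_t make_packet(uint8_t *buf, size_t buf_cap, uint16_t declared,
                          uint16_t actual, uint8_t fill)
{
    if (buf_cap < 2u + actual) return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xff);
    memset(buf + 2, fill, actual);
    return 2u + actual;
}

/* Scenario 1: a 16-byte payload fits; both unpackers return 16. */
static int demo_fits(void)
{
    uint8_t pkt[512], out[CHUNK_BUF_SIZE];
    size_t n = make_packet(pkt, sizeof pkt, 16, 16, 'A');
    int safe = unpack_chunk(pkt, n, out, sizeof out);
    int vuln = unpack_chunk_vulnerable(pkt, n, out);
    return (safe == 16 && vuln == 16 && out[0] == 'A' && out[15] == 'A') ? 16 : -1;
}

/* Scenario 2: a 200-byte payload against a 64-byte buffer. The hardened unpacker
 * rejects it; the vulnerable one would have written 136 bytes past the buffer. */
static int demo_too_large(void)
{
    uint8_t pkt[512], out[CHUNK_BUF_SIZE];
    size_t n = make_packet(pkt, sizeof pkt, 200, 200, 'B');
    return unpack_chunk(pkt, n, out, sizeof out);   /* UNPACK_TOO_LARGE */
}

/* Scenario 3: the header claims 200 bytes but only 50 arrived. */
static int demo_truncated(void)
{
    uint8_t pkt[512], out[CHUNK_BUF_SIZE];
    size_t n = make_packet(pkt, sizeof pkt, 200, 50, 'C');
    return unpack_chunk(pkt, n, out, sizeof out);   /* UNPACK_TRUNCATED */
}

int main(void)
{
    printf("fits: %d, too large: %d, truncated: %d\n",
           demo_fits(), demo_too_large(), demo_truncated());
    return 0;
}
```

Note that the declared length is checked twice in the hardened version: once against the bytes actually received (so the parser does not read past the packet) and once against the destination capacity (so it does not write past the buffer). Both reads and writes beyond a buffer are memory-safety bugs; the article's vulnerability is the second kind.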
During the course of the investigation into the WhatsApp vulnerability, the NSO Group, a company that sells spyware to governments, was accused of exploiting this vulnerability. Targets included a UK-based human rights lawyer and other individuals that a government may wish to monitor. Recently, Facebook has opened a lawsuit against the NSO Group for their alleged role in weaponizing and selling the WhatsApp exploit. The basis of the lawsuit is that the attack used infrastructure previously associated with the NSO Group and that the exploit was not used for “legitimate policing efforts”, instead targeting political activists, mainly in Bahrain, the UAE, and Mexico.
The Challenge of Cyber Attribution
Facebook’s attempt to bring the NSO Group to court for exploitation of the WhatsApp vulnerability will be challenging, but not because it is difficult to prove that the vulnerability was exploited. The WhatsApp security team had independently discovered the vulnerability and was working on a fix before publicly announcing it. During this process, they detected an attempted attack against a UK-based human rights lawyer that exploited the known vulnerability. Although this initial attack failed, the attacker sent a follow-up exploit, indicating that the exploitation process had been automated. WhatsApp’s ability to monitor this process provides ample evidence that the vulnerability was under active exploitation.
The main challenge for Facebook in this legal case will be proving that the NSO Group was the one behind the attack. Logically, Facebook has good reason to suspect the NSO Group. The NSO Group’s core business is selling exploits to third parties, and it has a history of selling spyware (named Pegasus) to governments to help them monitor individuals. Additionally, infrastructure used by the attacker exploiting the WhatsApp flaw has previously been linked to the NSO Group.
This evidence is hardly conclusive, and attribution of cyberattacks is known to be difficult. Part of the cyber attribution problem is that many cyber threat actors work to cover their tracks by using infrastructure that cannot be directly linked to them. However, this is not the limit of the challenges associated with cyber attribution. Some hacking groups are known to impersonate other hacking groups in order to make attribution more difficult.
One example is when Turla, a Russian hacking group, impersonated the Iranian Oilrig APT. This included using Oilrig’s tools and backdoors to gain access to and exploit systems. Turla has a history of using these tactics, including attacks against the 2018 Winter Olympics while impersonating South Korea using tools associated with a North Korean hacking group.
These “false flag” operations make it difficult to authoritatively link a given cyberattack to a particular source. While the exploitation of the WhatsApp vulnerability certainly seems to point to the NSO Group, it could also be a false flag operation by another group. This uncertainty will make Facebook’s efforts to hold the NSO Group accountable in court difficult, since they need to prove the involvement of the NSO Group “beyond a reasonable doubt”.
The Implications of Poor Cyber Attribution
The anonymity provided by the Internet is invaluable to cybercriminals since it makes it much more difficult to tie a cyberattack to its perpetrators. The difficulty of cyber attribution is exacerbated by “false flag” operations where one advanced persistent threat (APT) or cybercrime group impersonates the tactics and tools of another.
Legal action requires proof, and proof is hard to come by for cybercrimes: establishing the identity of an attacker beyond “reasonable doubt” is difficult, as Facebook will likely find in its prosecution of the NSO Group for allegedly hacking WhatsApp. This legal difficulty has serious implications for organizations’ security, since the perceived lack of consequences only encourages cybercriminals.