SAN FRANCISCO — WhatsApp sued the Israeli cybersurveillance firm NSO Group in federal court on Tuesday, claiming the company’s spy technology was used on the popular messaging service in a wide-ranging campaign targeting journalists and human-rights activists.
WhatsApp, which is owned by Facebook, claimed in the lawsuit that an NSO Group program that was intended to piggyback on WhatsApp was used to spy on more than 1,400 people in 20 countries.
The lawsuit did not say who was using NSO Group technology to target WhatsApp users. But the area codes for a number of phones that had been attacked indicated a focus on people in Mexico, Bahrain and the United Arab Emirates.
The filing of the lawsuit, believed to be the first by a tech company against a for-profit digital surveillance company, could be the “beginning of the end” of the rapid and largely unregulated adoption of these surveillance technologies, said John Scott-Railton, a senior researcher at Citizen Lab.
WhatsApp worked closely with Citizen Lab, a research group affiliated with the University of Toronto that aids victims of digital surveillance, in its investigation of the attacks, which took place from April to May.
The messaging service said the victims included 100 journalists, prominent female leaders, several people who had been targeted with unsuccessful assassination attempts, political dissidents and human rights activists — as well as their families.
The suit was filed in the United States District Court in the Northern District of California. NSO Group, which sells its surveillance technology to governments all over the world, said in a statement Tuesday that it disputed the claims in the WhatsApp lawsuit in the “strongest possible terms” and “will vigorously fight them.”
NSO Group added that its technology was used by intelligence and law enforcement agencies in lawful antiterrorism efforts and crime-fighting, and it “has helped to save thousands of lives over recent years.”
The investigation started after Citizen Lab charged that NSO Group’s technology had been used to exploit a WhatsApp security hole to hack the phone of a London lawyer. The hole was patched in May.
The lawyer had represented several plaintiffs in lawsuits that accused NSO Group of providing tools to hack the phones of a Saudi Arabian dissident living in Canada, a Qatari citizen and a group of Mexican journalists and activists. He contacted Citizen Lab.
The researchers said they discovered that NSO technology left digital crumbs that helped them uncover the spy campaign. The weakness: Whoever was using the NSO Group hacking tools had to place a WhatsApp call to their target. Even if the target did not pick up the phone, NSO’s technology would become embedded in the phone and provide access to all of its contents.
The missed calls, however, tipped off the lawyer, he told The New York Times.
After WhatsApp patched the security hole, NSO employees lamented that the company closed off a major espionage channel. An NSO employee even told a WhatsApp employee in a message: “You just closed our biggest remote for cellular,” according to the WhatsApp complaint.
Citizen Lab and WhatsApp would not name the individuals targeted, citing privacy policies.
WhatsApp said in a statement that it was informing affected customers with special WhatsApp messages. The company is seeking a permanent injunction to block NSO from its service, and called on lawmakers to ban the use of cyberweapons like those sold by NSO Group to governments.
“This should serve as a wake-up call for technology companies, governments and all internet users,” Will Cathcart, the head of WhatsApp, wrote in an opinion article in The Washington Post on Tuesday. “Tools that enable surveillance into our private lives are being abused and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
Mr. Cathcart also urged technology firms to join a call from the United Nations special rapporteur, David Kaye, for an immediate moratorium on the sale, transfer and use of dangerous spyware.
NSO Group is one of dozens of digital spy outfits that provide technology to track everything a target does on a smartphone. Its spyware allows governments to track the location, communications, contacts and web activities of targets. But such access can be easily abused.
NSO Group has said in the past that it limits the sale of hacking tools to governments with poor human-rights records, but it has little insight into how its tools are used once they are in government hands. The company has said it only learns and investigates cases of abuse when they surface in the media.
NSO Group’s technology has repeatedly been discovered on the phones of civilians.
In 2017, The Times helped uncover the use of NSO spyware on journalists, dissidents and consumer rights activists in Mexico. Since then, the spyware has been uncovered on the phone of the wife of a murdered Mexican journalist and, last year, on the phone of a close confidant of Jamal Khashoggi, a journalist whose murder was linked by United States intelligence services to the Saudi Arabian government.
The WhatsApp complaint that was filed on Tuesday claims that NSO Group is closer to the deployment of its spyware than it portrays to the public. WhatsApp traced several servers that deployed NSO’s spyware back to internet addresses operated directly by NSO Group. The company leased servers — including servers in the United States — from Amazon and two other cloud services called Choopa and Quadranet, to help deploy its spyware, the lawsuit said.
Amazon did not return a request for comment.
Since NSO Group was founded in 2011, its spy technology, called Pegasus, has become the preferred mobile spy tool of many governments. An early NSO commercial proposal leaked to The Times claimed Pegasus could overcome encryption to grant “unlimited access” to everything on a target’s mobile device.
“Pegasus silently deploys invisible software on the target device,” the company’s early pitch read. “Installation is performed remotely over-the-air, does not require any action from or engagement with the target and leaves no trace whatsoever on the device.”
For years, commercial spyware makers have been unregulated, in part because governments are the clients.
“They get close to governments and when those governments do bad things with their products, commercial spyware companies can claim it’s not their fault,” said Mr. Scott-Railton, of Citizen Lab.
Earlier this year, Novalpina Capital, a private equity firm, acquired a stake in NSO Group. The firm has been trying to help NSO Group polish its image, highlighting the use of its technology in notable crime fighting, like the arrest of Joaquín Guzmán, the drug cartel leader known as El Chapo.
Stephen Peel, Novalpina Capital’s founding partner, said in a letter to human rights groups that the company was determined to make sure its technology was used for “the prevention of harm to fundamental human rights arising from terrorism and serious crime,” and not abused.
But Citizen Lab said in a statement that it had repeatedly raised questions to Novalpina about whether its public statements about human rights compliance made any difference, given how frequently NSO’s spyware had been abused.