Facebook just escalated its lawsuit over surveillance firm NSO Group’s WhatsApp call exploit attacks. The WhatsApp team has filed accusations that NSO relied on US-based servers to stage its spyware attacks using Pegasus software. NSO reportedly used the Los Angeles hosting service QuadraNet “more than 700 times” to infect users with malware, while an Amazon server was also involved. If so, that would directly contradict NSO’s claims that it couldn’t run operations in the US, and support assertions that it’s a hacking service rather than just a software developer.

The Facebook legal team also sought to shoot down NSO’s beliefs that it’s out of jurisdiction and that it has immunity due to its government clientele. Lawyers noted that the company hadn’t named a specific country buying its surveillance offerings, or any other proof that it couldn’t be held responsible for what its clients did. It was trying to “cloak” itself in the immunity of its customers, attorneys said.

In a statement sent to Engadget, the NSO Group has strongly denied that it had a hand in the attacks. It also claimed that its surveillance technology called Pegasus, which it sells to governments around the world, is being used to save lives:

“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.

The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.

We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights — including the right to life, security and bodily integrity — and that’s why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.”

The WhatsApp attackers inserted Pegasus into victims’ phones by calling them — the victims didn’t even have to pick up the phone to be infected. Facebook’s lawsuit says that while the spyware isn’t capable of breaking WhatsApp’s encryption, it can access the messages after they’ve been decrypted on the receiver’s device.

The NSO Group previously confirmed that Pegasus was used to target the phone of a British lawyer, who contacted Citizen Lab and kickstarted the investigation that led to this lawsuit. That lawyer had represented plaintiffs who accused NSO of providing the tools to hack the phones of a Saudi Arabian dissident, as well as of Mexican journalists, among others. The company, however, denied that it uses its own technology to “target any person or organization.” Pegasus, it said, is solely operated by “intelligence and law enforcement agencies,” or its clients, in other words.

WhatsApp head Will Cathcart, however, explained that the company is confident NSO was behind the attacks in a piece published by The Washington Post. “[W]e learned that the attackers used servers and Internet-hosting services that were previously associated with NSO,” he wrote. “In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”

He also wrote:

“NSO has previously denied any involvement in the attack, stating that ‘under no circumstances would NSO be involved in the operating… of its technology.’ But our investigation found otherwise. Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act…

…NSO said in September that ‘human rights protections are embedded throughout all aspects of our work.’ Yet it maintains that it has no insight into the targets of its spyware. Both cannot be true. At a minimum, leaders of tech firms should join U.N. Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.”

While the perpetrators haven’t been identified, there are suspicions that it may be a Middle Eastern country trying to clamp down on criticism of its human rights practices. There was a failed attempt on May 12th to compromise the phone of a UK-based human rights lawyer who helped a Saudi dissident in Canada and helped sue NSO for allegedly sharing in the liability of actions perpetrated by its customers. NSO pitches its software to Middle Eastern intelligence agencies, and rights activists in the region have previously received text messages attempting to install Pegasus on their devices.

WhatsApp has alerted human rights groups and the US Justice Department. It also said the effort had “all the hallmarks” of a private company that works with governments to push spyware. NSO, however, rejected the notion that it was involved. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology,” the company said. It further claimed it screened customers and investigated abuse, including the attack on the UK lawyer.

The flaw should be fixed as you read this. WhatsApp delivered a server-side fix on May 10th, and release patched versions of its apps on May 13th. However, that doesn’t address accusations that companies like NSO, Hacking Team and others have knowingly sold spyware to countries with histories of cracking down on dissidents. There are efforts to curtail these relationships, such as an imminent challenge to NSO Group’s export abilities on May 15th. Unless those efforts are successful, though, it may be difficult to prevent spyware campaigns like this.