At least nine U.S. State Department employees had their iPhones hacked by unknown attackers wielding Pegasus spyware from the Israel-based NSO Group. The attacks occurred over several months, Reuters reported Friday.
Reuters said the hacks infiltrated iPhones belonging to Uganda-based U.S. officials or others working on matters concerning that East African country.
The intrusions represent the most significant known hacks of U.S. officials through NSO’s spyware, though others have likely been attempted, Reuters reported. It couldn’t pinpoint who launched the latest cyberattacks, however.
NSO said it plans to investigate
For its part, NSO Group said Thursday it did not have any indication its tools were used. But the group said it canceled the relevant accounts and planned to investigate.
“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place,” said an NSO spokesperson. NSO will “cooperate with any relevant government authority and present the full information we will have,” they added.
It has long been NSO’s stance that it sells its products only to government law enforcement and intelligence clients. It said it does so to assist them in monitoring security threats. NSO has denied direct involvement in surveillance operations.
Ugandan embassy officials in Washington, D.C., did not comment, and an Apple spokesperson declined to comment, Reuters said.
Also declining to comment about the hacks, a State Department spokesperson pointed to the Commerce Department’s recent decision to add NSO to an entity list. That makes it more difficult for U.S. companies to work with the group.
NSO Group and one other spyware maker were “added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” the Commerce Department announced in November.
Not difficult to identify
NSO software can capture encrypted messages, photos and other sensitive information from infected phones. It can also turn the phones into recording devices, Reuters noted.
An alert Apple sent to users with infected iPhones did not name the creator of the spyware used in the hack. Victims notified by Apple could be identified as U.S. government employees because they had associated email addresses ending in “state.gov” with their Apple IDs.
The spyware infected the phones of those victims, and of other targets in multiple countries, through the same graphics-processing vulnerability, which Apple did not fix until September, sources told Reuters.
Since February or earlier, the flaw allowed some NSO customers to seize control of iPhones by sending invisible iMessage requests to the device, said researchers investigating the situation.
A successful hack required no awareness by or input from victims. It would simply allow installation of Pegasus spyware.
NSO has stated its technology inhibits terrorism. The group said it installed controls to stop or reduce spying on innocent targets. Its system can’t infect phones with phone numbers starting with the country code +1, for example. In the Uganda case, targeted officials were using foreign phone numbers.
Biden administration response
Speaking on condition of anonymity, a senior Biden administration official said the threat to U.S. personnel in other countries was one reason the administration is confronting organizations like NSO and pursuing international dialogue about limits on spying.
The official referred to “systemic abuse” involving Pegasus spyware in various countries.
NSO Group’s most well-known past clients include Saudi Arabia, the United Arab Emirates and Mexico.
NSO is closely tied to Israel’s defense and intelligence communities. The Israeli Ministry of Defense must approve export licenses for the sale of the group’s technology internationally.
The Israeli embassy in Washington said in a statement that targeting American officials constitutes a major breach of its rules.
“Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes,” an embassy spokesperson said. “The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions.”