At least nine employees of the US State Department working in or with Uganda had their iPhones hacked with spyware made by NSO Group, according to a report from Reuters. The Wall Street Journal has corroborated the story, putting the number of US and Ugandan embassy workers hacked at 11. While it’s unclear who carried out the attacks, NSO Group says it only sells its software to government organizations that have gotten approval from the Israeli government.
NSO has claimed that its spyware isn’t able to target US phone numbers (that is, numbers with a country code of +1). This case doesn’t seem to disprove that claim — Reuters reports that, while the people targeted were employees of the State Department, they were using foreign telephone numbers. Still, the devices were used for official State Department business, suggesting NSO may now be implicated in an espionage effort against the US government.
According to Reuters, the attacks happened in “the last several months.”
NSO’s Pegasus spyware is capable of remotely logging data from an infected iOS or Android device and can be used to covertly turn on a phone’s microphones or cameras. It’s also designed to infect phones using a “zero-click” attack, in which spyware can be installed without the target clicking a link or otherwise taking action.
Pegasus is also not supposed to leave any traces, though investigators have developed some methods to determine if a phone was hacked by it. You can read our explainer on it here, which goes into the media investigations of its usage by governments to target journalists, politicians, and activists.
NSO, based in Israel, has to get approval from the Israeli Ministry of Defense before it sells its software to another government agency. NSO co-founder Shalev Hulio has insisted that the company doesn’t know who its clients are spying on using its software. The company also says that it will investigate clients if they’re using Pegasus on off-limits targets and cut off the client’s access to the software if there’s evidence of abuse.
An NSO spokesperson told Reuters that the company would be investigating its reports, and the Israeli embassy told the outlet that a government targeting US officials with Pegasus would be “a severe violation” of its licensing agreements.
The US recently added NSO to its entity list, which puts heavy restrictions on American companies being able to sell their products or services to the group. In the private sector, Apple filed a lawsuit against NSO Group, claiming that the company broke Apple’s terms of service by creating over a hundred iCloud accounts to send malicious data via iMessage. Apple says that it patched the specific vulnerability NSO used to install Pegasus with iOS 14.8 and that it had added additional protections in iOS 15, which the company says it hasn’t seen Pegasus breach yet.
When the company announced its lawsuit, Apple said it would also notify users who had been targeted by a state-sponsored spying campaign. Ugandan politician Norbert Mao tweeted in November that he received one of the notifications. The Wall Street Journal reports that the US officials also received these notifications.
There are also reports that the US government is working on an initiative with other countries to prevent surveillance tools and technology from being sold to authoritarian governments. According to The Wall Street Journal, the effort will focus on export controls and will likely be announced at the Summit for Democracy, which starts December 9th.
Update December 3, 5:35PM ET: Added information from The Wall Street Journal’s report.