WASHINGTON — The iPhones of 11 U.S. embassy employees working in Uganda have been hacked with spyware developed by Israel’s NSO Group, the surveillance company that blacklisted the United States a month ago and says the technology was foreign governments have been used to suppress dissent, several acquaintances with the violation said on Friday.
The hack is the first known case of the spyware, known as Pegasus, being used against US officials. Pegasus is an advanced surveillance system that can be remotely implanted into smartphones to extract audio and video recordings, encrypted communications, photos, contacts, location data and text messages.
There is no suggestion that NSO hacked the phones itself, but rather that one of its clients, mainly foreign governments, targeted embassy employees.
The revelation will no doubt increase tension with Israel over the recent US crackdown on Israeli companies that create surveillance software that has been used to track the locations of dissidents, eavesdrop on their conversations and secretly download files sent through their phones go. President Biden plans to make efforts to further crack down on the use of such software, a key part of a summit next week at the White House to which he has invited dozens of countries, including Israel.
US diplomats have been hacked before, most notably by Russia, which has repeatedly pierced the State Department’s unclassified email systems. But in this case, the software was written by a company that works closely with one of the United States’ most vital allies — and a country that often collaborates with the National Security Agency to conduct cyber operations, including against Iran.
NSO has long insisted that it selects its customers carefully and rejects many. But the United States last month concluded that the company’s software and its activities conflicted with US foreign policy interests, and placed it on the Commerce Department’s “Entity List” prohibiting it from key technologies. may receive.
Representatives from the State Department and Apple declined to comment.
NSO said in a statement it would conduct an independent investigation into the allegations and cooperate with any government investigation.
“We have decided to immediately terminate relevant customers’ access to the system due to the seriousness of the allegations,” the company said. “Until now, we have not received any information, neither the phone numbers nor any indication that NSO’s tools were used in this case.”
Reuters reported earlier on Friday that Apple notified the employees of the US embassy in Uganda about the hack on Tuesday. According to one person familiar with the attack, the people affected were a mix of foreign service officers and local residents working for the embassy, all of whom had their Apple IDs linked to their State Department email addresses.
“Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID,” the Apple statement said.
“These attackers are probably targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they could potentially gain remote access to your sensitive data, communications, or even the camera and microphone. While this may be a false alarm, you should take this warning seriously,” Apple said in the statement.
NSO is one of many companies that make money by finding vulnerabilities in the operating system and selling tools that can exploit them.
Among the targets were confidants of Jamal Khashoggi, the Washington Post columnist who was dismembered by Saudi agents in Turkey; a range of human rights lawyers, dissidents and journalists in the Emirates and Mexico, and even their relatives living in the United States.
The Biden administration last month blacklisted NSO, its subsidiaries, and an Israeli company called Candiru for knowingly supplying spyware that has been used by foreign governments to “malicately” attack the phones of dissidents, human rights activists, journalists and others. to attack”.
NSO and Candiru are not accused of maliciously hacking phones themselves, but of selling tools to customers when they knew they would be used in malicious attacks.
The blacklist, which prevents US suppliers from doing business with those companies, marked a remarkable break with Israel and was the strongest move yet by a White House to curb abuse in the shady, unregulated global spyware market.
The government phones targeted so far have not been classified and there is no evidence that the NSO exploits were used to access classified information, a senior government official said.
“We were also very concerned about it because it poses a real and current counterintelligence and security risk to US personnel and US systems around the world,” a senior government official said.
Apple released a patch in September that fixes the weakness in its mobile operating system. Since that patch only protects a phone after a user downloads the updated software, it’s possible that hackers could continue to exploit the weakness to infiltrate phones that had yet to be updated.
Apple asked State Department employees to take several precautions, including immediately updating their iPhones with the latest software available, including the patch. The company said the attacks that Apple had detected are “ineffective against iOS 15 and later”.
Apple’s notice to diplomats and the US government came after the tech company filed suit against NSO for what it believes are violations of the Computer Fraud and Abuse Act, a law passed in 1986 when many computers had less computing power than the current phones.
It’s not clear that Apple will prevail, as the statute is meant to protect computer users, not manufacturers. But the gist of the lawsuit, and NSO’s addition to a US blacklist, is an attempt to place the Israeli company in the same category as Chinese or Russian hacking groups, or ransomware operators who rent out their capabilities.
China has used similar types of spyware to suppress Muslim minorities, as has Russia against dissidents. Saudi Arabia is said to have used it in Khashoggi’s murder and subsequent attempt to cover up the crime.
But until now, it was not known to target American diplomats.
The government’s actions, combined with Apple’s legal action, should amount to a “multi-faceted effort” to stop NSO and make its spy software less effective. According to public reports, Apple has informed people in El Salvador, Uganda and Thailand that their phones have been compromised.
The concern is that the spy technology is extremely stealthy and can be placed on phones without users doing anything. Detecting that a phone has been compromised can also be quite difficult, the official said.
Kellen Browning contributed reporting from San Francisco, and Ronen Bergman from Tel-Aviv.