Cybersecurity: NSO Group Spyware Hacks the iPhones of at Least 9 US State Officials
According to four people familiar with the situation, at least nine US State Department employees’ Apple iPhones were hacked by an unknown assailant using sophisticated spyware developed by Israel-based NSO Group.
The hacks, which occurred in the last few months, targeted US officials who were either based in Uganda or focused on issues concerning the East African country, according to two of the sources.
The intrusions, which were first reported here, represent the most extensive known hacks of US officials using NSO technology. Previously, a list of numbers with potential targets that included some American officials surfaced in NSO reporting, but it was unclear whether intrusions were always attempted or successful.
Reuters was unable to determine who was behind the most recent cyberattacks.
NSO Group said in a statement on Thursday that it had no evidence that its tools had been used, but that it had canceled access for the relevant customers and would investigate based on the Reuters inquiry.
“If our investigation reveals that these actions were indeed carried out using NSO’s tools, such customer will be permanently terminated and legal action will be taken,” said an NSO spokesperson, adding that NSO will also “cooperate with any relevant government authority and present the full information we will have.”
NSO has long stated that it only sells its products to government law enforcement and intelligence clients in order to assist them in monitoring security threats, and that it is not directly involved in surveillance operations.
The Ugandan embassy in Washington declined to comment. Apple’s spokesperson declined to comment.
A State Department spokesperson declined to comment on the intrusions, instead pointing to the Commerce Department’s recent decision to place the Israeli company on an entity list, making it more difficult for US businesses to do business with it.
The Commerce Department said last month that NSO Group and another spyware firm were “added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.”
Easily distinguishable
According to product manuals reviewed by Reuters, NSO software is capable of not only capturing encrypted messages, photos, and other sensitive information from infected phones, but also converting them into recording devices to monitor their surroundings.
The creator of the spyware used in this hack was not named in Apple’s alert to affected users.
According to two of the people who were notified by Apple, the victims included American citizens who were easily identified as U.S. government employees because they associated email addresses ending in state.gov with their Apple IDs.
According to the sources, they and other targets notified by Apple in multiple countries were infected by the same graphics processing vulnerability that Apple did not learn about and fix until September.
According to researchers who investigated the espionage campaign, this software flaw has allowed some NSO customers to take control of iPhones since at least February simply by sending invisible but tainted iMessage requests to the device.
The hack required no action from the victim: no prompt was shown and nothing had to be tapped. Versions of the NSO surveillance software, known colloquially as Pegasus, could then be installed.
Apple announced that it would notify victims on the same day that it sued NSO Group last week, accusing it of assisting numerous customers in breaking into Apple’s mobile software, iOS.
In a public statement, NSO stated that its technology aids in the prevention of terrorism and that controls have been put in place to prevent spying on innocent targets.
NSO, for example, claims that its intrusion system will not work on phones with US phone numbers beginning with the country code +1.
However, in the Uganda case, the targeted State Department employees were using iPhones with foreign phone numbers, according to two of the sources, and without the US country code.
This year, Uganda has been roiled by an election marred by reported irregularities, protests, and a government crackdown. The Ugandan government has reacted angrily to attempts by US officials to meet with opposition leaders. There is no evidence that the hacks were related to current events in Uganda, according to Reuters.
According to a senior Biden administration official who spoke on the condition of anonymity, one of the reasons the administration was cracking down on companies like NSO and pursuing new global discussions about spying limits was the threat to US personnel abroad.
The official went on to say that the government has witnessed “systemic abuse” involving NSO’s Pegasus spyware in a number of countries.