Israel's NSO Group's Pegasus spyware was used to hack the iPhones of 11 U.S. State Department employees working in Uganda, an anonymous source said Friday.
In an Associated Press report, the source said they were not authorized to speak publicly about the investigation.
Reuters reported that the NSO Group said it would investigate the incident, and, if it showed NSO technology was in fact used, terminate the customers and seek legal action against them. In the meantime, they have canceled the suspected customers' access. They have not specified who the customers are.
This marks the first reported hacking against U.S. government workers using the NSO technology, according to the AP.
"We have been acutely concerned that commercial spyware like NSO Group software poses a serious counterintelligence and security risk to U.S. personnel," White House press secretary Jen Psaki said at a briefing.
The hacked employees included some foreign service workers as well as local Ugandan workers.
According to the AP, the NSO Group is "the world's most infamous hacker-for-hire company." The U.S. Department of Commerce recently blacklisted the company, not allowing them to use any U.S. technology. This is a move NSO is working to reverse.
For more reporting from the Associated Press, see below.
Senior researcher John Scott-Railton of Citizen Lab, the public-interest sleuths at the University of Toronto who have been tracking Pegasus infections for years, called the discovery a giant wake-up call for the U.S. government about diplomatic security.
"For years we have seen that diplomats around the world are among targets," he said, "and it looks like the message had to be brought home to the U.S. government in this very direct and unfortunate way. There is no exceptionalism when it comes to American phones in diplomats' pockets."
News of the hacks, which were first reported by Reuters, comes a month after the U.S. Commerce Department blacklisted NSO Group, barring U.S. technology from being used by the company. And Apple sued NSO Group last week seeking to effectively shut down its hacking of all iPhones and other Apple products, calling the Israeli company "amoral 21st century mercenaries."
In announcing the lawsuit, Apple sent out notifications globally to people whose iPhones were hacked with Pegasus in countries ranging from El Salvador to Poland. The targeted State Department employees were among them.
Apple declined comment Friday on the Uganda hacks.
Marketed to governments for use solely against terrorists and criminals, Pegasus has been abused by NSO customers to spy on human rights activists, journalists and politicians from Saudi Arabia to Mexico, including such high-profile targets as the fiancee of Jamal Khashoggi, the Saudi journalist murdered in his country's consulate in Istanbul.
NSO Group has been broadly denounced for allowing such targeting, and its placement on the Commerce Department's "entity list" last month was the first time a company outside of China had been added over human rights violations, said Kevin Wolf, an attorney at Akin Gump and former top commerce official in the Obama administration.
Analysts wonder whether NSO Group can survive financially under such circumstances. Last week, Moody's downgraded NSO Group's financial outlook to negative, saying it risked defaulting on more than $300 million in loans as a result of "high uncertainty" of its ability to sell new licenses. It said NSO Group, which is privately held, has about 750 employees with 60 customers in more than 35 countries
The impact on companies blacklisted by the Commerce Department, about half of which are Chinese, is often far broader than barring them from using U.S. technology. Wolf said many companies choose to avoid doing business with them completely "in order to eliminate the risk of an inadvertent violation" and the legal costs of analyzing whether they can.
NSO Group was asked by the Associated Press prior to Friday's news whether it could survive as long as it is on the entity list. While not directly responding, it said it was "working on all appropriate channels to reverse the Department of Commerce's decision."
The company again claimed that it does not operate the Pegasus command-and-control system that remotely manages hacks "and has no access to the data collected by its customers." Cybersecurity researchers who have closely tracked NSO's spyware dispute that claim. They say NSO's government clients are incapable of running the online infrastructure and their sleuthing has confirmed centralized control of post-infection operations.
Apple's lawsuit added major heft to a Big Tech legal onslaught against NSO Group. Facebook sued it in 2019 for allegedly hacking its globally popular encrypted WhatsApp messaging app. Last month, a U.S. federal appeals court ruled that the case could go forward, rejecting NSO's claim it should be thrown out because it is a "sovereign entity."
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
