Israeli Company’s Spyware Is Used to Target U.S. Embassy Employees in Africa

WASHINGTON – The iPhones of 11 U.S. embassy employees working in Uganda were hacked with spyware developed by Israel’s NSO Group, the surveillance company that the United States blacklisted a month ago because it alleged the technology was used by overseas governments to quell dissent, several people familiar with the breach said Friday.

The hack is the first known case of the spyware known as Pegasus being used against American officials. Pegasus is a sophisticated surveillance system that can be remotely implanted in smartphones to extract audio and video recordings, encrypted communications, photos, contacts, location data and text messages.

There is no evidence that NSO itself hacked the phones; rather, one of its customers, mostly foreign governments, directed the spyware against embassy staff.

The revelation will fuel tensions with Israel over the recent US crackdown on Israeli companies that make surveillance software used to track dissidents’ locations, eavesdrop on their conversations, and stealthily download files moving over their phones. President Biden plans to make efforts to further curb the use of such software a key element of a White House summit next week, to which he has invited dozens of countries, including Israel.

US diplomats have already been hacked, particularly by Russia, which has repeatedly breached the State Department’s unclassified email systems. But in this case the software was written by a company that works closely with one of the United States’ key allies – and a nation that often collaborates with the National Security Agency to conduct cyber operations, including against Iran.

NSO has long insisted that it selects its customers carefully and turns many away. But the United States concluded last month that the company’s software and operations were against the interests of US foreign policy and put it on the Department of Commerce’s “entity list,” prohibiting it from obtaining key technologies.

State Department and Apple officials declined to comment.

NSO said in a statement that it would conduct an independent investigation into the allegations and cooperate with any government investigation.

“We decided to immediately terminate relevant customers’ access to the system due to the gravity of the allegations,” the company said. “So far we have not received any information, telephone numbers or indications that NSO’s tools were used in this case.”

Reuters had previously reported on Friday that Apple had informed the employees of the US embassy in Uganda about the hack last Tuesday. Those affected include a mix of field officials and locals who work for the embassy, all of whom had their Apple IDs tied to their State Department email addresses, according to one person familiar with the attack.

“Apple believes that you are being attacked by government sponsored attackers who are trying to remotely compromise the iPhone linked to your Apple ID,” said the Apple statement.

“These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a government sponsored attacker, they may be able to remotely access your sensitive data, communications, or even your camera and microphone. Although it is possible that it is a false positive, please take this warning seriously,” Apple said in the statement.

NSO is one of several companies that make money by finding vulnerabilities in operating systems and selling tools that can exploit them.

Victims have included confidants of Jamal Khashoggi, the Washington Post columnist who was dismembered by Saudi activists in Turkey; a number of human rights lawyers, dissidents and journalists in the Emirates and Mexico; and even their family members living in the United States.

The Biden government blacklisted NSO, its subsidiaries, and an Israeli company called Candiru last month, stating that they have knowingly delivered spyware that has been used by foreign governments “to attack maliciously” the phones of dissidents, human rights activists, journalists, and others.

NSO and Candiru are not accused of maliciously hacking phones themselves, but rather selling tools to customers even though they knew they would be used for malicious attacks.

The blacklist banning American suppliers from doing business with these companies marked a notable break with Israel and the strongest move yet by a White House to contain abuse in the opaque, unregulated global spyware market.

The government phones so far attacked have not been kept secret and there is no evidence that the NSO exploits were used to gain access to classified information, a senior administration official said.

“We were also very concerned about this because it poses a real and ongoing security and security risk to US personnel and US systems around the world,” said a senior administration official.

Apple created a patch in September that fixes the vulnerability in its mobile operating system. Because this patch only protects a phone after a user has downloaded the updated software, it is possible for hackers to continue to exploit the vulnerability to infiltrate phones that have yet to be updated.

Apple urged State Department officials to take several precautionary measures, including immediately updating their iPhones with the latest available software that includes the patch. The company said the attacks Apple discovered “had no effect on iOS 15 and later.”

Apple’s notification to diplomats and the U.S. government came after the tech company sued NSO for alleged violations of the Computer Fraud and Abuse Act, a law passed in 1986 when many computers had less processing power than current cell phones.

It’s not clear that Apple will prevail because the law is designed to protect computer users, not manufacturers. But the crux of the lawsuit and US blacklisting of NSO is an attempt to put the Israeli company in the same category as Chinese or Russian hacking groups or ransomware operators renting out their capabilities.

China has used similar types of spyware to suppress Muslim minorities, as has Russia against dissidents. Saudi Arabia reportedly used it in the murder of Mr Khashoggi and subsequent efforts to cover up the crime.

Until now, however, it was not known to have been aimed at American diplomats.

The government’s actions, combined with Apple’s legal action, should constitute a “multi-faceted effort” to stop NSO and make its spy software less effective. Apple has notified people in El Salvador, Uganda and Thailand that their phones have been compromised, according to public reports.

The concern is that the spying technology is extremely stealthy and can be placed on phones without users doing anything. It can also be quite difficult to identify that a phone has been compromised, the official said.

Kellen Browning contributed reporting from San Francisco and Ronen Bergman from Tel Aviv.