The iPhones of at least nine US State Department employees were hacked by an unknown entity using spyware made by Israeli-based NSO Group, Reuters reported on December 4 citing unnamed sources. The Wall Street Journal later corroborated these findings and reported that the phones of eleven US officials were hacked using the Pegasus spyware.
The hacks took place over the last several months and targeted US officials either based in Uganda or focused on matters concerning the country, both reports said.
Earlier in July, an international consortium of media organisations revealed that political leaders, journalists, human rights activists, businessmen, military officials, intelligence agency officials, and several others from various countries across the world were targeted for surveillance by NSO-made Pegasus spyware, but there were no confirmed American targets then.
How were the hacks uncovered?
These hacks appear to have been uncovered after Apple notified the affected users. There were identifiable as US government employees because they associated email addresses ending in state.gov with their Apple IDs, Reuters said.
Apple in November sued NSO Group over the surveillance and targeting of Apple users with the Pegasus spyware. “Pegasus can record using a device’s microphone and camera, track the phone’s location data, and collect emails, text messages, browsing history, and a host of other information accessible through the device,” Apple said in its lawsuit.
On the same day, Apple also said that it will start notifying users who may have been targeted, in two ways:
- A Threat Notification will be displayed at the top of the page after the user signs into appleid.apple.com.
- Apple will send an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change.” – Craig Federighi, Apple’s senior vice president of Software Engineering.
What have NSO Group and the Israeli embassy said?
- NSO Group: In a statement published on its website, NSO Group said that despite no indication that NSO tools were used for the hacks, it has “immediately shut down all the customers potentially relevant to this case, due to the severity of the allegations, and even before we began the investigation.”
“If the allegations turn out to be true, they are a blunt violation of all commitments and agreements that company has with its customers, and the company will take legal action against these customers.” – NSO Group
- The Israeli embassy in Washington: In a statement to Reuters, a spokesperson for the Israeli embassy in Washington said:
“Cyber products like the one mentioned are supervised and licensed to be exported to governments only for purposes related to counter-terrorism and severe crimes. The licensing provisions are very clear and if these claims are true, it is a severe violation of these provisions.”
Do these hacks indicate NSO spyware can be used against US citizens?
NSO Group has long maintained that its spyware cannot be used against Americans. Back in July, the company said that its products “cannot be used to conduct cyber surveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers.”
In the current Ugandan case, it appears to be that the targeted US officials were using phones registered with a foreign number.
In its statement, the company reiterated:
“We emphasize that the Pegasus software is installed based on phone numbers only, and the tools are incapable of being installed on US (+1) numbers. This case doesn’t involve US phone numbers, and the company had no way to know who the persons monitored by our customers were.”
NSO Group is already part of the US Entity List
On November 3, Israel-based NSO Group and Candiru were added by the US government to its Entity List “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers,” a press release by the US Department of Commerce said.
This places severe restrictions on American companies from being able to sell their products or services to NSO.
In light of the Ugandan case, a senior Biden administration official told Reuters that the threat to US personnel abroad was one of the reasons the administration was cracking down on companies like NSO.
The US government is also reportedly working on an initiative with other countries to prevent surveillance tools and technology from being sold to authoritarian governments, which is likely to be announced at the Summit for Democracy starting on December 9.
What is happening around Pegasus allegations in India?
While India has long been suspected of being a Pegasus buyer, the scale and nature of surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns, but rather surveillance of those who are critical of the government.
In light of this, multiple people filed petitions before the Supreme Court alleging violation of privacy and the Court in October constituted an expert committee to investigate the usage of Pegasus by the government against its own citizens. This committee on November 26 started reaching out to potential targets of Pegasus detailing the scope of the probe and asking them to join the investigation by submitting their infected mobile device and a statement.
More recently, the Indian government in response to a question asked in the parliament said that “there is no proposal for banning any group named ‘NSO group’.”
- Summary: Apple’s Lawsuit Against NSO Group For Surveilling, Targeting Its Users With Pegasus Spyware
- Pegasus Probe: SC-Appointed Committee Reaches Out To Targeted People With A Request
- Supreme Court Appoints Committee To Investigate Pegasus In India; “State Does Not Get A Free Pass”
- UN Human Rights Council Faces Pressure To Denounce And Investigate Pegasus Surveillance
- Dubai’s Ruler Used Pegasus Spyware To Spy On His Ex-Wife Haya, Confirms UK’s High Court
Have something to add? Post your comment and gift someone a MediaNama subscription.