Apple recently revealed a new policy that would notify users if their devices were the targets of a state-sponsored attack conducted using spyware from Israeli surveillance-for-hire firm NSO Group. Now, just weeks later, a new report from Reuters claims at least nine U.S. State Department officials found themselves on the receiving end of an NSO powered hack. The attacks would represent the most significant attacks on U.S. officials using the company’s spyware to date.
Citing unnamed sources, Reuters claims each of the targeted officials was either based in Uganda or was working closely on matters related to that country.
In a statement to Gizmodo, an NSO spokesperson said that, following Reuters’ inquiry on Thursday, the company had suspended “relevant accounts,” citing the “severity of the allegations.” It told Reuters that a permanent ban would follow if the allegations proved true.
The statement noted that while NSO had not seen any indication of its software being used in the attacks described, once in the hands of its customers, the company “has no way to know” whose phones are being hacked.
NSO says safeguards are built into its software to prevent attacks on phones with working U.S. phone numbers. (NSO’s software infects targets via their phone number, often via malicious SMS or email links). While the overseas officials allegedly targeted are U.S. citizens, according to Reuters, their iPhones were registered with foreign numbers.
Apple did not immediately comment on the report but directed Gizmodo to its lawsuit against NSO and previous statements.
As a fresher, NSO Group has gained international notoriety in recent years after multiple reports have shown NSO Group’s willingness to sell its Pegasus spyware and other tools to authoritarian regimes worldwide. In some cases, NSO Groups’ software has reportedly been used to target journalists, human rights advocates, children, and even some political leaders. Previous reports have also alleged NSO Group’s spyware was involved in the brutal assassination of Saudi Arabia political dissident and commentator Jamal Khashoggi, allegations the company has denied.
NSO Group has around 60 customers spread out across 40 countries and has publicly maintained that it only sells its products to government law enforcement and intelligence agents. Facing mounting pressure, the company temporarily suspended several government clients earlier this year over the potential misuse of its service.
The alleged State Department attacks come less than a month after the US Commerce Department added NSO Group to its U.S. Export Administration Regulation (EAR) “Entity List.” Those sanctions subject NSO to trade restrictions that would require U.S.-based companies to acquire a special license from the government if they want to provide services or sell products to the sanctioned party.
“Companies that enable their customers to hack U.S. government employees are a threat to America’s national security and should be treated as such by the government,” Senator Ron Wyden, a Democrat of Oregon charged with oversight of the intelligence community, told Gizmodo. “I want to be sure the State Department and the rest of the federal government has the tools to detect hacks and respond to them quickly.”
The crescendo of voices demanding a reining in of NSO Group’s reach isn’t limited to the US either. Just this week, a group of 86 human rights groups sent a letter to the European Union calling on officials to sanction NSO and take actions to limit the sale, transfer, and export of the technology. Major tech companies are also taking their own stands against the surveillance company. Back in 2019, Facebook (now Meta) filed a lawsuit against the company claiming its malware had exploited a vulnerability in WhatsApp that infected 1,400 phones with malware. Then, just last month, Apple launched its own legal battle against NSO Group that attempts to ban the company from using Apple software or services.
Update, 2:50pm: Story was updated to clarify that NSO Group had informed Reuters on Thursday that it would suspend “relevant accounts” out of caution while its own investigation is carried out.