The iPhones of at least nine US state department officials were recently hacked by a government using NSO Group spyware, according to a new report that raised serious questions about the use of Israeli surveillance tools against US government officials around the world.
The claim, which was reported by Reuters, comes just weeks after the Biden administration placed NSO on a US blacklist and said the surveillance company acted "contrary to the foreign policy and national security interests of the US".
According to Reuters, at least nine state department officials were hacked in the attack over the last several months, and the individuals who were targeted were either based in Uganda or focused on matters concerning the east African country. Reuters said it could not determine which NSO client was behind the attack.
A state department spokesperson said it could not confirm the Reuters report but that it took seriously its responsibility to safeguard its information.
"Like every large organization with a global presence, we closely monitor cybersecurity conditions, and are continuously updating our security posture to adapt to changing tactics by adversaries," the spokesperson said. The person added that NSO and another Israeli company, Candiru, had been added to the US commerce department entities list to "stem the proliferation and misuse of digital tools used for repression".
The news comes just days after Apple launched a lawsuit against NSO and reports emerged that the tech giant was beginning to alert victims around the world who had been compromised by the hacking tool. Once NSO's spyware - known as Pegasus - is successfully launched, it can hack into a mobile phone and intercept all communications, including encrypted messages. It can also turn any phone into a listening device, because once infected, a user of Pegasus can remotely control a mobile phone's recorder and camera.
In a statement released in response to the Reuters story, NSO said it had decided to "immediately terminate relevant customers' access to the system, due to the severity of the allegations".
Pressed by the Guardian to identify the customers who had been cut off, an NSO spokesperson said the company would not disclose information about its customers.
NSO said it had not received any information about the specific phone numbers that were targeted in the attack and had no indication that NSO tools were used in this case.
"On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have," the company said. NSO also reiterated that its technologies are blocked from working on US numbers, but said it had "no way to know" who the targets of its customers are and would therefore not have been aware of this case.
Researchers at Citizen Lab at the University of Toronto recently discovered the code behind an NSO exploit that was alleged to have been used to infect iPhones as recently as this July. The exploit, which was then promptly fixed by Apple, used a vulnerability in the company's iMessage function on all Apple products.
NSO has signalled that it would seek to convince the Biden administration to remove its name from the blacklist. But the latest revelation raises serious doubt that this will occur anytime soon.
Apple said it had no comment on the latest allegations.
While the report alleges the confirmed hack of US officials by a user of NSO surveillance tools, it is not the first time American citizens are believed to have been targeted. In July, the Pegasus Project, an investigation into NSO by the Guardian and other media outlets, which worked in coordination with the French non-profit media group Forbidden Stories, revealed evidence of attacks against American journalists and others.
Among the Americans who were hacked was Carine Kanimba, an activist and daughter of Paul Rusesabagina, the imprisoned Rwandan activist who gained international fame for inspiring the film Hotel Rwanda, about the Rwandan genocide. Kanimba is one of dozens of individuals who it is strongly suspected have been targeted. Rwandan authorities have staunchly denied having access to NSO Group technology, but have long been suspected of being a client of the Israeli firm.
The Pegasus Project also reported that the US phone number of a senior US diplomat, Robert Malley, who currently serves as the Biden administration's envoy to Iran and was one of the lead negotiators of the Obama administration's Iran deal, appears to have been selected as a person of interest by an NSO customer. There is no evidence that Malley was hacked and NSO has staunchly denied that the leaked database at the heart of the Pegasus Project was connected to the company or its clients.
NSO has said its government clients are prevented from deploying its software against US numbers because it has been made "technically impossible".
Reuters reported that the most "victims" who have recently been notified by Apple that they were hacked were "easily identifiable" as US government employees because of their associated email addresses, which ended in state.gov.
A senior Biden administration official, speaking to Reuters on condition that he not be identified, said the threat to US personnel abroad was one of the reasons the administration was cracking down on companies such as NSO and pursuing new global discussion about spying limits. The official added that they have seen "systemic abuse" in multiple countries involving NSO's Pegasus spyware.