At least 50 U.S. government employees in at least 10 countries overseas have had their mobile phones targeted with commercial spyware, a number that is expected to grow as the investigation continues, senior administration officials said this week.
In late 2021, Apple alerted roughly a dozen U.S. Embassy employees in Uganda that their iPhones had been hacked using Pegasus, military-grade spyware developed by NSO Group, an Israel-based company with government clients in dozens of countries. The tool allows its users to steal digital files, eavesdrop on conversations and track the movements of targets — often activated through “zero-click” malware that doesn’t even require the target to click on a link.
But the latest figure — of at least 50 government employees — shocked the Biden administration.
“We were astounded by the number,” said one senior administration official, revealing that dozens of government officials, some of them very senior, had devices that appeared or were confirmed to have been hacked by commercial spyware. The official would not specify which company’s software was used or who had deployed the malware. “We had a hunch early on, when we started this process, that [such spyware] could pose counterintelligence and security risks. … We realized increasingly that the counterintelligence and security risks were profound.”
The effort to identify additional targeted personnel continues, the official said, “and we cannot rule out that there will be more instances.”
The official, who spoke on the condition of anonymity under ground rules set by the White House, noted that measures were being taken to mitigate the risks posed by the tools.
The executive order comes more than a year after the Commerce Department placed NSO Group on a trade blacklist known as the Entity List, a significant move that barred export of any hardware or software from the United States to NSO, choking off a vital source of technology and sending a signal to would-be investors. The company has said its human rights policies “are based on the American values we deeply share” and has terminated contracts when misuse is found.
But NSO Group, which has been struggling financially, is just one of what experts say are dozens of companies that produce spyware — most of them not as large or well-known as NSO Group. Many operate with impunity in a largely unregulated space, officials say. The order is a welcome move toward establishing guardrails internationally, said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, a cybersecurity research group.
“It will chill global spyware proliferation by putting companies and investors on notice that time is running out for ‘anything goes’ business practices,” said Scott-Railton, who has worked on numerous investigations of Pegasus.
The order, which grew out of a White House review begun in late summer 2021, bars federal agencies from using commercial spyware if it has been used to hack or target U.S. government devices or personnel — or if it has been used to abuse human rights, such as by targeting dissidents. It applies to spyware built by foreign or American companies, a measure to avoid creating a “perverse incentive” for companies to relocate to the United States to bypass restrictions, the official said.
There’s an exception for spyware that might be needed for helping U.S. agencies develop defensive cyber measures or testing countermeasures to defeat hackers, the official said.
Last year the FBI drew scrutiny for press reports that it had explored using Pegasus. Grilled by lawmakers at a House Intelligence Committee hearing in March 2022, Director Christopher A. Wray said the bureau purchased a license for Pegasus spyware only to evaluate it, and never used it. “The FBI has not and did not use the NSO products operationally in any investigation,” he said.
Rep. Jim Himes (Conn.), the top Democrat on the House Intelligence Committee, called the order a “really good step forward.” The United States has not been a big market for commercial spyware, Himes said, so he was initially dubious of the impact a ban might have. But, he said, the White House polled intelligence agencies and found that “various technology companies are actually very keen to sell to the U.S., which would suggest that they’re going to be very careful about the nature of their product, what it’s used for and who uses it.”
The order is “an important first step as we engage our partners around the world,” the senior administration official said. “It is also intended to make sure that we are not contributing, directly or indirectly, to the proliferation and misuse of these tools.” Countering the misuse of technology and growing “digital authoritarianism” is a key theme the United States will push at this week’s democracy summit, a second official said.
The Commerce Department’s entity listing of NSO Group and three other companies, as well as probes of Pegasus undertaken by European governments, followed a July 2021 investigation by The Washington Post and 16 other news organizations into the activities of NSO Group.