Apple has alerted 11 U.S. Embassy employees that their iPhones have been hacked in recent months with Pegasus spyware from NSO Group, an Israel-based company that licenses software to government clients in dozens of countries that allows them to secretly steal files, eavesdrop on conversations and track the movements of its targets, according to people familiar with the notifications.
The revelation, the first confirmed cases of Pegasus being used to target American officials, comes a month after U.S. officials blacklisted the NSO Group amid allegations that its foreign government clients had enabled hacking against unspecified embassy employees, political activists, human rights workers and others.
These and other actions come after the July publication of the Pegasus Project, an investigation by The Washington Post and 16 other news organizations into the activities of NSO Group. One of the investigation’s findings was that U.S. diplomats and other embassy employees were at risk from Pegasus, especially when they used phone numbers based overseas.
The hacks were concentrated at the U.S. Embassy in Uganda’s capital, Kampala, according to the people familiar with Apple’s notifications. At least some of those targeted were U.S. citizens working as Foreign Service officers, they said. Last month, Apple began alerting people who’d had been potentially compromised by a known Pegasus exploit called “FORCEDENTRY” and sued the company, seeking to prevent it from using Apple products in the future.
The news that U.S. Embassy employees being hacked was first reported by Reuters and was confirmed by The Post.
The hacks of U.S. officials by Pegasus highlights the national security threat posed by the largely unregulated global spyware market, which makes powerful malware available to countries worldwide regardless of their own technical abilities. The Israeli government controls where the NSO Group can offer its products, but there is no global regulatory framework, nor is there a system for routinely detecting abuses by the clients of private spyware companies.
News of the targeting of American diplomats working overseas helps explain the move by the Commerce Department last month to add NSO Group and another Israeli company, Candiru, to the blacklist, a relatively rare move against a business from a close ally. U.S. companies are prohibited from doing business with companies on the list, officially called the “Entity List,” which in recent years has been dominated by Chinese companies. Two other companies, one from Russia and the other from Singapore, were added to the list at the same time as NSO. Of the more than 1,600 companies on the list, nearly 40 percent are Chinese.
The National Security Council said in a statement Friday, “We have been acutely concerned that commercial spyware like NSO Group’s software poses a serious counterintelligence and security risk to U.S. personnel, which is one of the reasons the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce’s Entity List.”
Pegasus can be delivered remotely without any action, such as clicking on a link or notification. Once Pegasus penetrates a device, it essentially turns a smartphone into a spying device, allowing the operator — typically an intelligence or law enforcement official — to do anything the user can. That includes turning on the microphone, examining photos, emailing documents and tracking locations over time. Social media and contact lists can also help establish relationships with others.
“This is a direct safety threat to diplomats because Pegasus means you can live-track the locations of people,” said John Scott-Railton, a researcher with Citizen Lab, which tracks Pegasus and other spyware use worldwide and first discovered the Pegasus exploit.
NSO, which has said that Pegasus is intended to investigate only criminals, terrorists and other serious threats to security, said in a statement Friday that it had suspended accounts with clients, which it declined to name, because of the reports that Pegasus had been used to target U.S. diplomats.
The Israel-based company has long been deferential to U.S. interests and has insisted that Pegasus was not technically capable of hacking phones with U.S.-based +1 phone numbers. It is not known whether the diplomats alerted of intrusion had phones numbers based in foreign countries or the United States.
“Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,” said NSO spokesperson Oded Hershkovitz. “To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case. On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have.”
The iPhones belonged to U.S. citizens and local residents working for the U.S. Embassy in Kampala, people familiar with the notifications said. The phones were all linked to State Department email addresses using iCloud, Apple’s cloud-storage system. Those connections allowed investigators to identify them as government employees. Apple declined to comment.
Since Apple began issuing alerts to its users about possible attacks, people in numerous countries, including Uganda, Thailand and El Salvador, have reported receiving the warnings. Politician Norbert Mao, head of Uganda’s Democratic Party, tweeted last month, “When you wake up to a threat notification from @Apple that your iPhone is being targeted then you know that cyber terrorism from state sponsored cyber terrorists is real.”
A request for comment to the Ugandan embassy in Washington was not immediately returned on Friday.
The revelations could further fuel tensions between federal officials and the network of influential Washington figures NSO has paid in recent years. Rod J. Rosenstein, deputy attorney general at the Justice Department under the Trump administration, is helping defend NSO in court against an ongoing lawsuit by Facebook-owned messaging service WhatsApp, which accused NSO of spying on its customers. Rosenstein did not respond to requests for comment.
While the Pegasus Project found a wide range of abuses against lawyers, academics and political activists, government officials in the United States and elsewhere have displayed particular concern about the use of spyware against diplomats and other officials.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, said Friday, “Companies that enable their customers to hack U.S. government employees are a threat to America’s national security and should be treated as such by the government. I want to be sure the State Department and the rest of the federal government has the tools to detect hacks and respond to them quickly. Federal agencies shouldn’t have to rely on the generosity of private companies to know when their phones and devices are hacked.”
John Hudson contributed to this report.