The narrative around NSO Group’s Pegasus spyware thus far has been one of authoritarian governments using it to suppress criticism, investigation and political opposition domestically. The story may be shifting to one of international espionage with at least nine (and possibly 11) US State Department iPhones hacked by it.
Based in Israel and having direct ties to that country’s government, NSO Group recently found itself placed on the United States “Entity List”; it cannot sell its product in the US and is severely restricted in its ability to purchase from US companies. It remains unclear exactly who put the Pegasus spyware on the phones of State Department employees, but company policy is supposed to prevent it from functioning on the devices of select national allies of Israel.
Pegasus spyware hits US State Department employees in Uganda
Several anonymous inside sources told Reuters, along with other media outlets such as the Washington Post, that Pegasus spyware markers were discovered on 9 to 11 iPhones belonging to US State Department employees whose work revolves around Uganda. Some of the iPhones hacked by the unknown threat actor belonged to employees located in Uganda; other affected employees were apparently not based in the country.
US government employees, as well as residents of the US in general, are supposed to be beyond the reach of Pegasus spyware. NSO Group has claimed that the hacking tool contains code to automatically prevent it from working on phones that have a US country code (+1). Some of the sources indicated that the iPhones hacked in this case were registered with foreign country codes, though the Apple IDs contained US state.gov email addresses.
Given the information provided by the sources, it seems unlikely that NSO Group was directly involved in the attacks. If the reports are true, it would appear someone in Uganda either took it upon themselves to spy on foreign officials or they were caught up in some broader surveillance program. The US has long considered Uganda an ally and partner in Africa, but longtime president Yoweri Museveni’s administration has been accused of human rights violations and of using security forces to jail political opposition.
The issue does once again raise the question of NSO Group’s knowledge of (and potential facilitation of) what clients do with the Pegasus spyware once they buy it. A recent lawsuit brought by Apple revealed that NSO Group registered a number of fake Apple accounts from which its clients could send malicious messages. NSO Group has said that it does not directly assist clients with their hacking, but has also said that it vets them for legitimate law enforcement purposes. The iPhones hacked in Uganda are representative of the reasons why the company found itself placed on the Entity List in the first place: an apparent lack of control over the use of its product, and possible provision of support services (knowingly or not) to repressive regimes engaged in abuse.
iPhones hacked in Uganda first ones confirmed to belong to US officials
The iPhones hacked in this case are the first known to belong to US government members, though some officials appeared on a list of 50,000 surveillance targets leaked as part of the “Pegasus Papers” project earlier in 2021. There were no confirmed breaches among those names, but several United Nations diplomats living in the US were apparently targeted along with the Biden administration’s lead Iran negotiator.
NSO Group told the media that it could not determine who used the Pegasus spyware or confirm that it was used, but said that it would investigate and would terminate any customer found to be involved with the iPhones hacked in Uganda. Given that the firm is only supposed to be selling the Pegasus spyware to governments that can demonstrate a law enforcement need, the list of potential culprits would appear to be very small.
A Ugandan politician who leads an opposition party took to Twitter in late November to indicate they had received a threat notification from Apple, one that fits the pattern of previous iPhones hacked by Pegasus spyware. Since patching the iMessage vulnerability exploited by Pegasus in September, Apple has been observed sending out similar notifications to those who may have been targeted or breached. The spyware exploited a flaw that gave the attacker almost complete access to the phone upon receipt of a malicious message, a “zero click” attack that did not even require the recipient to open and view the message to function. As of iOS 14.8 the Pegasus spyware should no longer be able to breach devices in this way, but phones that are running older operating system versions may still be vulnerable.
Chris Risley, CEO at Bastille Networks, notes that the iPhones hacked in this case appeared to be part of a targeted collective program and that the incident could force embassies and overseas officials to revamp their security policies: “So far, this has been covered as a tech story and as an Israeli relations story. But this really is a spy story. The striking thing about this discovery is that 11 phones were compromised at once … There’s a message here for corporations and organizations as well: Millions of vulnerable smartphones enter workplaces daily. Any smartphone can now be hacked invisibly … There are probably some rooms in the U.S. Embassy in Uganda where no cell phones were allowed and we can hope that those were the only places that classified conversations took place. If not, that embassy and every embassy around the world needs to have those phone-free rooms and to enforce those rules starting immediately. Also, remember that it isn’t enough to ‘turn your phone off.’ Spyware can turn your phone on.”