The iPhones of 11 US embassy employees working in Uganda were hacked using spyware developed by Israel’s NSO Group, the surveillance firm that the US blacklisted a month ago because it said the technology had been used by foreign governments to repress dissent, several people familiar with the breach said on Friday.
The hack is the first known case of the spyware, known as Pegasus, being used against American officials. Pegasus is a sophisticated surveillance system that can be remotely implanted in smartphones to extract sound and video recordings, encrypted communications, photos, contacts, location data and text messages.
The suggestion is not that NSO itself hacked into the phones, but rather that one of its clients, which are mostly foreign governments, had directed the spyware against embassy employees.
The disclosure is bound to heighten the tension with Israel over the recent American crackdown on Israeli firms that make surveillance software that has been used to track the locations of dissidents, listen in on their conversations and secretly download files that move through their phones.
President Biden plans to make efforts to further crack down on the use of such software a key element of a summit next week at the White House, to which he has invited dozens of countries — including Israel.
US diplomats have been hacked before, notably by Russia, which has repeatedly pierced the state department’s unclassified email systems.
But in this case, the software was written by a company that operates closely with one of the US’s most vital allies — and a nation that often conducts cyberoperations alongside the National Security Agency, including against Iran. NSO has long insisted that it carefully selects its clients, and turns many away.
But the US concluded last month that the company’s software, and its operations, run contrary to American foreign policy interests, and placed it on the commerce department’s “entities list,” which bans it from receiving key technologies.
Representatives for the state department and Apple declined to comment.
NSO said in a statement that it would conduct an independent investigation into the allegations and cooperate with any government inquiry.
“We have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,” the company said. “To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case.”
Reuters reported earlier on Friday that Apple had notified the US embassy employees in Uganda last Tuesday about the hack. The people affected include a mix of foreign service officers and locals working for the embassy, all of whom had tied their Apple IDs to their state department email addresses, according to a person familiar with the attack.
“Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID,” Apple said.
“These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously,” Apple said in the notice.
NSO is one of several companies that make money by finding operating system vulnerabilities and selling tools that can exploit them.
Among those targeted by its users were confidants of Jamal Khashoggi, the Washington Post columnist who was dismembered by Saudi operatives in Turkey.
The US last month blacklisted NSO, its subsidiaries and an Israeli firm called Candiru, saying that they knowingly supplied spyware that has been used by foreign governments to “maliciously target” the phones of dissidents, human rights activists, journalists and others.