The Pegasus spyware, developed by Israeli technology company NSO group, was used to hack the phones of at least nine employees of the US Department of State over the past couple of months, Reuters reported on Saturday, quoting four unidentified officials in knowledge of the matter.
The employees, who used Apple’s iPhones, were either based in Uganda or worked on matters related to the African country.
These are the largest reported hacks targeting US officials using the Pegasus spyware, according to Reuters. The intrusions, first reported by Reuters, have also been confirmed by unidentified officials speaking to AP and CNN.
The Pegasus spyware has been at the centre of a debate on privacy violations. In July, a global investigation involving 17 news organisations had revealed that the software was allegedly used to spy on heads of states, activists and journalists in several other countries, including India.
Pegasus is a military-grade spyware that is sold only to vetted governments.
The US citizens, whose phones were infiltrated, were identified as government officials as their email addresses, which ended in “state.gov”, had been linked with their Apple IDs, two officials told Reuters.
The revelation that US officials had been targeted using Pegasus came days after Apple sued the NSO Group. The American technology firm alleged that NSO Group and its clients conducted highly-targeted cyberattacks, allowing them access to cameras, microphones, sensitive data on Apple and Android devices.
Apple said that NSO Group used a software vulnerability to break into a user’s device and install the Pegasus spyware in it. The flaw, first identified by the Citizen Lab, a research group at the University of Toronto, has been fixed.
John Scott-Railton, a senior researcher at the lab, told AP that the latest hack targeting US officials was a wake-up call about diplomatic safety.
“For years we have seen that diplomats around the world are among targets,” he said, according to the news agency. “And it looks like the message had to be brought home to the US government in this very direct and unfortunate way. There is no exceptionalism when it comes to American phones in diplomats’ pockets.”
Meanwhile, White House Press Secretary Jen Psaki said that Pegasus poses a grave “counterintelligence and security risk to US personnel”. While Psaki did not confirm or deny the hacking, the press secretary said she was aware of reports about it.
“[This] is one of the reasons why this administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce’s Entity List,” she said at a press briefing on Friday. “We have also mobilised a government-wide effort to counter and curb proliferation of these commercial hacking tools.”
Last month, the United States Commerce Department had added NSO Group and three other companies to its trade blacklist. The decision meant that exports to the company from firms based in the United States would be restricted.
Meanwhile, the NSO Group has claimed that there was no indication that the phones of US officials had been targeted using its technology, but it had immediately “shut down all the customers potentially relevant to this case”.
“We emphasise that the Pegasus software is installed based on phone numbers only, and the tools are incapable of being installed on US (+1) numbers,” the company said. “This case doesn’t involve US phone numbers, and the company had no way to know who the persons monitored by our customers were.”
NSO Group said the allegations of hacking, if they turn out to be true, were a “blunt violation” of its commitments. “The company will take legal action against these customers,” NSO Group said.