NSO Group Spyware Hits at Least 9 US State Department Phones

Credit to Author: Lily Hay Newman | Date: Fri, 03 Dec 2021 23:23:38 +0000

The Israeli spyware developer NSO Group has faced increasing legal pressure and controversy as its hacking tools continue to be abused by repressive regimes and law enforcement around the world. Now Apple has informed a swath of iPhone users, including at least nine US State Department employees, that their devices were compromised in recent months by unidentified hackers wielding NSO tools.

Sources told Reuters, which first reported the news, that the affected US government officials were working in Uganda or on topics related to the country. Ugandan political figures were also seemingly targeted in the campaign. Attacks that use NSO's Pegasus spyware, which works on both Apple's iOS mobile operating system and Google's Android OS, have been detected for years. Once installed on a device, Pegasus can track the user's location, activate their microphone, steal data, and more.

This latest example of its abuse underscores exactly what privacy and human rights advocates have long warned: that NSO does not have adequate controls in place to limit how its customers use the powerful tools it sells. And that the company's repeated assurances to the contrary—including that its spyware can't be used against devices registered with a US phone number—ring hollow.

“Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are. As such, we were not and could not have been aware of this case,” said NSO Group spokesperson Liron Bruck in a statement, adding that the company had “decided to immediately terminate relevant customers' access to the system.” The statement went on to say they didn't have “any indication that NSO’s tools were used in this case.”

That claim of plausible deniability is common to NSO Group. In a July interview with Forbes, CEO Shalev Hulio compared his company to an automaker who sells a car to someone who later drives drunk. But powerful spyware wielded by governments is a far cry from an automobile, and NSO critics say the company has never done enough to curtail the inevitable abuses that its flagship product invites.

“To the extent that NSO's claims about limiting its customers' targeting were ever even credible, this shows that the guardrails in NSO's product were insufficient,” says Jake Williams, an incident responder and former NSA hacker. “This was completely predictable. When governments have capabilities sold to them by NSO and have unmet intelligence requirements, we should absolutely expect those governments to use any tool at their disposal.”

The secure messaging app WhatsApp, owned by Facebook parent company Meta, sued NSO Group in 2019 after its tools were allegedly used to hack thousands of victims by exploiting the service. Apple joined the fray with its own suit last week. And at the beginning of November, the US Department of Commerce sanctioned NSO Group over abuse of its Pegasus spyware.

“You have to wonder if these State Department attacks are the reason that NSO was sanctioned,” Williams says.

Privacy advocates and researchers add, though, that the US government response is long overdue given how many high-profile incidents of targeted surveillance have involved NSO hacking tools.

“For too long, the US government looked the other way, even though Pegasus was used against Americans and US-affiliated targets such as Jeff Bezos and associates of slain Washington Post columnist Jamal Khashoggi,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. The NSO Group has strongly denied its software's involvement in either of those cases. “Those incidents should already have demonstrated conclusively that this company operates with impunity and is not on the side of the angels as it likes to claim. It's no longer possible to ignore the danger NSO poses to our national security.”

NSO's claim that it will take legal action against customers who use its tools for purposes other than terrorism investigations and law enforcement also has dubious value.

“This is unlikely to be an effective strategy, either to obtain restitution or as a deterrent,” Williams says. “We should expect most of the government organizations NSO might take legal action against to receive protection in their local jurisdictions.”

The impact of the US sanctions and WhatsApp and Apple lawsuits on NSO's business remains to be seen. So far, it seems, its customers have only become more emboldened with time.
