WASHINGTON -- Apple alerted 11 U.S. diplomats that their iPhones had been hacked in recent months by spyware from NSO Group, an Israel-based company that helps government clients in dozens of countries steal files, eavesdrop on conversations and track the movements of their targets, according to people familiar with the notifications.
The news, first reported by Reuters and confirmed by The Washington Post, comes a month after U.S. officials blacklisted the NSO Group amid allegations that its foreign government clients had enabled hacking against embassy employees, political activists, human rights workers and others. These and other actions come after the July publication of The Pegasus Project, an investigation by The Washington Post and 16 other news organizations into the activities of NSO Group.
At least some of those whose phones were penetrated by Pegasus were U.S. citizens, according to people familiar with Apple's notifications, who added that the attacks were focused on U.S. officials working in Uganda or elsewhere in East Africa. Last month Apple began alerting people who had been potentially compromised by a known Pegasus exploit called "FORCEDENTRY" and sued NSO Group, seeking to prevent it from using Apple products in the future.
The National Security Council said in a statement Friday: "We have been acutely concerned that commercial spyware like NSO Group's software poses a serious counterintelligence and security risk to U.S. personnel, which is one of the reasons why the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce's Entity List."
Pegasus can be delivered remotely without any action by the target, such as clicking on a link, and without any notification. Once Pegasus penetrates a device, it essentially turns a smartphone into a spying device, allowing the operator -- typically an intelligence or law enforcement official -- to do anything the user can. That includes turning on the microphone, examining photos, emailing documents and tracking locations over time. Social media and contact lists can also help the operator establish the target's relationships with others.
"This is a direct safety threat to diplomats because Pegasus means you can live-track the locations of people," said John Scott-Railton, a researcher with Citizen Lab, which tracks Pegasus and other spyware use worldwide and discovered the Pegasus exploit.
NSO, which long has said that Pegasus is intended to investigate only criminals, terrorists and other serious threats to security, said in a statement Friday that it had suspended accounts with clients, which it declined to name, because of the reports that Pegasus had been used to target U.S. diplomats.
The Israel-based company has long been deferential to U.S. interests and said Pegasus was not technically capable of hacking phones with U.S.-based +1 phone numbers. It is not known whether the diplomats alerted to the intrusion had phones based in foreign countries or the United States.
"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers' access to the system, due to the severity of the allegations," said NSO spokesperson Oded Hershkovitz. "To this point, we haven't received any information nor the phone numbers, nor any indication that NSO's tools were used in this case. On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have."
The iPhones belonged to U.S. citizens and local residents working for the U.S. embassy, people familiar with the notifications said. The phones were all linked to State Department email addresses using Apple's cloud-storage system, iCloud.
Information for this article was contributed by John Hudson of The Washington Post.