The State Department is in the process of trying to figure out who had access to the hacked materials on these phones and how the hack occurred, the US official said. It is possible that situation is the result of the US employees getting new iPhones and the Pegasus spyware software remaining on the devices even after they wiped them clear, the official added.
The State Department investigation is a sign that the thriving market for hacking tools sold by private firms is increasingly a threat to not just human rights, but also US national security.
The Commerce Department last month blacklisted NSO Group and another Israeli spyware firm, Candiru, accusing the companies of providing spyware to foreign governments that “used these tools to maliciously target” journalists, embassy workers and activists.
NSO Group’s main spyware product, known as Pegasus, is capable of remotely infecting mobile phones and eavesdropping on calls or text messages, according to security researchers.
The State Department is in touch with Apple Inc about the situation, the official said.
The State Department would not confirm the phones had been hacked.
“While we are unable to confirm, generally speaking the Department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected,” a State Department spokesperson said. “Like every large organization with a global presence, we closely monitor cybersecurity conditions, and are continuously updating our security posture to adapt to changing tactics by adversaries.”
The Biden administration has been “acutely concerned that commercial spyware like NSO Group’s software poses a serious counterintelligence and security risk to U.S. personnel,” a National Security Council spokesperson said, pointing to recent additions to Treasury Department’s entity list. There is also a government-wide effort to go after commercial hacking tools, the spokesperson said.
An NSO Group spokesperson said that once the firm learned of the incident, it “decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations.”
“To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case,” the NSO Group statement continued. “On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have.”
It is unclear who used the spyware to target the State Department employees’ phones.
An Apple spokesperson declined to comment.
Apple and other US tech firms have been ramping up pressure on NSO Group for alleged human rights and privacy abuses — allegations the firm denies.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which has investigated NSO’s spyware, said that the latest revelation about the alleged targeting of State Department phones shows that the department’s Bureau of Diplomatic Security needs to do more to secure those devices.
“NSO has been a plain-sight national security threat for years, and the fact that these breaches happened and Apple is required to do the notification, shows that the threat was not being taken seriously enough,” Scott-Railton told CNN.
Earlier this week the President of Uganda’s Democratic party, Norbert Mao, said he had received an Apple notification that his phone was targeted.