The Israeli spyware developer NSO Group has faced increasing legal pressure and controversy as its hacking tools continue to be abused by repressive regimes and law enforcement around the world. Now Apple has informed a swath of iPhone users, including at least nine United States State Department employees, that their devices were compromised in recent months by unidentified hackers wielding NSO tools.
Sources told Reuters, which first reported the news, that the affected US government officials were working in Uganda or on topics related to the country. Ugandan political figures were also seemingly targeted in the campaign. Attacks that use NSO's Pegasus spyware, which works on both Apple's iOS mobile operating system and Google's Android OS, have been detected for years. Once installed on a device, Pegasus can track the user's location, activate their microphone, steal data, and more.
This latest example of its abuse underscores exactly what privacy and human rights advocates have long warned: that NSO does not have adequate controls in place to limit how its customers use the powerful tools it sells. And that the company's repeated assurances to the contrary—including that its spyware can't be used against devices registered with a US phone number—ring hollow.
“Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case,” said NSO Group spokesperson Liron Bruck in a statement, adding that the company had “decided to immediately terminate relevant customers' access to the system.” The statement went on to say they didn't have “any indication that NSO’s tools were used in this case.”
That claim of plausible deniability is common to NSO Group. In a July interview with Forbes, CEO Shalev Hulio compared his company to an automaker who sells a car to someone who later drives drunk. But powerful spyware wielded by governments is a far cry from an automobile, and NSO critics say the company has never done enough to curtail the inevitable abuses that its flagship product invites.
“To the extent that NSO's claims about limiting its customers' targeting were ever even credible, this shows that the guardrails in NSO's product were insufficient,” says Jake Williams, an incident responder and former NSA hacker. “This was completely predictable. When governments have capabilities sold to them by NSO and have unmet intelligence requirements, we should absolutely expect those governments to use any tool at their disposal.”
The secure messaging app WhatsApp, owned by Facebook parent company Meta, sued NSO Group in 2019 after its tools were allegedly used to hack thousands of victims by exploiting the service. Apple joined the fray with its own suit last week. And at the beginning of November, the US Department of Commerce sanctioned NSO Group over abuse of its Pegasus spyware.
“You have to wonder if these State Department attacks are the reason that NSO was sanctioned,” Williams says.