WASHINGTON — The iPhones of 11 U.S. Embassy employees working in Uganda were hacked using spyware developed by Israel’s NSO Group, the surveillance firm that the United States blacklisted a month ago because it said the technology had been used by foreign governments to repress dissent, several people familiar with the breach said on Friday.
The hack is the first known case of the spyware, known as Pegasus, being used against American officials. Pegasus is a sophisticated surveillance system that can be remotely implanted in smartphones to extract sound and video recordings, encrypted communications, photos, contacts, location data and text messages.
There is no suggestion that NSO itself hacked into the phones, but rather that one of its clients, mostly foreign governments, had directed it against embassy employees.
The disclosure is bound to heighten the tension with Israel over the recent American crackdown on Israeli firms that make surveillance software that has been used to track the locations of dissidents, listen in on their conversations and secretly download files that move through their phones. President Biden plans to make efforts to further crack down on the use of such software a key element of a summit next week at the White House, to which he has invited dozens of countries — including Israel.
U.S. diplomats have been hacked before, notably by Russia, which has repeatedly pierced the State Department’s unclassified email systems. But in this case, the software was written by a company that operates closely with one of the United States’ most vital allies — and a nation that often conducts cyberoperations alongside the National Security Agency, including against Iran.
NSO has long insisted that it carefully selects its clients, and turns many away. But the United States concluded last month that the company’s software, and its operations, run contrary to American foreign policy interests, and placed it on the Commerce Department’s “entities list,’’ which bans it from receiving key technologies.
Representatives for the State Department and Apple declined to comment.
NSO said in a statement that it would conduct an independent investigation into the allegations and cooperate with any government inquiry.
“We have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,” the company said. “To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case.”
Reuters reported earlier on Friday that Apple had notified the U.S. Embassy employees in Uganda last Tuesday about the hack. The people affected include a mix of foreign service officers and locals working for the embassy, all of whom had tied their Apple IDs to their State Department email addresses, according to a person familiar with the attack.
“Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID,” the notice from Apple said.
“These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously,” Apple said in the notice.
NSO is one of several companies that make money by finding operating system vulnerabilities and selling tools that can exploit them.
Among those targeted by its users were confidants of Jamal Khashoggi, the Washington Post columnist who was dismembered by Saudi operatives in Turkey; an array of human rights lawyers, dissidents and journalists in the Emirates and Mexico, and even their family members living in the United States.
The Biden administration last month blacklisted NSO, its subsidiaries and an Israeli firm called Candiru, saying that they knowingly supplied spyware that has been used by foreign governments to “maliciously target” the phones of dissidents, human rights activists, journalists and others.
NSO and Candiru are not accused of maliciously hacking into phones themselves, but of selling tools to clients despite knowing that they would be used in malicious attacks.
The blacklist, which blocks American suppliers from doing business with those companies, represented a remarkable break with Israel and was the strongest step yet by any White House to curb abuses in the shadowy, unregulated global market for spyware.
The government phones that have been targeted so far have been unclassified, and there is no indication that the NSO exploits have been used to gain access to classified information, a senior administration official said.
“We were also very concerned about it because it poses a real and live counterintelligence and security risk for U.S. personnel and U.S. systems around the world,” a senior administration official said.
Apple created a patch in September that fixed the weakness in its mobile operating system. Since that patch only protects a phone after a user downloads the updated software, it is possible that hackers could continue to exploit the weakness to infiltrate phones that had yet to be updated.
Apple asked the State Department employees to take several precautions, including immediately updating their iPhones with the latest software available, which includes the patch. The company said that the attacks Apple had detected “are ineffective against iOS 15 and later.”
Apple’s notification to the diplomats, and to the U.S. government, came after the technology company filed suit against NSO for what it alleges are violations of the Computer Fraud and Abuse Act, a statute passed in 1986, when many computers had less computing power than current cellphones.
It is not clear Apple will prevail, because the statute is intended to protect computer users, not manufacturers. But the essence of the suit, and the addition of NSO to a U.S. blacklist, is an attempt to put the Israeli company in the same category as Chinese or Russian hacking groups, or ransomware operators that rent out their capabilities.
China has used similar types of spyware to repress Muslim minorities, as has Russia against dissidents. Saudi Arabia is believed to have used it in the killing of Mr. Khashoggi, and the subsequent effort to cover up the crime.
But until now, it was not known to have been directed at American diplomats.
The government actions, combined with Apple’s legal steps, should amount to a “multifaceted effort” to stop NSO and make its spying software less effective. According to public reports, Apple has notified people in El Salvador, Uganda and Thailand that their phones have been compromised.
The concern is that the spying technology is extremely stealth and can be placed on phones without users doing anything. Detecting that a phone has been compromised can also be quite difficult, the official said.
Kellen Browning contributed reporting from San Francisco, and Ronen Bergman from Tel Aviv.