The Apple iPhones belonging to nine US State Department employees show evidence of infection with NSO Group spyware.

The hacks occurred across the past few months, targeting officials overseas. These intrusions represent the most egregious attacks directed towards US officials using NSO technology.

Previously, experts obtained a list of phone numbers that represented potential hack targets, and although American officials appeared on the list, it was not immediately clear as to whether the intrusions were attempted or at all successful. Information has not yet emerged pertaining to the perpetrators of the attacks.

Pegasus spyware details…

On Thursday, the NSO Group stated that they lacked any indication that their tools had been used in the US State Department breaches. Nonetheless, administrators canceled relevant accounts and announced the launch of an investigation.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place,” says an NSO spokesperson.

NSO asserts that its products and tools are only sold to government law enforcement and intelligence operatives, enabling them to track security threats. NSO Group itself declines any involvement with surveillance projects.

Say what?

In Washington, officials have not yet offered comment on the matter. A spokesperson for Apple also declined a comment request. A State Department spokesperson also declined to comment, and instead observed the Commerce Department’s recent choice to add NSO Group to an entity list, making it more difficult for US enterprises to conduct business with them.

Two spyware firms, including NSO group, were added to the Entity List after officials concluded that they provided spyware to governments, which had used the tools to target journalists, government works, business persons, activists, academics and others.

According to familiar sources, NSO’s software not only captures encrypted messages, photos and other personal data, it can also use phones to record and monitor a person’s surroundings.

Apple’s response

Apple alerted affected victims, who were easily identifiable as government employees due to .gov email addresses associated with their Apple IDs.

Sources say that State Department employees’ devices were infected with the spyware via a graphics processing vulnerability that Apple fixed in September. However, NSO customers had been exploiting the vulnerability since at least February of this year.

Victims did not need to see or engage with emails, texts or ads in order for the NSO spyware to infect the devices. The software, commonly known as Pegasus, is zero-click. NSO states that its tools are intended to help prevent terrorism. Controls to curb spying on innocent targets are now in place. The company contends that its intrusion tools cannot operate on phones that begin with the country code +1 (US).

Why the phone hacks occurred…

Despite ostensible measures to prevent spying on US-based phones, these same measures do not apply if a US citizen owns a foreign telephone number.

A member of the Biden administration states that the threat to US personnel abroad represented a strong motivation to add NSO to the Entity List, and to broadly pursue new global conversations about the limits of espionage.

US officials acknowledge the systemic abuse of the NSO group’s Pegasus spyware. In the past, NSO Group’s most well-known clients have included the governments of Saudi Arabia, the United Arab Emirates and Mexico.

The Israeli Ministry of Defense is required to approve export licenses for NSO. The Pegasus creators retain close connections to Israel’s defense and intelligence communities.

The Israeli embassy in Washington states that the use of NSO spyware to target American officials would represent a serious breach of its policies. An embassy spokesperson states that cyber products, such as NSO’s spyware, are only licensed for the purpose of responding to terrorism threats and severe crimes.

For more on this emerging story, visit Reuters. Get timely reports, analyses and excusive content when you sign up for the CyberTalk.org newsletter.