US State Department Employees Targeted with NSO Group Malware

The controversial spyware maker NSO Group said it terminated access to its products for a customer who allegedly spied on at least nine U.S. State Department employees, in what would be one of the highest-profile cases of abuse of its spyware.

On Friday, Reuters reported that Apple had warned at least nine State Department employees that they had been targeted with NSO’s Pegasus spyware, citing four anonymous sources.

An NSO spokesperson told Motherboard in a statement that after being informed of the issue by Reuters, and “before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations.”

“On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have,” the spokesperson said. “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case.”

This is the latest in a seemingly endless series of scandals surrounding the Israeli spyware giant. Over the summer, a consortium of international news media outlets, working along with Amnesty International and French NGO Forbidden Stories, revealed several cases where NSO customers abused its technology to target heads of state, journalists, and human rights activists.

In early November, the U.S. government announced that it had put NSO on a blocklist, forbidding U.S. companies and individuals from selling software and services to the company.  A few days later, the newly appointed NSO CEO resigned before even starting his new job. Two weeks later, Apple filed a lawsuit against the company, alleging that it and its customers are abusing Apple infrastructure to target iPhone users. Apple has also recently warned several customers that they were targets of NSO spyware. That included American citizens, according to the Reuters report.

Reuters reported that the U.S. State Department employees targeted were based in Uganda or focused on matters related to the African country. Citing an anonymous senior Biden administration official, the targeting of U.S. diplomats abroad is one of the reasons the U.S. government put NSO on its blocklist.

Senator Ron Wyden, who has been particularly vocal about the activities of malware vendors such as NSO, told Motherboard in a statement that “Companies that enable their customers to hack U.S. government employees are a threat to America’s national security and should be treated as such by the government. I want to be sure the State Department and the rest of the federal government has the tools to detect hacks and respond to them quickly. Federal agencies shouldn’t have to rely on the generosity of private companies to know when their phones and devices are hacked.”

A State Department spokesperson told Motherboard that it was unable to confirm the specific hacks, but that the State Department takes its responsibility to protect information seriously. The spokesperson added that the State Department continuously updates its security posture in response to changing tactics by adversaries, and reiterated that the Biden and Harris Administration is taking action against the proliferation and misuse of tools used for repression.

Apple declined to comment, and instead pointed to an earlier blog post announcing its lawsuit against NSO Group.

Update: This piece has been updated to include a response from the State Department and Apple.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.