At least nine US State Department employees working in or with Uganda were hacked with spyware made by the NSO Group, according to a Reuters report.
The hacks, which have taken place in the past several months, have targeted US officials either in Uganda or focusing on matters relating to the East African country.
The Wall Street Journal confirmed the story, stating that the number of American and Ugandan embassy workers who were hacked had reached 11.
While it is not clear who carried out the attacks, the NSO Group says it only sells its software to government organizations that have received approval from the Israeli government.
The NSO Group claimed that its spyware was unable to target US phone numbers. The case of Uganda does not seem to refute this claim.
Reuters reported that while the targeted persons were employees of the Ministry of Foreign Affairs, they were using foreign phone numbers without the US country code.
However, the devices were used for official business of the State Department. This indicates that the Israeli company may now be involved in espionage efforts against the US government.
The Pegasus spyware can remotely log data from an infected iOS or Android device. It can be used to secretly operate phone microphones or cameras. It is also designed to infect phones without the target clicking on a link or taking action.
Nor is Pegasus supposed to leave any traces. But investigators have developed some ways to determine whether a phone has been hacked.
The NSO Group must obtain approval from the Israeli Ministry of Defense before it sells its software to another government agency.
The company’s co-founder insisted that the company does not know whom its customers are spying on with its software. The company also says it investigates customers if they are using Pegasus against prohibited targets and cuts off customer access if there is evidence of abuse.
Major scandal of spyware vendor NSO Group
A spokesperson for NSO Group told Reuters that the company is investigating the reports. The Israeli embassy in Washington told Reuters that targeting US officials with Pegasus is a serious violation of licensing agreements.
An embassy spokesperson said: “Cyber products such as those mentioned are subject to supervision and license for export to governments only for purposes related to combating terrorism and serious crime.” The license provisions are clear and if these claims are true, they are a serious violation of these provisions.
The United States recently added the NSO Group to its Entity List. This imposes restrictions on US companies that want to do business with it.
Apple, meanwhile, sued NSO Group, claiming it violated Apple’s terms of service by creating more than 100 iCloud accounts to send malicious data via iMessage.
Apple says it has patched the specific vulnerability that the Israeli company used to install Pegasus with iOS 14.8. It explained that it added additional protection in iOS 15.
When the company announced its lawsuit, Apple said it was informing users who had been targeted by a state-sponsored spying campaign.
Ugandan politician Norbert Mao tweeted in November that he had received one of the notifications. The Wall Street Journal reported that US officials also received these notifications.
There are also reports that the US government is working on an initiative with other countries to prevent the sale of surveillance tools and technology to authoritarian governments.
According to the Wall Street Journal, efforts are focused on export controls. The initiative is likely to be announced at the Democracy Summit, which begins on December 9.