An unknown assailant planted NSO Group’s Pegasus spyware on the iPhones of at least nine U.S. State Department employees, according to four of Reuters’ sources who are familiar with the matter.
Two of the sources said that the attacks took place over the last several months, hitting targets either based in Uganda or focused on matters concerning the East African country, the news service reported on Friday.
We want to know what your biggest cloud security concerns and challenges are, and how your company is dealing with them. Weigh in with our exclusive, anonymous Threatpost Poll!
The Israeli spyware company has repeatedly said that its surveillance tools don’t work against smartphones based in the United States, but that doesn’t necessarily protect Americans traveling overseas or using foreign phones. Two of Reuters’ sources said that the targeted State Department employees were using iPhones registered with foreign telephone numbers, without the U.S. country code.
An investigation conducted by the Washington Post along with 16 other news organizations and published in July found that Pegasus had been planted on the phones of journalists and activists worldwide. The United States was no exception: Documented surveillance targets included overseas phone numbers for about a dozen Americans, including journalists, aid workers, diplomats and others, the news organizations ascertained.
One such U.S. target is New York Times journalist Ben Hubbard: As cybersecurity watchdog and spyware-scrutinzer Citizen Lab has concluded, Hubbard was “repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021,” while he was reporting on Saudi Arabia and writing a book about Saudi Crown Prince Mohammed bin Salman.
Potentially state-sponsored mobile cyberattacks have included the reported hack of Jeff Bezos’ phone, which reports say occurred after the Amazon CEO opened a seemingly benign WhatsApp video in 2018 from the account of the Saudi Crown Prince. Similarly, Hubbard has said that someone tried to hack his phone by sending him an Arabic text message with a link for a website. Beyond these high-profile instances, various journalists and human rights activists were targeted globally after a WhatsApp zero-day vulnerability was exploited by attackers who were able to inject spyware onto victims’ phones.
Apple Alerts State Department Victims
Apple sends threat notifications to surveillance targets, including one it sent last month to Ugandan President of the Democratic Party Norbert Mao. Mao shared the notification on Twitter:
“When you wake up to a threat notification from @Apple that your iPhone is being targeted then you know that cyber terrorism from state sponsored cyber terrorists is real.” —@norbertmao
When you wake up to a threat notification from @Apple that your iPhone is being targeted then you know that cyber terrorism from state sponsored cyber terrorists is real. pic.twitter.com/1uZ9eIf1FR
— Norbert Mao (@norbertmao) November 24, 2021
Apple declined to comment, but a spokesperson pointed Threatpost to the company’s announcement last week that it was suing NSO Group “to curb the abuse of state-sponsored spyware.”
On the same day that it announced its lawsuit, Apple also said that it would notify what it called the “small number” of users that it discovered may have been targeted by FORCEDENTRY.
FORCEDENTRY is a zero-day exploit successfully deployed against iOS versions 14.4 and 14.6 that blew by Apple’s BlastDoor sandboxing feature to install spyware on the iPhones of Bahraini activists, including one who was living in London at the time.
Reuters’ sources said that in this case with the State Department, Apple notified victims that included U.S. citizens who were “easily identifiable as U.S. government employees,” given that the email addresses associated with their Apple IDs ended in “state.gov.”
Mobile Threat Is ‘Very Real’
J.T. Keating, senior vice president of marketing for mobile security provider Zimperium, said in a Monday post that the incident “should be treated as a wake-up call rather than an isolated attack.”
“We have been detecting and stopping attacks like Pegasus for over ten years,” he wrote.
The mobile threat is “very real,” he said, regardless of how sophisticated the targeted organization or how much faith they put in protections. “Even the most sophisticated organizations are successfully attacked on mobile devices. If the U.S. State Department can be compromised, any organization can be.”
Keating referred to a customer panel Zimperium hosted at a recent Gartner Security & Risk Summit in which “Every customer reiterated that mobile attacks are real and increasing. Then we had our customer advisory meeting and the attendees stated the same thing.”
On Monday, a State Department spokesperson told Threatpost that it’s unable to confirm the attack on State Department employees’ phones.
The spokesperson did, however, refer to the addition of NSO Group and Candiru to the country’s Entity List last month, based on evidence that the companies developed and supplied spyware to foreign governments that used the tools to maliciously target government officials, journalists, businesspeople, activists and academics.
At the time, NSO Group said that it would fight the trade ban, clinging to its oft-repeated mantra that its tools actually help to prevent terrorism and crime.
Threatpost has also contacted NSO Group itself, the National Security Council (NSC) and the Uganda embassy in Washington, but they didn’t immediately reply.
On Thursday, NSO Group told Reuters that it hasn’t found evidence that its tools were used against State Department employees, but that it’s canceled access for its relevant customers. The company is planning to investigate based on Reuters’ findings, NSO Group said in a statement:
“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place… [NSO Group will] cooperate with any relevant government authority and present the full information we will have.” —NSO Group spokesperson, as quoted by Reuters.
How Were the iPhones Infected?
Chris Risley, CEO at Bastille Networks, told Threatpost via email on Sunday evening that what’s striking about this story is that “[at least nine] phones were compromised at once.”
Either that many employees “were tricked into clicking on the wrong link, or more likely, the spyware was installed using ‘zero-click’ attacks,” Risley said.
There’s a lesson to be learned about how many vulnerable smartphones enter workplaces daily, and how much risk that entails, he said: “Any smartphone can now be hacked invisibly. A hacked smartphone can be used as a portal into an enterprise’s most important secrets, earnings data, trading data, merger and acquisition data.”
It’s a ” new world of smartphone spyware.” he continued, making it “imperative to have security protocols in place to manage the secure use of smartphones in the workplace. If security teams didn’t think smartphones in the facility were an important threat yesterday, they certainly should think they are an important threat now.”
Risley imagined that there are “probably some rooms in the U.S. Embassy in Uganda where no cell phones were allowed.” Hopefully, those are the only rooms where classified conversations took place, he said.
If embassies don’t have phone-free rooms, they should set them up “immediately,” he said. As well, organizations should be aware that turning off phones isn’t enough to ensure that spyware can’t be used to spy on targets, given that spyware can turn phones on.
There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!