Israeli spyware was used against US diplomats in Uganda
The advanced spyware Pegasus, created by Israeli firm NSO
Group and used by governments like Saudi Arabia to gather intelligence on those
they deem terrorists or criminals, has reportedly been detected on at least 11
iPhones used by US officials in Uganda or conducting business related to the
country, as well as locals working for the embassy.
That news — first reported Friday by Reuters — will likely
exacerbate NSO Group’s fraught relationship with the US government; while the
company claims that Pegasus can’t be used on phones with US numbers, the recent
hack shows there are loopholes which allow foreign governments to spy on US
citizens and government employees. It’s the first known incident of the
technology being used against American officials, although it’s not yet known
which of NSO Group’s clients hacked the devices.
NSO Group has long claimed that its clients — which run the
gamut from monarchies like the UAE to democratic nations like Germany and
Mexico — are closely vetted, but there is a long record of its technology being
misused for nefarious purposes, like spying on dissidents or estranged spouses,
as the ruler of Dubai is alleged to have done.
NSO Group scandals also pose a diplomatic problem; though
NSO is a private company, it’s closely linked to the Israeli government, and
Israel’s defense ministry has to sign off on the export license for the
technology, ostensibly ensuring that it’s used only for the purposes “of
preventing and investigating crime and counterterrorism,” according to an
Israeli defense spokesperson who spoke to the Washington Post in July.
Extensive reporting from 17 outlets and more than 80
journalists proves, however, that that hasn’t always been the case: Among other
incidents, Pegasus was allegedly used to surveil Saudi dissident and Washington
Post columnist Jamal Khashoggi before his murder in October 2018.
More recently, the US has started to take action against the
company. In November, NSO Group was placed on the Commerce Department’s “entity
list,” which severely restricts the export of American technologies that could
be used by NSO Group to support Pegasus and similar projects.
Now, given the recent reporting on Pegasus’s use against
State Department employees, harsher crackdowns on NSO and similar technology
could be on the horizon. On Thursday, the Biden administration announced plans
for a US-led initiative on the use of surveillance technology — like Pegasus —
by authoritarian regimes. The aim, according to the Wall Street Journal, is to
create a framework around the export and licensing controls of such technology,
as well as create an information-sharing network to detect and report on its
misuse.
According to the Washington Post, 11 people connected to the
US embassy in the Ugandan capital Kampala — including some US citizens working
as foreign service officers — were notified by Apple that their devices had
been hacked.
While NSO has previously said Pegasus can’t be used against
US-based devices, Americans working overseas can — and often do — acquire local
phone numbers, which may be vulnerable to Pegasus attacks.
According to the New York Times, the targets were easily
identifiable as State Department employees — they had used their professional
email addresses to create their Apple IDs. While it’s not clear who perpetrated
the attack, and there is no indication it was NSO Group or the state of Israel,
using the Pegasus exploit, hackers could look at and copy files from targets’
devices, as well as track their movements and record conversations.
NSO Group maintains that governments that purchase Pegasus
are carefully vetted and are not to use the product except for specific
purposes; however, the company has repeatedly sold Pegasus to countries known
to use surveillance technology to track dissidents, lawyers, journalists, and
other members of civil society.
Extensive reporting in July showed that security services
and law enforcement agencies in places like Saudi Arabia, Mexico, Azerbaijan,
and Morocco appeared to have purchased the technology, according to reporting
by the Pegasus Project, a consortium of 17 news outlets including the
Washington Post, the Guardian, Die Zeit, and French outlet Forbidden Stories.
According to the Pegasus Project, a list of 50,000 potential
target phone numbers was hacked, apparently from servers in Cyprus, and leaked
to Forbidden Stories and Amnesty International, who shared it with journalists.
They were able to identify 1,000 different potential targets from the phone
numbers, including politicians like French President Emmanuel Macron, a key US
ally, as well as journalists, activists, and lawyers from around the world.
Pegasus is so useful — or so dangerous, depending on one’s
perspective — because it can access a target’s phone completely undetected.
While the spyware can infect via a link sent through a messaging service like
WhatsApp, it’s also possible for users to access targets’ phones through a
so-called “zero-day” exploit — a bug that the device manufacturer hasn’t yet
detected. The exploit can be active and present on a device for months before
the manufacturer finds the flaw and fixes it.
According to Reuters, the attacks against State Department officials were
initiated through a graphics processing
vulnerability which had been open to exploitation since at least February of
this year, and wasn’t patched until September. Other victims include Thai
dissidents and a Ugandan opposition leader.
Once a device has been infected, Pegasus can access even
encrypted messaging systems like Signal, as well as cameras and microphones —
enabling the hacker to record conversations and turning the device into a secret
surveillance tool in itself, according to the Organized Crime and Corruption
Reporting Project. The Guardian’s reporting at the time suggested that in
addition to attacking via widely-used messaging apps, Pegasus could potentially
have the capability to attack through the Photos and Music apps on Apple
devices.
In November, the company and another Israeli tech
manufacturer, Candiru, were added to the US Commerce Department’s entity list,
a move which prohibits NSO Group from purchasing US technology.
According to the Commerce Department, the decision to do so
was made “based on evidence that these entities developed and supplied spyware
to foreign governments that used these tools to maliciously target government
officials, journalists, businesspeople, activists, academics, and embassy
workers,” as well as evidence that the companies’ spyware was being used by
governments to suppress dissent on a global scale.
The decision puts NSO Group in the company of firms like
Huawei, the Chinese technology manufacturer which many Western governments have
accused of digital espionage. It’s an undesirable position for a company so
closely tied to the government of a US ally — one whose military and defense
industries are deeply entwined with the US.
NSO Group is in debt and under pressure
Shortly after NSO Group was added to the entity list last
month, according to Axios, former NSO Group CEO and co-founder Shalev Hulio
wrote to Israeli officials, including Prime Minister Naftali Bennett and
Defense Minister Benny Gantz, asking Israel to lobby Washington on NSO’s
behalf. Hulio reportedly claimed that the addition of NSO Group to the entity
list was a coordinated campaign by anti-Israeli organizations to damage the
reputation of Israeli businesses, and NSO Group said publicly it was “dismayed”
by the decision and had terminated contracts with government agencies which
misuse its products.
Indeed, it’s an unusually forceful move for the US to place
such severe restrictions on businesses in a closely allied country; however,
Friday’s reports of the hacks on the phones of US officials in Uganda said the
spying had been going on for months, a fact which could have influenced the
decision to punish NSO Group so severely.
In a November statement announcing NSO Group’s addition to
the entity list, the Commerce Department specifically cited embassy workers as
a potential target for Pegasus.
“We have been acutely concerned that commercial spyware like
NSO Group’s software poses a serious counterintelligence and security risk to
US personnel, which is one of the reasons the Biden-Harris Administration has
placed several companies involved in the development and proliferation of these
tools on the Department of Commerce’s Entity List,” the National Security
Council said in a statement to the Washington Post on Friday.
In response to NSO Group’s inclusion on the entity list,
Israel’s government has sharply limited the number of nations that NSO Group
and other spyware vendors are allowed to sell to, from 102 to 37.
Some groups, however, say it doesn’t go far enough. On Friday, 81
human rights organizations from around the world, including Amnesty
International, Human Rights Watch, and Reporters Without Borders, called on the
European Union to impose sanctions on the company for its repeated enabling of
human rights abuses, including the recent targeting of Palestinian activists.
“There is overwhelming evidence that Pegasus spyware has
been repeatedly used by abusive governments to clamp down on peaceful human
rights defenders, activists and perceived critics,” Deborah Brown, a senior
digital researcher and advocate for Human Rights Watch, said. “The EU should
immediately sanction NSO Group and ban any use of its technologies.”
This summer, after the Pegasus Project reporting came out,
the UN Human Rights Office of the High Commissioner also called for a
moratorium on the sale of such surveillance technology until an international
framework on the safeguarding of human rights and the use of surveillance tech
like Pegasus is in place.
Sen. Ron Wyden (D-OR), who is a member of the Senate
Intelligence Committee, has repeatedly and forcefully condemned NSO Group,
saying that the US should “[cut] them off from the American financial system
and investors by issuing sanctions under the Global Magnitsky Act,” which
targets corruption and human rights abuses.
International opprobrium isn’t NSO Group’s only problem,
either: According to recent reports, the firm is $500 million in debt, and
risks defaulting. As Bloomberg reported in November, Moody’s dropped the
company’s credit rating to Caa2 — eight grades below investment grade,
indicating that Moody’s believes NSO is highly likely to default on its debts.
The downgrade and low cashflow are due to lower revenue and
the payment of dividends to shareholders, but the consistent bad press and
placement on the entity list will likely only contribute to NSO Group’s
problems.