Citing anonymous sources, Reuters reported on Thursday that at least nine workers based in the US Embassy in Uganda or specialising in the country were targeted using NSO’s Pegasus software by parties unknown.
Another report by the New York Times put the number of officials at 11, saying embassy staff had received a warning from Apple that “state-sponsored attackers are trying to remotely compromise the iPhone associated with your Apple ID”.
Pegasus is a military-grade surveillance suite that can infect an iPhone without the user’s knowledge and allow its wielder to snoop on everything from voice calls through location data to encrypted chat messages.
A spokesperson for NSO said it would conduct an independent investigation and cooperate with any government probe, as well as “immediately terminating” some customers’ access. There is no suggestion NSO conducted or knew about the hack.
This is the first known case of US government officials being targeted with Pegasus, and will deepen tensions between the US and Israel over whether NSO has been properly supervised.
Last month President Joe Biden blacklisted NSO as “contrary to the national security or foreign policy interests of the United States”, accusing it of knowingly selling spyware to governments that used it to “maliciously target” dissidents and journalists.
NSO is one of the brightest stars in Israel’s thriving cybersecurity industry, and insists that it only sells its software to carefully vetted intelligence agencies, law enforcement bodies or militaries to fight crime and terrorism.
But a global investigation by human rights groups and 17 media outlets found evidence that Pegasus had been used to target journalists, human rights activists, lawyers and opposition politicians. NSO denied those claims.
NSO said: “We have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations.
“To this point, we haven’t received any information, nor the phone numbers, nor any indication that NSO’s tools were used in this case…
“If our investigation shall show these actions indeed happened with NSO’s tools, [any] such customer will be terminated permanently and legal actions will take place.”
The company claimed that it blocks its products from working on US numbers and that it had “no way to know” who its customers target.
Mr Biden has invited Israel and many other countries to the White House next week in the hope of cracking down on the largely unregulated global spyware market.
Meanwhile, Apple has issued an emergency security patch and filed a lawsuit against NSO seeking damages for “flagrant violations of US federal and state law arising out of its efforts to target and attack Apple and its users”.