Date: 2021-12-04

News of the targeting of American diplomats working overseas helps explain the move by the Commerce Department last month to add NSO Group and another Israeli company, Candiru, to the blacklist, a relatively rare move against a business from a close ally. U.S. companies are prohibited from doing business with companies on the list, officially called the "Entity List," which in recent years has been dominated by Chinese companies. Two other companies, one from Russia and the other from Singapore, were added to the list at the same time as NSO. Of the more than 1,600 companies on the list, nearly 40% are Chinese.

The National Security Council said in a statement Friday, "We have been acutely concerned that commercial spyware like NSO Group's software poses a serious counterintelligence and security risk to U.S. personnel, which is one of the reasons the Biden-Harris Administration has placed several companies involved in the development and proliferation of these tools on the Department of Commerce's Entity List."

Pegasus can be delivered remotely without any action by the target, such as clicking on a link or notification. Once Pegasus penetrates a device, it essentially turns a smartphone into a spying device, allowing the operator - typically an intelligence or law enforcement official - to do anything the user can. That includes turning on the microphone, examining photos, emailing documents and tracking locations over time. Social media and contact lists can also help establish the user's relationships with others.

"This is a direct safety threat to diplomats because Pegasus means you can live-track the locations of people," said John Scott-Railton, a researcher with Citizen Lab, which tracks Pegasus and other spyware use worldwide and first discovered the Pegasus exploit.

NSO, which has said that Pegasus is intended to investigate only criminals, terrorists and other serious threats to security, said in a statement Friday that it had suspended accounts with clients, which it declined to name, because of the reports that Pegasus had been used to target U.S. diplomats.

The Israel-based company has long been deferential to U.S. interests and has insisted that Pegasus was not technically capable of hacking phones with U.S.-based +1 phone numbers. It is not known whether the diplomats alerted to the intrusion had phone numbers based in foreign countries or the United States.

"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers' access to the system, due to the severity of the allegations," said NSO spokesperson Oded Hershkovitz. "To this point, we haven't received any information nor the phone numbers, nor any indication that NSO's tools were used in this case. On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have."

The iPhones belonged to U.S. citizens and local residents working for the U.S. Embassy in Kampala, people familiar with the notifications said. The phones were all linked to State Department email addresses using iCloud, Apple's cloud-storage system. Those connections allowed investigators to identify them as government employees. Apple declined to comment.

Since Apple began issuing alerts to its users about possible attacks, people in numerous countries, including Uganda, Thailand and El Salvador, have reported receiving the warnings. Politician Norbert Mao, head of Uganda's Democratic Party, tweeted last month, "When you wake up to a threat notification from @Apple that your iPhone is being targeted then you know that cyber terrorism from state sponsored cyber terrorists is real."

A request for comment to the Ugandan embassy in Washington was not immediately returned on Friday.

The revelations could further fuel tensions between federal officials and the network of influential Washington figures NSO has paid in recent years. Rod Rosenstein, deputy attorney general at the Justice Department under the Trump administration, is helping defend NSO in court against an ongoing lawsuit by Facebook-owned messaging service WhatsApp, which accused NSO of spying on its customers. Rosenstein did not respond to requests for comment.

While the Pegasus Project found a wide range of abuses against lawyers, academics and political activists, government officials in the United States and elsewhere have displayed particular concern about the use of spyware against diplomats and other officials.

Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee, said Friday, "Companies that enable their customers to hack U.S. government employees are a threat to America's national security and should be treated as such by the government. I want to be sure the State Department and the rest of the federal government has the tools to detect hacks and respond to them quickly. Federal agencies shouldn't have to rely on the generosity of private companies to know when their phones and devices are hacked."

