The Ugandan Government Bought Pegasus Two Years Before the Attack on State Department iPhones

There’s little doubt that NSO Group’s Pegasus Spyware is a nasty little beast, and while most of us mere mortals are unlikely to find ourselves facing it, it’s becoming pretty clear why Apple wants to sue NSO Group out of existence.

Pegasus has been around since at least 2014, but it recently gained a lot more public attention when forensic researchers with Amnesty International and the University of Toronto’s Citizen Lab discovered dangerous zero-click exploits that were being used by Pegasus to actively target more than 80 “human rights defenders (HDRs) and journalists around the world,” across 17 media organizations in 10 countries.

This took on a whole new level of gravity when Apple began notifying iPhone users who may have been victims of Pegasus, revealing dozens of new targets, ranging from Thai activists and a Polish prosecutor to employees of the U.S. State Department.

Although Pegasus was ostensibly created for use by government agencies in fighting terrorism and other similar high crimes, it’s become clear that the tool has been put to much more malicious use — and Apple believes that NSO Group’s hands are far from clean here either.

In fact, in its lawsuit, Apple goes so far as to describe those who work for the company as “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”

Ivan Krsti?, Apple’s head of Security Engineering and Architecture, also added that Apple wants to send a clear message that “In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place.”

The Ugandan Connection

Although the source of the recent cyberattacks on U.S. State Department officials was unclear, many speculated that the Ugandan government was behind them, since most if not all the employees involved were dealing with the political unrest in that country.

U.S. State Department officials also weren’t the only folks being targeted by Pegasus, likely by the same shadowy forces for similar reasons. Norbert Mao, President of the Democratic Party in Uganda, was also notified by Apple back in November that his iPhone had been targeted by Pegasus.

Despite this, however, the original report from Reuters emphasized that there was “no evidence the hacks were related to current events in Uganda,” and of course there are many other countries where NSO’s Pegasus Spyware is being used — and abused.

A new report from Ars Technica is making a much stronger case that the Ugandan government was indeed behind these attacks. While the evidence is still circumstantial, that fact that an Israeli woman with ties to both NSO Group and the intelligence community pitched Pegasus to the son of Uganda’s president over two years ago is hard to ignore.

In February 2019, an Israeli woman sat across from the son of Uganda’s president and made an audacious pitch—would he want to secretly hack any phone in the world? After all, the woman, who had ties to Israeli intelligence, was pitching him Pegasus, a piece of spyware so powerful that Middle East dictators and autocratic regimes had been paying tens of millions for it for years.

Ars Technica

The report goes on to note that NSO’s CEO, Shalev Hulio, travelled to Uganda only a few months later to close the deal by demonstrating “in real time how it could hack a brand-new, boxed iPhone.”

Ugandan officials reportedly paid between $10 million and $20 million for Pegasus — a small fraction of the NSO Group’s total revenue, which was estimated to be around $243 million in 2020.

To be clear, this is merely one smoking gun, and as Ars Technica adds, Uganda’s neighbouring country, Rwanda, has also been using Pegasus to hack iPhones inside Uganda.

The Future of NSO Group

Although NSO has always told its customers that U.S. phone numbers are blacklisted from being used by Pegasus, the 11 State Department officials in this case were using Ugandan numbers — although their Apple IDs clearly identified them as U.S. officials, with email addresses ending in “state.gov.”

Almost immediately after these allegations were revealed, NSO said it shut down access for “customers relevant to this case,” and that it would investigate the issue further. Sources have also said that NSO Group has cut off its ties with its African customers entirely.

Meanwhile, NSO Group remains on a U.S. blacklist that prevents it from buying any equipment, service, or intellectual properly from U.S.-based companies. Since most of its business runs on products from companies like Dell, Intel, Cisco, and the Windows operating system, it’s a move that should cripple the company, particularly as time goes on and new equipment and parts are needed.

The Israeli government has also begun expression some irritation with the company that was once one of its crown jewels. According to Ars Technica, former Prime Minister Benjamin Netanyahu had previously used Pegasus as “a diplomatic calling card” with countries that didn’t have official relations with Israel, such as the UAE, Morocco, Bahrain, and Saudi Arabia. It’s unclear which, if any, of those countries actually purchased Pegasus, but it’s clear that Israeli officials used the technology as a way of facilitating discussions.

Now, however, officials are becoming frustrated that the NSO Group issue is interfering with relations between Israel and the U.S. and wasting time that should be spent on more important things, like talking about policies related to Iran.

NSO Group’s diminishing reputation has also made it difficult to recruit the kind of top talent the company needs to create such sophisticated spyware. In the past, graduates of Israel’s elite signals intelligence units were eager to join the company, which probably explains why Pegasus was able to pull off such astonishing feats of hacking.

For instance, Google’s Project Zero researchers recently discovered that the hack used against U.S. diplomats employed a tiny piece of code used in Xerox machines int he 1990s to build a complete mini-computer into a single GIF file. The complexity of what NSO Group has managed to pull off has blown the minds of security researchers around the world.

As John Scott-Railton, the senior researcher at the University of Toronto’s Citizen Lab who first discovered the zero-click exploits used by Pegasus, said, “You can count on one hand the number of teams in the world that could create something like that.”