50 US government staff targeted with commercial spyware

'We were were astounded by the number,' says senior official

At least 50 US government personnel are believed to have been targeted with commercial spyware, allowing hackers to gain access to and spy on the victims' devices.

According to senior administration officials who talked to the Washington Post, the known victims work in "at least 10 countries" spanning different continents and that there could be more such instances.

"We were astounded by the number," said one senior administration official.

The official did not reveal which company's software was used or who was responsible for deploying the malware.

"We had a hunch early on, when we started this process that [such spyware] could pose counter-intelligence and security risks. … We realised increasingly that the counter-intelligence and security risks were profound."

The official, who spoke on the condition of anonymity in accordance with the ground rules set by the White House, said the effort to identify other employees who may have been targeted is continuing, and steps were being taken to mitigate the risks associated with these tools.

Previously, there has only been one other reported incidence of spyware being used to infect the devices of American officials.

In 2021, Reuters reported that nine State Department employees were hacked using Pegasus, the primary product of the Israeli spyware company NSO Group.

At that time, Apple sued the Israeli company for misusing its services and products to place a spyware on users' iPhones. The US also sanctioned NSO Group, as well as, another spyware outfit named Candiru.

NSO's spyware is capable of not only capturing photos, messages and other sensitive information from compromised devices, but also turning them into recording devices to monitor their surroundings.

US bans some, but not all, spyware

This latest disclosure comes after president Biden issued an executive order on Monday prohibiting US government agencies from using commercial spyware if it presents a danger to national security or human rights.

The new presidential order is meant to put pressure on the secretive business by placing additional restrictions on US government intelligence, law enforcement and military purchase decisions.

The goal is to change the way the shadowy market functions and limit the sales to certain actors by setting stronger controls on which firms may do business with the US government.

The US State Department and other relevant agencies will investigate whether producers of such hacking tools have business relationships with foreign countries with a history of poor human rights records.

If such a link is discovered, the makers could be prohibited from selling their products to US agencies.

Moreover, if the US intelligence community discovers proof that a particular commercial spyware platform was used in the targeting of US government officials, that platform will be subject to the new restrictions as well.

"Foreign governments and persons have deployed commercial spyware against United States government institutions, personnel, information, and information systems, presenting significant counter-intelligence and security risks to the United States government," the White House said in a press statement.

"Foreign governments and persons have also used commercial spyware for improper purposes, such as to target and intimidate perceived opponents; curb dissent; limit freedoms of expression, peaceful assembly, or association; enable other human rights abuses or suppression of civil liberties; and track or target United States persons without proper legal authorisation, safeguards or oversight."

The signing of the executive order follows multiple recent revelations about the deployment of sophisticated smartphone spyware by various government agencies across the globe.

In 2018, Citizen Lab, a University of Toronto internet and technology initiative, published a paper claiming that a single type of spyware was used by 36 distinct operators in 45 countries.

In a report release last year, Citizen Lab claimed that NSO Group's Pegasus spyware was used to infect a mobile phone connected to the UK prime minister's office in 2020 and 2021.

Also last year, the Israeli police was accused of conducing warrantless phone surveillance of Israeli citizens, including activists and politicians, using the Pegasus spyware.

Israeli newspaper Calcalist reported that police had access to the Pegasus spyware since 2013 and began to use the tool after December 2015 against targets including anti-government protest leaders, sometimes without the necessary court orders.