
Spyware infections continue as the U.S. federal government takes notice

News Analysis
Jul 27, 2022

As more high-profile instances of spyware misuse come to light, the U.S. government begins to take action to address the threat.


The U.S. House Intelligence Committee is holding a rare open public hearing today to discuss the proliferating and increasingly troublesome threats from foreign spyware. Despite the mounting evidence that invasive spyware apps such as NSO Group’s Pegasus software are used somewhat indiscriminately by despotic regimes against political foes, the U.S. government has done little to address this crisis.

The evidence is increasingly hard to ignore, which has prompted the Biden administration and Congress to take limited steps to curtail the abuses of foreign spyware.

Defense contractor’s bid to buy spyware accelerated action

In November 2021, the U.S. Commerce Department put NSO Group on its entity list that bans U.S. companies from doing business with the Israeli spyware purveyor, judging it as a national security risk, an action that NSO has seemingly tried to reverse. The following month, in December 2021, Congress, in passing its annual National Defense Authorization Act (NDAA), included a provision in that bill mandating that the State Department submit a spyware company list annually to Congress for five years.

The stiff-arming by the U.S., and other political controversies, created turmoil at the surveillance giant, prompting it to enter talks to sell out to a company run by ex-U.S. soldiers. Following the unexpected revelation that American defense contractor L3Harris was also in talks to purchase NSO Group’s spyware, with the reported support of some U.S. intel agencies, the White House let it be known that any attempt by American defense firms to buy the spyware would meet with stiff resistance. The U.S. is not alone in examining the use of NSO spyware. The European Parliament launched a committee of inquiry to investigate the use of surveillance software in European member states.

Earlier this month, the Intelligence Committee introduced a bill that would empower the U.S. director of national intelligence to bar any contract between spyware makers and the intelligence community. It would also authorize the White House to sanction them if they target U.S. spies.

Mounting mass of spyware instances discovered

The backdrop to these actions is the mounting mass of discovered instances where spyware from NSO and other foreign firms has been used against political enemies, even in democratic nations, leading to a creeping concern that the Pegasus one-click malware or its equivalent could be used against anyone, anywhere in the world. Last April, Israel’s Haaretz newspaper developed a complete listing of 450 phones targeted by NSO clients, ranging from an investigative journalist in Azerbaijan to 11 U.S. State Department officials stationed in Uganda.

Since then, a steady stream of new reports involving additional instances of foreign spyware infections has emerged. Among the latest revelations are:

  • Pegasus spyware infections within official UK networks. In 2020 and 2021, multiple suspected instances of Pegasus spyware infections within official UK networks were discovered by Citizen Lab. Targets included the Prime Minister’s office and the Foreign and Commonwealth Office.
  • An extensive espionage campaign against Thai pro-democracy protesters. At least 30 activists and protestors were infected with NSO Group’s Pegasus spyware between October 2020 and November 2021.
  • A widespread infection of Catalan civil society groups in Spain. The infection is known to have reached as far as Spanish Prime Minister Pedro Sánchez and Defense Minister Margarita Robles in what has come to be called Catalangate. Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware, including Pegasus, malware from another spyware maker, Candiru, and HOMAGE, a previously undisclosed iOS zero-click vulnerability used by NSO Group.
  • Spyware made by an Italian company, Milan-based RCS Lab, was used to spy on Apple and Android smartphones in Italy and Kazakhstan, according to Google. Google dubbed the spyware Hermit. Apple and Google said they had taken steps to protect their users from spyware.
  • A nephew of a Rwandan government critic was hacked with NSO spyware. Forensic experts at Citizen Lab said that the mobile phone of a Belgian citizen who is the nephew of Paul Rusesabagina, a jailed critic of the Rwandan government made famous by his portrayal in Hotel Rwanda, was hacked nearly a dozen times in 2020 with Pegasus spyware.
  • An exploited flaw in Google Chrome was linked to spyware maker Candiru, also known as Saito Tech. Researchers at Avast discovered an actively exploited but fixed flaw in Google Chrome linked to Israeli spyware company Candiru. The flaw was used for targeting individuals in Turkey, Yemen, and Palestine and journalists in Lebanon, where Candiru infected a website used by employees of a news agency. Like NSO, Candiru has been placed on the Commerce Department entities list along with two other malware makers, Computer Security Initiative Consultancy PTE (COSEINC) and Positive Technologies.
  • A Greek leader was targeted by Predator software. Nikos Androulakis, leader of Greece’s third-largest political party and a member of the European parliament, said his parliament’s cybersecurity service had informed him of an attempt to infect his mobile phone with Predator spyware, sold in Greece by a company called Intellexa.

The Intel Committee hearing is a chance to clear the air on needed government actions as it grapples with this epidemic of infections. “This is an opportunity for the U.S. to really set some standards and some norms,” Citizen Lab Senior Researcher John Scott-Railton said.

The private sector is taking action, too

The government is not alone in trying to grapple with the problem of foreign spyware. Apple took a big step earlier this month to protect its most likely targeted users from “mercenary” spyware by introducing Lockdown Mode. Starting this fall with iOS 16, iPadOS 16, and macOS Ventura, Lockdown Mode is an “extreme” option for the very small number of users who face grave, targeted threats to their digital security. It “hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware,” according to Apple.

Verizon claims that its Internet Security Suite includes anti-spyware protection as part of the core technology. Google says it tracks more than 30 spyware makers and warns customers whose devices are compromised.