The iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using spyware from Israeli cybersecurity firm NSO Group, Reuters reported today.

Reuters cited sources as saying that the breaches took place over the past few months. The cyberattacks reportedly targeted State Department employees who are based in Uganda or focus on matters concerning the country. Apple Inc. is said to have notified affected individuals via alerts.

The spyware used to infect the targeted State Department employees’ iPhones is said to have exploited a vulnerability that Apple fixed in September. The vulnerability, a so-called zero-day flaw not known to the cybersecurity community prior to its publication, made it possible to infect iPhones via Apple’s iMessage messaging app. Users don’t have to perform any action, such as opening a message, for malicious code to be downloaded onto their smartphones.

In a statement about today’s report, NSO Group told Reuters that it did not have any indication that its tools were used, but canceled the relevant accounts and would launch an investigation. “If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place,” an NSO Group spokesperson said. The spokesperson added that NSO Group will “cooperate with any relevant government authority and present the full information we will have.”

Last month, the U.S. Commerce Department sanctioned NSO Group and three other companies after finding that they have engaged in malicious cybersecurity activities. The firms were placed on the Entity List maintained by the Commerce Department’s Bureau of Industry and Security. 

Cybersecurity publication The Record reported at the time that U.S.-based organizations are now prohibited from buying, exporting or transferring any cybersecurity tools developed by NSO Group unless they receive a special license. The Commerce Department said that organizations applying for such a license should expect a “presumption of denial.”

Last week, Apple sued NSO Group in the United States District Court for the Northern District of California over the use of its spyware to hack iPhones. Apple said that it wants to hold the company accountable for the targeting of iPhone users. Additionally, the iPhone maker is seeking to bar NSO Group from using its mobile devices, other hardware products and services. 

In its announcement of the lawsuit, Apple also stated that it’s taking steps to notify users if they’re targeted by spyware. “Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices,” the company detailed. Previously, Meta Platforms Inc.’s WhatsApp unit launched a lawsuit against NSO Group in 2019. 

Image: NSO Group