Mobile phones belonging to at least 50 federal employees, some of whom held senior positions, were confirmed or were suspected to have been hit by hacking attacks in 10 foreign countries across multiple continents, government officials told reporters.
“We were astounded by the number,” said one senior official, The Washington Post reported on Monday. The tally, which is higher than previously known publicly, could rise as efforts to examine the vulnerability continue.
In conjunction with the disclosure, President Joe Biden unveiled an executive order that seeks to institute rules that restrict federal agencies’ “operational use” of commercial spyware that the White House said poses risks to national security or has been misused by foreign actors to enable human rights abuses.
Governments from around the world, including the United States, have purchased from vendors commercial spyware that works to gain access to electronic devices and surreptitiously collect their data. That includes, for instance, the Drug Enforcement Administration using a spyware tool called Graphite created by Israeli firm Paragon, according to The New York Times.
The federal government blacklisted another Israeli company, NSO Group, in 2021 over accusations of spyware abuse. The firm developed Pegasus, a mobile phone hacking tool alleged to have been used to monitor journalists, activists, and politicians. Apple notified 11 U.S. Embassy employees in Uganda that their phones were hacked by Pegasus spyware, The Washington Post reported in December 2021.
An NSO Group executive told The Wall Street Journal in January that it cut ties with 10 customers for allegedly misusing its technology, which the company insisted “is only licensed, as a lawful solution, to government intelligence and law-enforcement agencies for the sole purpose of preventing and investigating terror and serious crime.”
FBI Director Wray told Congress last year that the bureau purchased a license for Pegasus for evaluation but insisted “the FBI has not and did not use the NSO products operationally in any investigation.”
The White House released a fact sheet on Monday that said Biden’s new order identifies “concrete remedial steps that commercial spyware vendors can take to reduce identified risks, such as cancelling relevant licensing agreements or contracts that present such risks,” and directs “important new reporting and information-sharing requirements within the Executive Branch.”
Matthew Duss, a visiting scholar in the American Statecraft program at the Carnegie Endowment and former foreign policy adviser to Sen. Bernie Sanders (I-Vt), said he has been “critical of the Biden administration for falling short on human rights commitments but clamping down on spyware and similar tools of repression is an area where they deserve great credit. This is really strong and welcome.”
The order precedes the second “Summit for Democracy,” which Biden is expected to co-host this week with leaders of other countries. The White House said Biden’s order will “serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform.”