Spy Tool Was Deployed in State-Sponsored Hack of Ugandans
NAIROBI, Kenya — Apple warned two Ugandan journalists and an opposition figure last week that their iPhones may have been hacked by a state-sponsored surveillance entity, the targeted people said on Saturday, and at least one attack appeared to have employed spyware from an Israeli company blacklisted by the United States.
The latest revelations add Uganda to the list of countries where journalists, human rights activists and lawyers have been targeted using the sophisticated Israeli-made spyware, known as Pegasus.
The disclosure of the Apple warning notices to the three Ugandans came one day after reports that American diplomats in the East African nation also had their iPhones hacked with Pegasus.
Those diplomats were the first American government officials known to have been targeted by the Pegasus tool, which is designed to sneak into a user’s phone and give the invader access to its contents without being detected. Apple has said iPhones equipped with its latest software are not at risk.
Last month, the United States blacklisted the NSO Group, the Israeli company that created Pegasus, after saying its tools were used to target government officials, dissidents and journalists worldwide. The blacklisting has created a source of tension between the United States and Israel, a staunch American ally.
NSO has said that it had no awareness of these attacks, adding in a statement that the company was “committed to human rights and the protection of the national security and safety of the U.S. and its allies.”
The State Department would not confirm the breaches of American diplomats’ phones in Uganda, but said the U.S. government took measures to protect sensitive information. “Like every large organization with a global presence, we closely monitor cybersecurity conditions, and are continuously updating our security posture to adapt to changing tactics by adversaries,” a department spokesman said in an emailed statement.
Raymond Mujuni, a Ugandan investigative journalist, said he had received an email from Apple on Nov. 23 warning that it believed he was “being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID.”
Canary Mugume, another reporter, said he received a similar communication two days later, telling him that “these attackers are likely targeting you individually because of who you are or what you do.” Norbert Mao, a Ugandan opposition leader and former presidential candidate, also confirmed he had received the same email from Apple.
Apple recommended that all three users upgrade their iPhones with the latest operating systems, saying the attacks were “ineffective against iOS 15 and later.” Mr. Mao said he “did that immediately.”
Apple also suggested they enlist “emergency security assistance” with the New York-based digital nonprofit group, Access Now. Mr. Mujuni said that he reached out to the group, which following an analysis, concluded that the Pegasus software had been used to compromise his phone.
It was not immediately clear who might have targeted the trio’s phones or if Mr. Mao’s and Mr. Mugume’s phones had been targeted using the Pegasus software. An Apple spokesman declined to comment.
Ofwono Opondo, the Ugandan government spokesman, and Okello Oryem, the state minister for foreign affairs, did not respond to multiple calls and messages seeking comment.
Peter Micek, the general counsel at Access Now, said he was not able to comment on particular cases but that the group’s helpline service had been “receiving more requests related to Pegasus in large part due to Apple sending notice about our services to those who may have been targeted.”
In July, a consortium of journalists published The Pegasus Project, which showed how dozens of countries had deployed the tool to muzzle dissent. The Pegasus tool allows users to remotely extract a phone’s contents, tap into the camera and microphone and access calls, location information, photographs and messages.
In Africa, countries listed in The Pegasus Project included Togo, where religious leaders and opposition leaders were targeted. Also on the list was Morocco, where activists who were targeted either fled the country or were imprisoned.
Other African countries, in which politicians, journalists, dissidents or military officials were hacked, included Rwanda, Burundi and South Africa. Among those targeted was Carine Kanimba, the daughter of Paul Rusesabagina, a vocal critic of President Paul Kagame of Rwanda, who is currently serving a 25-year prison term in Kigali, the capital. Mr. Kagame has repeatedly denied that Rwanda obtained or used the Israeli-made software.
In recent years, Uganda has tightened censorship and expanded its digital surveillance capabilities, particularly against opposition figures. President Yoweri Museveni, a key Western ally, has also cracked down on critics, with his government engaging in a campaign of arrests and disappearances following a contentious election in January.
Both Mr. Mujuni and Mr. Mugume, the journalists, have extensively reported on these clampdowns and the tensions that gripped Uganda before and after the vote.
In the weeks before being contacted by Apple about the hack, both said they had received phishing messages from a local Ugandan number asking them to participate in a sales deal or click on a link that would win them up to $1,000. Mr. Mugume said the analysis on his phone had showed there were unsuccessful attempts to access his location data using food-delivery or ride-hailing applications.
Since receiving the alert messages from Apple, Mr. Mujuni said he had been worried about whether any of his journalistic sources may have been compromised.
“It’s very concerning for me,” he said.
Katie Benner contributed reporting from Washington and Musinguzi Blanshe from Kampala, Uganda.