Senior officials in the European Union were allegedly targeted with NSO Group's infamous Pegasus surveillance tool, according to a new report from Reuters.
At least five individuals, including European Justice Commissioner Didier Reynders, are said to have been singled out in total, the news agency said, citing documents and two unnamed E.U. officials. However, it's not clear who used the commercial spyware against them or what information was obtained following the attacks.
NSO Group said in a statement shared with Reuters that it was not responsible for the hacking attempts, adding that the targeting "could not have happened with NSO's tools."
The intrusions are said to have come to light after Apple notified the victims of state-sponsored attacks last November as part of its efforts to stop the Israeli surveillance firm from targeting its customers.
That same month, the iPhone maker filed a lawsuit against NSO Group, seeking a court-issued injunction aimed at banning the company from using its products and services to develop and launch spyware attacks.
Apple called NSO Group as "notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse."
Pegasus, typically deployed through sophisticated "zero-click" exploits like FORCEDENTRY, grants its government and law enforcement customers complete access to a target's device, including their personal data, photos, messages, and precise location.
The widespread abuse of Pegasus to systematically spy on civil society in recent years has led the U.S. government to add NSO Group to its trade blocklist, in turn prompting Israel to restrict the number of countries to which local security firms can sell offensive hacking and surveillance tools.
In February 2022, the European Data Protection Supervisor called for a ban on the development and the use of Pegasus-like commercial spyware in the region, pointing out the technology's "unprecedented level of intrusiveness" that could endanger users' right to privacy.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
But despite attempts to regulate the use of spyware, a forensic investigation released by Front Line Defenders last week found that the iPhone belonging to Suhair Jaradat, a Jordanian journalist and human rights defender, was hacked with Pegasus via a malicious WhatsApp message in December 2021, weeks after Apple initiated legal proceedings.
"The fact that the targeting we uncovered happened after the widespread publicity around Apple's lawsuit and notifications to victims is especially remarkable," the report said.
"A firm that truly respected such concerns would have at least paused operations for government clients, like Jordan, that have a widely publicized track record of human rights concerns and had enacted emergency powers giving authorities widespread latitude to infringe on civil liberties."