It sounds impossible: a cell of nine spies finding their way into a US embassy undetected.

But that’s just what happened recently in Uganda.

These spies had the ability to follow US embassy employees around and could listen in on any conversation they had. Some of those conversations were unimportant but some may have been classified. That information could then be relayed back to a foreign government for espionage purposes.

The catch? The cell of spies was not a group of physically present humans in the building. It was the employees’ own cell phones.

SpyPhones

The attackers targeted and infiltrated employee iPhones without the victims’ knowledge, so the victims unwittingly carried the spies in their pockets, purses or briefcases into every area of the building where phones were allowed.

Email phishing was unlikely to have duped all nine employees (Image credit: Getty)

So how did the iPhones get hacked in the first place? That’s still up for debate, but given that a total of nine phones were infected, it’s unlikely that all nine victims fell for a traditional phishing attack with a malicious link.

What’s more plausible is that the attackers executed a zero-click attack, in which the attacker sends a silent message that requires no user action to trigger installation of the spyware.

It’s just another weapon in the arsenal of spyware attackers looking to exploit vulnerabilities in smartphones and other IoT devices.

NSO Group's Pegasus spyware

The NSO Group works with anti-terrorism government agencies (Image credit: NSO Group)

The attack is suspected to have been carried out using NSO Group’s Pegasus spyware, which has been at the center of several controversies in recent months.

In July 2021, allegations came to light that Pegasus had been planted on the phones of journalists, activists, aid workers, diplomats and more around the world. Some of the victims included Americans. The US Commerce Department has since blacklisted NSO Group, prohibiting US companies from doing business with them.

However, NSO initially denied that it was involved, and NSO might be right. NSO is only the most famous spyware company. There are dozens of others in Russia, China, Eastern Europe and North America. NSO has pioneered several spyware techniques, such as zero-click attacks, but once it demonstrates a new attack vector, other spyware companies rush to duplicate the same capability.

NSO charges millions of dollars per year for the use of its Pegasus technology, so some organizations feel safe because they don’t think spying on their team is worth NSO’s prices. However, other spyware companies charge much less. You can purchase spyware designed to spy on wayward spouses for $200, and it can just as easily be turned to industrial espionage. So no organization, big or small, is safe from smartphone spyware.

As a result, the threats against smartphones need to be taken more seriously than ever before. These are no longer hypothetical situations; these are proven, successful attacks that will no doubt be carried out again in the future.

A lesson to learn

With most workers entering the workplace with a smartphone each day, the risk of an attack similar to the one carried out at the Ugandan embassy increases. As a result, security teams must factor these emerging smartphone threats into their security plans.

While simply banning smartphones isn’t likely, given how necessary and important they have become in our daily lives, phone-free zones should be mandatory, especially in meeting rooms where sensitive information is discussed. It is not enough to demand that phones simply be turned off, as spyware allows intruders to turn phones back on remotely.

Further, as part of their security posture, security teams should use technology that provides the visibility needed to detect smartphones and other potentially vulnerable IoT devices entering a building without authorization, and to ensure those devices are not taking part in any nefarious activity.

Fail to do so, and you might as well invite an actual cell of spies right into your organization.

Chris Risley is CEO at Bastille Networks.