2 Sources
[1]
Possible iPhone spyware campaign inside U.S. discovered by researchers
Why it matters: iPhones tied to people in an EU member state's government, U.S. political campaign, media organizations and an AI company could have all been targeted as part of this operation, according to the report from mobile research company iVerify.
Zoom in: iVerify released a report indicating that the hackers may have targeted six iPhones through the "Nickname" feature in iOS, which sends a notification whenever someone's iCloud photo or name changes.
Yes, but: Apple has fixed the flaw -- which was present in iOS versions through 18.1.1 -- but disputes that it was ever used to hack devices.
The intrigue: iVerify has not identified who was behind the activity. But the known potential targets had previously been surveilled or hacked by Chinese state-linked groups, Cole said.
What to watch: iVerify is sharing its findings publicly after consulting with several large tech firms and four EU government entities, and the company hopes their findings will encourage more security researchers to investigate the campaign further.
The bottom line: iVerify recommends that high-risk users keep their phones updated and turn on Apple's Lockdown Mode, which is designed to guard against spyware. Cole said that it's likely that Lockdown Mode could have prevented these potential infections.
[2]
Harris-Walz campaign may have been targeted by iPhone hackers, cybersecurity firm says
One of the few companies to specialize in iPhone cybersecurity said in a report Thursday that it has uncovered evidence in a handful of mobile phones of a potential hacking campaign targeting five high-profile Americans in media, artificial intelligence and politics, including former members of Kamala Harris' presidential campaign. The preliminary research, conducted by the cybersecurity firm iVerify, includes a "significant amount of circumstantial evidence," iVerify CEO Rocky Cole said. Apple, the maker of the iPhone, refuted the findings. But Cole said the report was worth publishing for use by the cybersecurity research community. Apple's reputation is sterling among security professionals, and if it is confirmed a hack occurred, it would be a significant development in the cybersecurity industry. IVerify has not identified who may be behind the potential hacking operation, but believes the targets and technical sophistication suggest a capable spy agency may have been involved. Two people familiar with the investigation told NBC News that former members of the Harris-Walz campaign were some of the people iVerify believes were targeted. It's not clear what initially set off the investigation. IVerify said that in addition to the Americans who were targeted, a European government official's iPhone had indications of remote tampering. It appears that last year, a hacker remotely and secretly installed a type of invasive, malicious program known as spyware to snoop on those users without their knowledge, iVerify said. Out of nearly 50,000 phones that iVerify analyzed, it found only six -- all belonging to high-profile people who would be potential targets for an espionage campaign -- that showed evidence of exploitation.
Apple disputed iVerify's conclusion that its evidence is a strong indication that iPhones were hacked. "We've thoroughly analyzed the information provided by iVerify, and strongly disagree with the claims of a targeted attack against our users. Based on field data from our devices, this report points to a conventional software bug that we identified and fixed in iOS 18.3," Ivan Krstić, the head of Apple Security Engineering and Architecture, said in an emailed statement. Apple is "not currently aware of any credible indication that the bug points to an exploitation attempt or active attack," Krstić said. IVerify CEO Rocky Cole responded in a statement: "In light of the recent public conversation around mobile security, there is ample evidence in the report worth sharing with the research community. We've never claimed there is a smoking gun here, only a significant amount of circumstantial evidence." iVerify's report makes it clear it did not directly catch malicious software that took over phones. Instead, its researchers found evidence that it had been installed, then deleted. The phones suspected of being hacked displayed suspicious activity in crash logs, the records a computer or a smartphone automatically writes when the operating system encounters an error or a program fails. That indicates tampering, the company said. "We identified exceedingly rare crash logs that appeared exclusively on devices belonging to high-risk individuals including government officials, political campaign staff, journalists, and tech executives," the report says. "At least one affected European Union government official received an Apple Threat Notification approximately thirty days after we observed this crash on their device, and forensic examination of another device revealed signs of successful exploitation." 
Andrew Hoog, a co-founder of the mobile phone security company NowSecure, told NBC News that he found iVerify's "analysis and conclusions credible and consistent with what we've observed over nearly a decade of mobile zero-click attacks." If a spyware campaign has been taking over high-profile Americans' phones, it would be a major escalation in the back-and-forth between cyberspies and the security engineers who try to stop them. The iPhone's cybersecurity is widely revered, and cybersecurity experts largely view iPhones as some of the most secure devices that are commercially available. Apple routinely updates its operating system to fix flaws that hackers use to break in. But it has also designed the iPhone operating system to share very little information with cybersecurity researchers, far less than most other operating systems. iVerify's claim comes in the context of other allegations that cyberspies snooped on the 2024 presidential campaigns, including the United States' accusing China of listening to both parties' presidential campaigns' phone calls and Iran of hacking Trump campaign emails and sending stolen information to Biden campaign officials. The Biden administration's Justice Department charged three Iranians in connection with the operation in September. Researchers have for years tracked governments' use of spyware to spy on journalists and activists in other countries. Politicians in France and Spain have been targeted by spyware, prompting national scandals. IVerify's report is the first major public claim of spyware's successfully breaking into iPhones tied to American phone numbers and high-profile Americans. There is precedent for cyberspies' targeting major political campaigns. Last year, Microsoft, Google and several federal agencies said Chinese intelligence had hacked several major telecommunications companies, including AT&T and Verizon, and used that access to specifically spy on both the Trump and Harris campaigns' conversations. 
The White House did not respond to a request for comment. The Trump campaign did not hire iVerify, so it does not have data from it to analyze. Sources who confirmed that members of the Harris-Walz campaign were among those whom iVerify has investigated as targets of the campaign did not identify those people. iVerify also discovered a potential way hackers could have gotten in: a vulnerability in iMessage, the chat app that comes preloaded in Apple phones, that appears to be a zero-click vulnerability, meaning a hacker could exploit it without the user's even knowing. Apple has since patched the vulnerability. Spyware can give remote hackers remarkable insight into their victims' personal messages and accounts. While confirmed instances are rare, it is the only proven tactic for hackers to reliably bypass the major privacy protections available for commercial phones, like the encrypted messaging app Signal. A hacker who successfully deploys spyware on politicians' phones, for instance, could read all their Signal chats, track their browsing histories, listen to their phone calls and even turn the phones into covert listening devices to spy on conversations while they are in the targets' pockets. By giving a hacker remote access to a phone, spyware goes beyond even the Salt Typhoon espionage campaign, in which the United States accused China last year of hacking AT&T and Verizon to intercept phone calls and text messages as they traveled from one person to another -- including targeting the messages of both the Trump-Vance and Harris-Walz campaigns. The most commonly identified spyware in such cases is designed by the Israeli company NSO Group, which is sanctioned by the United States and has long claimed its products cannot be used to hack phones with American numbers. An NSO Group spokesperson told NBC News it was not involved in the incidents iVerify's research identified.
American diplomats and embassy workers abroad have also been infected with NSO spyware, according to the Biden White House, but evidence that such technology had targeted a U.S. presidential campaign or other high-profile Americans in the United States has never been previously reported. "I think it illustrates that mobile compromise is real, not academic or hypothetical, and it's happening here in the United States in a systematic way," said Cole, iVerify's CEO. He declined to specify the identities of the five people whose phones exhibited signs of having been targeted with spyware, except to say that they are all Americans who work in politics, media and artificial intelligence and that all would be of interest to a foreign intelligence service. The fact that sophisticated phone spyware is becoming the most reliable way to read a person's otherwise secure messages makes it an obvious tactic for spy agencies, despite its technical difficulty, said Patrick Arvidson, a National Security Agency veteran who worked on mobile phone security at the agency, who viewed iVerify's report before it was published. "I think that you're going to see in the coming year, two years, three years, more and more of these kinds of mass-scale incidents," he said.
A cybersecurity firm has uncovered evidence of a possible spyware campaign targeting iPhones of high-profile individuals in the U.S., including political campaign members, media organizations, and an AI company executive.
Cybersecurity firm iVerify has released a report detailing evidence of a possible spyware campaign targeting high-profile individuals in the United States. The campaign allegedly focused on iPhones belonging to people in an EU member state's government, U.S. political campaigns, media organizations, and an AI company [1].
Source: Axios
According to iVerify's analysis, out of nearly 50,000 phones examined, only six devices showed signs of exploitation. These devices belonged to individuals who would be potential targets for an espionage campaign. Notably, former members of the Harris-Walz presidential campaign were among those believed to be targeted [2].
The potential hack exploited the "Nickname" feature in iOS, which sends notifications when someone's iCloud photo or name changes. iVerify's report indicates that the hackers may have remotely and secretly installed spyware on the targeted devices last year [1].
Evidence of tampering was found in crash logs, which are automatically generated when a smartphone encounters an error or a program fails. iVerify CEO Rocky Cole stated, "We identified exceedingly rare crash logs that appeared exclusively on devices belonging to high-risk individuals" [2].
Apple has disputed iVerify's conclusions, stating that their analysis points to a conventional software bug that has been identified and fixed in iOS 18.1. Ivan Krstić, head of Apple Security Engineering and Architecture, emphasized that they are "not currently aware of any credible indication that the bug points to an exploitation attempt or active attack" [2].
Source: NBC News
The potential discovery of a spyware campaign targeting high-profile Americans' phones would represent a significant escalation in the ongoing battle between cyberspies and security engineers. Andrew Hoog, co-founder of mobile phone security company NowSecure, found iVerify's "analysis and conclusions credible and consistent with what we've observed over nearly a decade of mobile zero-click attacks" [2].
This report comes in the context of previous allegations of cyberespionage targeting U.S. presidential campaigns. In 2024, the United States accused China of listening to both parties' presidential campaign phone calls, and Iran of hacking Trump campaign emails [2].
iVerify recommends that high-risk users keep their phones updated and enable Apple's Lockdown Mode, which is designed to guard against spyware. The company is sharing its findings publicly after consulting with several large tech firms and four EU government entities, hoping to encourage further investigation by the security research community [1].