Last week’s revelation that Ugandan security tried to hack phones of US embassy diplomats has created tensions in the diplomatic community as well as raised doubts about the safety of Uganda’s financial sector.
On December 21, the Financial Times reported that Ugandan security used Israeli spyware; Pegasus to hack into phones of 11 US embassy diplomats but the attempt failed after notifications were sent out by Apple, when the iPhone maker discovered and closed a flaw in its operating system in November.
The story highlighted that NSO always told its customers that US phone numbers are off-limits. In this case, however, the targets were using Ugandan numbers but the hack was foiled because they had Apple logins using their US state department emails.
As a result, the US authorities blacklisted NSO Group Technologies,
the Israeli Technology Company behind Pegasus, which supplied the spyware to Ugandan government.
DIPLOMATIC WORRY
Several diplomatic sources who preferred anonymity have told The Observer that they are reviewing their security systems in light of the development but could not speak freely due to the sensitivity of the matter.
“We know spying is part and parcel of the survival of governments but we are a bit surprised to the extent they [Uganda government] do it,” said a diplomatic source.
“
Who knows, our systems and phones could be already hacked and we will need some assurances [from Uganda] next time we have a meeting.”
In spite of the blacklist by the US, it remains unclear whether government is continuing to use the Pegasus spyware for other purposes.
MULTIBILLION DEAL
According to the Financial Times story, the deal to procure Pegasus spyware was allegedly brokered two years ago by Gen Muhoozi Kainerugaba, the first son and commander of the UPDF Land forces, and Shalev Hulio, the NSO chief executive.
At the time, Gen Muhoozi was the senior presidential adviser for Special Operations. The story further says Uganda paid between Shs 35bn and Shs 70bn for the spyware, which is also used by Rwanda and several Middle East governments.
KANDIHO LINK?
A senior government official who preferred anonymity said the blacklisting of NSO does not in any way affect its operations in Uganda.
“The US has the biggest spy network in the world and it is within our rights to also protect ourselves by identifying any suspicious information. We shall continue to use all means to protect the sovereignty of our country, even if it means hacking, because everyone does it.”
He further hinted that the US’ recent sanctioning of Maj Gen Abel Kandiho, the Chief of Military Intelligence (CMI), could be related to the hacking.
“He [Kandiho] is deployed to basically gather military intelligence and in this fast advancing tech and cyber world, you never take any chances on any reported threat, even if it means knowing what your friend is doing,” he said rhetorically.
Of late, the US has increased its influence in Ugandan politics and often meets leading opposition figures for high-level meetings. Meanwhile, questions are still raised what this latest development means for the US-Uganda ties after several key figures in government have been slapped with sanctions.
Kandiho joined Gen Kale Kayihura on the sanctions list whereas other military figures such as Lt Gen Peter Elwelu, Maj. Gen. James Birungi, Maj. Gen. Don William Nabasa, Maj. Gen. Steven Sabiiti Muzeyi, AIGP Frank Mwesigwa, and Col. Chris Serunjogi Ddamulira are on the US watch list.
FINANCIAL INDUSTRY CONCERN
Meanwhile, the blacklisting of NSO has raised fresh concerns in the Ugandan financial sector, which greatly depends on Pegasus technology for financial and billing solutions for companies. These include banks, telecoms and utilities.
However, an industry expert has allayed fears that the Pegasus spyware used in hacking is different from Pegasus technology.
“There is no need to worry because these are two different entities and operate differently,” said a Finance ministry official who preferred anonymity.
However, some are worried about their privacy.
“If the parent company is involved in spying, you cannot assure me that the localised one is not involved,” said a telecom official who preferred not to be named.
This fear stems from the night of October 3, 2020, when unidentified hackers broke into the mobile money systems of Pegasus Technologies and made off with about Shs 20bn within just a few hours. The affected included Stanbic bank, Airtel and MTN Uganda, among others.
In a joint statement by the firms, they noted that Pegasus Technologies experienced a system incident which impacted bank to mobile money transactions. Alvin Mugerwa, a Stanbic bank employee, was charged for the hacking and the case is still in court.
In October, 2021, Pegasus Technologies Limited, which identifies itself as an indigenous Ugandan company, received a license from the Bank of Uganda to operate as a Payment Service Operator (PSO). Efforts to reach out to Ronald Azairwe, the Pegasus Technologies managing director, were futile.
The Observer