(Bloomberg) -- Government hackers are likely using commercial spyware to breach phones belonging to US officials stationed around the world, the chairman of the House intelligence committee said on Wednesday.

Reports last year that attackers infiltrated the phones of US diplomats in Uganda using a kind of spyware known as Pegasus, developed by the Israeli vendor NSO Group, provide only a hint of the scale of the issue, said Representative Adam Schiff, the California Democrat and chairman of the House Permanent Select Committee on Intelligence.

“It is my belief that we are very likely looking at the tip of the iceberg, and that other US government personnel have had their devices compromised, whether by a nation-state using NSO’s services or tools offered by one of its lesser known but equally potent competitors,” Schiff said during a committee hearing on commercial surveillance technology, known as spyware.

The Biden administration has begun to address the use of commercial spyware tools following a series of revelations by activists and media organizations. The most sophisticated spyware, such as Pegasus, can access a victim’s messages, camera and microphone without the victim clicking on a single link.

In one case, a victim was simultaneously targeted by two programs – Pegasus and another hacking tool called Predator, made by the Israeli company, Cytrox Ltd., said John Scott-Railton, senior researcher at Citizen Lab, an internet watchdog group at the University of Toronto.

“I see the threat from proliferation as inevitable,” Scott-Railton told the committee, warning the technology could spread beyond nation-state purchasers to non-state actors and even to ransomware. “It’s totally out of control.”

Carine Kanimba, a US citizen who said her father was lured from his home in San Antonio, Texas, before being abducted in Dubai and imprisoned in Rwanda, told the committee her phone had been targeted by NSO’s Pegasus spyware. Her father, Paul Rusesabagina, whose actions during the 1994 Rwandan genocide to save people inspired the movie “Hotel Rwanda,” had spoken out against human rights abuses in Rwanda.

An NSO Group spokesperson said customers can’t target US numbers and its software cannot be operated on US soil except by a US agency. It said it terminates contracts when illegal use is found. The company didn’t directly respond to series of questions from Bloomberg about Wednesday’s testimony.

Shane Huntley, director of a security team at Alphabet Inc.’s Google, told the committee his group had found 30 spyware tools in recent years.

Spyware vendors are increasingly selling their tools to authoritarian governments, according to written testimony that Microsoft Corp. submitted to the committee. In one case, Microsoft said, it disrupted the use of a tool that hackers used to breach law firms, banks and consultancy firms in Austria, the UK and Panama. The expanding industry is worth more than $12 billion, according to Microsoft’s testimony.

“For there to be real change, the United States will need to help advance global norms on surveillance software and the protection of human rights and privacy,” Microsoft said in its testimony.  

The US should add more spyware groups to the entity list and regulate the use of spyware sold by “cyber mercenaries,” the company said.  

The hearing came amid growing scrutiny on the spyware industry. 

Meta Platforms Inc.-owned WhatsApp has filed a lawsuit against NSO Group, accusing the company of aiding hackers who breached WhatsApp users. 

The US Department of Commerce’s move in November to block four companies, including NSO Group, from accessing US technology by adding them to a so-called Entity List, hasn’t prevented spyware sales, said Schiff. Representative Mike Turner, the Ohio Republican on the House intelligence committee, said the US needed to put a greater emphasis on the threat, which he described as exceptionally hard to track and combat. 

The National Security Council didn’t immediately respond to a request for comment.

©2022 Bloomberg L.P.