Spyware was used against Catalan targets and UK prime minister and Foreign Office

News Analysis
Apr 19, 2022 | 8 mins
Advanced Persistent Threats, Malware

Researchers at the Citizen Lab say dozens of officials’ phones were compromised by spyware sold by NSO Group or Candiru.


Researchers at The Citizen Lab at the University of Toronto revealed two significant findings that further highlight the widespread use of Israeli mercenary spyware. First, the group released fresh rounds of forensic results uncovering the targeting of Catalans’ phones in Spain. Second, it discovered that spyware had infiltrated the Prime Minister’s Office and the Foreign and Commonwealth Office in the UK.

These revelations also appeared in conjunction with a lengthy investigation by journalist Ronan Farrow appearing in the New Yorker. Farrow’s research offers new details into the rise of the spyware industry, the troubles facing the spyware purveyors, the efforts by tech companies to circumscribe the highly sophisticated malware, and the Biden administration’s planned actions regarding this trend.

Effort to plant spyware spans broad spectrum in Catalonia

In what it calls CatalanGate, the Citizen Lab, in collaboration with Catalan civil society groups, identified at least 65 individuals across a broad spectrum of society in Catalonia who were targeted or infected with mercenary spyware in “an extremely well-informed and widespread effort to monitor Catalan political processes.” Sixty-three of these individuals were targeted or infected by NSO Group’s Pegasus spyware, while four were targeted by spyware made by an NSO rival, Israel’s Candiru. In addition, 51 victims were confirmed successfully infected with Pegasus via forensic tests on their phones.

Members of the European Parliament, Catalan presidents, legislators, jurists, members of civil society organizations, and some family members were targeted or infected with the spyware. Almost all the spyware incidents occurred between 2017 and 2020, although the Citizen Lab found an instance of targeting in 2015. Because Spain has a high prevalence of Android users over iOS, and the Citizen Lab’s forensic tools are much more developed for iOS, the organization believes that its report heavily undercounts the number of individuals likely targeted and infected with Pegasus.

Every Catalan Member of the European Parliament (MEP) that supported independence was targeted directly with Pegasus or via suspected relational targeting. Three were directly infected, and two more had staff, family members, or close associates targeted with Pegasus.

Multiple Catalan civil society organizations that support Catalan political independence were targeted with Pegasus, including Òmnium Cultural and Assemblea Nacional Catalana (ANC). Catalans working in the open-source and digital voting communities were also targeted. Moreover, lawyers representing prominent Catalans were targeted and infected with Pegasus, some extensively.

Techniques included a new zero-click exploit called Homage

The Catalan attackers infected Pegasus victims through at least two methods: zero-click exploits and malicious SMS messages. Zero-click exploits are challenging to defend against because they require no action from the victim.

The Citizen Lab discovered a new, previously undescribed exploit called Homage that appears to have been in use during the last months of 2019. Homage was fired on at least six dates in 2019 and 2020 and was not used against any device running a version of iOS later than 13.1.3. The Citizen Lab reported the exploit to Apple and said it has no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.

Another zero-click exploit deployed was KISMET, a zero-day used against iOS 13.5.1 and iOS 13.7 during the summer of 2020. Although the exploit was never captured and documented, it was seemingly fixed by changes introduced in iOS 14, including the BlastDoor framework, a new security system that Apple adopted in January 2021.

Strong nexus to the Spanish government

The SMS attacks involved operators sending convincing text messages containing malicious links to trick targets into clicking. For example, Jordi Baylina, the technology lead at popular decentralized Ethereum scaling platform Polygon, received a text message masquerading as a boarding pass link for a Swiss International Air Lines flight he had purchased, suggesting the attackers had access to Baylina’s passenger name record (PNR) or other information collected from the carrier.

The Citizen Lab’s analysis of Candiru’s spyware showed that Candiru was designed for extensive access to the victim device, such as extracting files and browser content and stealing messages saved in the encrypted Signal Messenger Desktop app. Three of the Candiru targets received a malicious phishing email in early February 2020 featuring the official emblem of the Government of Spain and reporting that the World Health Organization had declared COVID-19 to be a “public health emergency of international importance” in January. One of the Candiru targets received an email impersonating the Mobile World Congress (MWC) with a link to tickets.

Although the Citizen Lab is not conclusively attributing these hacking operations to a particular government, it says a range of circumstantial evidence points to a strong nexus with one or more entities within the Spanish government.

UAE, India, Cyprus and Jordan linked to the UK infections

Although the Citizen Lab primarily focuses on digital threats to civil society, it did find instances where governments use spyware to undertake international espionage against other governments. In 2020 and 2021, the organization observed, and notified the government of the United Kingdom of, multiple suspected instances of Pegasus spyware infections within official UK networks.

The UK instances include several affecting the Prime Minister’s Office (10 Downing Street) and the Foreign and Commonwealth Office (FCO, now the Foreign, Commonwealth and Development Office, or FCDO). The Citizen Lab discovered that phones connected to the Foreign Office were hacked using Pegasus on at least five occasions from July 2020 through June 2021.

The suspected infection at the UK Prime Minister’s Office was associated with a Pegasus operator linked to the UAE. The suspected infections relating to the FCO were associated with Pegasus operators that the Citizen Lab links to the UAE, India, Cyprus and Jordan.

In his report, Director of the Citizen Lab Ron Deibert said, “We believe that it is critically important that [UK government] efforts [related to cyber policy] are allowed to unfold free from the undue influence of spyware. Given that a UK-based lawyer involved in a lawsuit against NSO Group was hacked with Pegasus in 2019, we felt compelled to ensure that the UK Government was aware of the ongoing spyware threat, and took appropriate action to mitigate it.”

Almost all European governments use NSO tools

In addition to revealing new details and offering further color on both the Catalan and UK government mercenary spyware infections, Farrow’s New Yorker investigation offers other new nuggets related to the spyware industry. For example, Farrow began interviewing Shalev Hulio, NSO Group’s CEO, in 2019 and, since then, has had access to NSO Group’s staff, offices and technology.

The embattled spyware pioneer is countering numerous lawsuits, dealing with debt, fighting its corporate backers, and failing to sell its products to U.S. law enforcement. Last year, the U.S. Commerce Department added NSO Group and several other spyware makers to a list of entities blocked from purchasing technology from American companies without a license.

The company told Farrow that it had been “targeted by a number of politically motivated advocacy organizations, many with well-known anti-Israel biases,” and added that, “We have repeatedly cooperated with governmental investigations, where credible allegations merit, and have learned from each of these findings and reports and improved the safeguards in our technologies.”

The company also told Farrow regarding the UK infections, “Information raised in the inquiry indicates that these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

Hulio told Farrow, “Almost all governments in Europe are using our tools.” A former senior Israeli intelligence official said that “NSO has a monopoly in Europe. German, Polish, and Hungarian authorities have admitted to using Pegasus. Belgian law enforcement uses it, too, though it won’t admit it.”

Biden administration is launching a review

Although the New York Times has already reported that the CIA paid for Djibouti to acquire Pegasus to fight terrorism, Farrow reveals a previously unreported investigation by WhatsApp that states the technology was also used against members of Djibouti’s own government, including its Prime Minister, Abdoulkadar Kamil Mohamed, and its Minister of the Interior, Hassan Omar.

He also reveals that the Biden Administration is investigating additional targeting of U.S. officials. Last year, reports emerged that the iPhones of 11 people working for the U.S. government abroad, many of them at its embassy in Uganda, were hacked using Pegasus.

Furthermore, the administration has launched a review of the threats posed by foreign commercial hacking tools. In addition, the White House told Farrow that it is also looking into “a ban on U.S. government purchase or use of foreign commercial spyware that poses counterintelligence and security risks for the U.S. government or has been improperly used abroad.”