Security researchers from Citizen Lab have uncovered evidence that commercial spyware was used to hack into the mobile phones of Catalan politicians, lawyers, and their families.
Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with either Israeli firm NSO Group’s Pegasus, another commercial surveillance app called Candiru, or both.
Victims included members of the European Parliament, regional politicians, and members of civil society organizations. In some cases, family members were also affected.
Some instances of Pegasus infection arose from the deployment of a previously-undisclosed iOS zero-click vulnerability, according to Citizen Lab, which double checking its forensic methodology with Amnesty International’s Tech Lab.
“We saw evidence that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with Pegasus between 2017 and 2020,” security researchers at Citizen Lab reports.
Attempts were made to exploit the Homage (reckoned to have been fixed by iOS 13.2) and later Kismet iMessage zero-click exploit, a zero-day in the summer of 2020 against iOS 13.5.1 and iOS 13.7.
“Though the exploit was never captured and documented, it was apparently fixed by changes introduced into iOS14, including the BlastDoor framework,” according to Citizen Lab.
Citizen Lab previously confirmed that multiple Catalans were among those targeted with Pegasus through the 2019 WhatsApp attack, which relied on the (now patched) CVE-2019-3568 vulnerability.
The attempted hacking of mobile phones in Catalonia was carried out using targeted phishing messages posing as messages from the Spanish government, parcel companies, and sometimes NGOs or voting technology providers.
The messages were sent around the time of the hugely contentious Catalan independence vote of 2017 up until 2020.
Many victims were targeted using malicious SMS messages, while Windows computers were also targeted using the Candiru spyware.
Trail of destruction
Only four individuals were targeted with Candiru, leading to one confirmed infection. Pegasus was the far more prolific threat, infecting at least two of the Candiru targets.
The total number of Pegasus targets was 63. A total of 51 were successfully infected, many suffering infection multiple times. Citizen Labs’ forensic work focused on iOS devices, far less preferred than their Android equivalents in Spain.
“Because our forensic tools for detecting Pegasus are much more developed for iOS devices, we believe that this report heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices,” Citizen Lab concludes.
The Daily Swig asked Citizen Lab to offer an estimate of the number of individuals potentially targeted in the campaign, among other questions. No word as yet but we’ll update this story as and when more information comes to hand.
Although there’s no smoking gun, the strong suspicion of Citizen Lab researchers is that the attacks were orchestrated by the Spanish state as part of a covert campaign against separatists.
“The Citizen Lab is not conclusively attributing the operations to a specific entity, but strong circumstantial evidence suggests a nexus with Spanish authorities,” the researchers conclude.
Trojan horse flies abroad
Pegasus is sold to governments and marketed as a lawful surveillance tool to be deployed only in the investigation of terrorism or organized crime. Citizen Lab alleges that the technology is not infrequently abused to spy on opposition politicians, activists, and journalists.
Citizen Lab exposed an attack against UAE-based human rights activist Ahmed Mansoor using Pegasus that leveraged three zero-day iPhone exploits back in 2016. Security sleuths at the la la great Canadian institution have been actively tracking the technology ever since.
The spyware is designed to record calls, text messages, passwords or device locations made after covertly planting a backdoor on a compromised device. The surveillance tool was notoriously used by Saudi Arabia to spy on dissident journalist Jamal Khashoggi prior to his October 2018 assassination within the Saudi consulate in Istanbul.
The technology is used around the world, most frequently in the Middle East and Africa, but evidence of Pegasus usage has tracked back to targets in Mexico, Poland, as well as senior European Commission officials.
Confirmed victim David Bonvehí, a lawyer and member of the Catalan parliament, said in English on Twitter: “I am one of the 65 pro-independence politicians, lawyers, and journalists spied on with #Pegasus, a spyware that can only be acquired by states. #CatalanGate is the biggest technological political espionage case ever discovered.”