Pegasus, NSO Group's spyware used to hack iPhones, has been caught up in another spying scandal, with the surveillance tool used against devices owned by civil society and political figures in Catalonia, Spain.
NSO Group, who made Pegasus and sold it to law enforcement agencies and governments.
Following a 2020 report claiming senior Catalonian politician Roger Torrent and pro-independence supporters were targeted by "government-grade spyware" via WhatsApp, Citizen Lab launched an investigation into wider spyware use against officials and people of interest in the region. On Monday, the investigation revealed evidence that another tool was used: Pegasus.
At least 63 people were targeted or were infected by Pegasus, the report claims, while four others were targeted by Candiru spyware, and two were targets of both tools. The list of victims included Catalan presidents, legislators, members of civil society organizations, members of the European Parliament, and family members.
While Citizen Lab doesn't directly attribute blame for the attacks, it does say there's extensive circumstantial evidence pointing in the direction of the Spanish government.
As one of the wealthiest autonomous regions of Spain, Catalonia has a long history of attempting to grow its autonomy, typically opposed by the Spanish government. This was especially evident in 2017 during an independence referendum that was deemed illegal by the Spanish Constitutional Court, with police allegedly turning away voters and supposedly using excessive force.
Shortly after the vote was approved by the Catalan Parliament, the Spanish government dissolved that parliament and scheduled new elections. Since then, participants in the referendum were sent to prison, and Spain continues to fight the independence movement.
The investigation determined that of 63 targets, 51 were found to have forensically-confirmed infections. However, since Spain has a high prevalence for Android over iOS, and that forensic tools used by investigators are more developed for iOS, the report believes it "heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices."
Several instances of "off-center" targeting were spotted, where family members, close members of staff, and other individuals connected to a person of interest were infected, enabling data collection about the subject without necessarily maintaining a connection.
All Catalan Members of the European Parliament that supported independence were targeted, either directly or off-center, including three direct infections of MEPs and two off-center attacks.
Other identified targets include civil societies that supported political independence, such as Assemblea Nacional Catalana, Omnium Cultural, and lawyers representing prominent Catalans.
"Homage" and evidence
In terms of how Pegasus worked, zero-click iMessage exploits were attempted between 2017 and 2020, a pretty common technique. However, in late 2019, a zero-click exploit was discovered, which has been called "Homage."
Homage involved an iMessage zero-click component launching a WebKit instance, after performing a lookup for a Pegasus email address. JavaScript scaffolding was fetched by the WebKit instance, which then fetched the exploit itself.
The scaffolding could even determine the model of iPhone by comparing screen resolutions for possible matches, whether "display zoom" mode is engaged, and the time it took to encrypt a buffer.
It appeared that domains linked to the exploits were controlled by a single Pegasus customer, indicating that it was all performed by one entity. Spain's Centro Nacional de Inteligencia (CNI) was reportedly a customer of NSO Group, with the country's Ministry of Interior potentially able to perform the same attacks.
Other circumstantial evidence includes the timing of targeting that appeared to be of interest to the Spanish government, the content of bait text messages inferred access to personal information like official ID numbers, and the targets being of "obvious interest to the Spanish government."
Citizen Lab believes the seriousness of the case "clearly warrants an official inquiry to determine the responsible party, how the hacking was authorized," the legal framework, the scale of the operation, and what hacked data was used for. It also viewed the case as notable "because of the unrestrained nature of the hacking activities."
The report into Catalan attacks using Pegasus arrive a week after it was determined senior European Commission officials were targeted by attackers in 2021, using the same tools to try and gain access to smartphones.