Catalan Politicians and Activists Were Targets of Israeli Spyware

At least 65 Catalan political figures and activists have been targeted in a mercenary spyware campaign, according to researchers at Citizen Lab. The Toronto-based organization said that it found Pegasus and Candiru spyware on the victims’ devices. In some cases, they found evidence of spyware on the devices of a primary target’s spouses, parents, siblings, staff, or close associates.

Citizen Lab also believes that the number of targeted individuals is probably much higher. Spain’s smartphone market is dominated by Android (above 80%). Citizen Lab’s forensic tools for detecting Pegasus are far more advanced for iOS devices.

So far, Citizen Lab has not managed to conclusively attribute the campaign to any entity. However, the organization said, based on a variety of circumstantial evidence, that entities within the Spanish government could be responsible.

What is Pegasus Spyware?

Pegasus is a zero-click exploit developed by the NSO Group, an Israeli company. Usually, when a hacker wants to infect a device, they trick the victim into clicking on a malicious link or attachment. However, in a zero-click exploit, the cybercriminal can compromise the target’s device without any action on the part of the victim. For this, hackers take advantage of inherent security flaws in devices before they are patched.

Once a device is infected, Pegasus gives its operator near-total access to the contents of the device, like call data, messages, photos, videos, etc. The operator can also turn on the victim’s microphone and camera at will. This way, they can carry out real-time surveillance of their targets.

To ensure that their spyware does not fall into the wrong hands, the NSO group claims it only sells Pegasus to recognized and vetted entities within national governments. However, both Pegasus and the NSO Group have come under immense scrutiny since last year, when it was discovered that many national governments were using the spyware to target political opponents and activists. Since that story broke, there have been consistent reports of the misuse of Pegasus by governments around the world. Most recently, a report stated that high-ranking members of the EU Commission were also the target of Pegasus spyware attacks.

Targeting of Catalonia Separatists

The targeting of Catalan political figures and activists fits into what appears to be a pattern of Pegasus misuse by other governments. Catalonia is an autonomous region in northeastern Spain. As detailed in Citizen Lab’s report, Catalan leaders have locked horns with the Spanish government for independence for several decades.

Citizen Lab’s investigation revealed that 63 individuals had evidence of Pegasus on their devices. Furthermore, four others had Candiru spyware, and at least two devices had evidence of both. The victims included senior officials in government and related organizations. Citizen Lab said they were “members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organizations.”

Possible Role of the Spanish Government

Citizen Lab said that some circumstantial evidence indicates that “one or more entities within the Spanish government” played a role in the spyware attacks. However, it is unable to conclusively attribute the campaign to any entity yet.

Here are some of the reasons why the organization suspects the Spanish Government:

• “The targets were of obvious interest to the Spanish government
• The specific timing of the targeting matches events of specific interest to the Spanish government
• The use of bait content in SMSes suggests access to target’s personal information, such as Spanish governmental ID numbers
• Spain’s CNI has reportedly been an NSO Group Customer, and Spain’s Ministry of Interior reportedly possesses an unnamed but similar capability.”

Furthermore, Citizen Lab believes it is unlikely that a Pegasus operator outside of Spain would carry out such an extensive campaign within the country.