INTRODUCTION
At least 63 people were targeted or infected with Pegasus, and four others with Candiru. At least two were targeted or infected with both.
Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organizations. Family members were also infected in some cases.
We identified evidence of HOMAGE, a previously undisclosed iOS zero-click vulnerability used by NSO Group that was effective against some iOS versions prior to 13.2.
The Citizen Lab is not conclusively attributing the operations to a specific entity, but strong circumstantial evidence suggests a nexus with Spanish authorities.
We shared a selection of Pegasus cases with Amnesty International’s Tech Lab, which independently validated our forensic methodology.
FINDING
Catalans Targeted with Pegasus
With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.
Almost all the incidents occurred between 2017 and 2020, although we found an instance of targeting in 2015. All targets publicly named in this report consented to be identified as such.
In addition to the forensic confirmations, we identified additional cases of Catalans targeted by Pegasus infection attempts, but where we were unable to forensically validate an infection. This was due to multiple reasons, ranging from changed or discarded devices to the limitations of our forensic tooling.
Spain has a high Android prevalence over iOS (~80% Android in 2021). Anecdotally, this is somewhat reflected in the individuals we contacted. Because our forensic tools for detecting Pegasus are much more developed for iOS devices, we believe that this report heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices.
Target: Members of the European Parliament
Every Catalan Member of the European Parliament (MEP) who supported independence was targeted either directly with Pegasus or via suspected relational targeting. Three MEPs were directly infected; two more had staff, family members, or close associates targeted with Pegasus.
SMS-Based Targeting
Many victims were targeted using SMS-based attacks, and we have collected more than 200 such messages. These attacks involved operators sending text messages containing malicious links designed to trick targets into clicking. In this approach, once a victim clicks on a link, the device is infected via a Pegasus exploit server.
Sophistication and personalization of the messages varied across attempts, but they reflect an often-detailed understanding of the target’s habits, interests, activities, and concerns. In many cases, either the timing or the contents of the text were highly customized to the targets and indicated the likely use of other forms of surveillance.
Many messages masqueraded as Twitter or news updates, typically focused on topics of interest to the target.
News organizations impersonated included international outlets such as The Guardian, Financial Times, and Die Welt, English-language media like the Columbia Journalism Review, as well as regional media like La Vanguardia, Europa Press, El Temps, El Confidencial, and so on.
CONCLUSION
This report details extensive surveillance directed against Catalan civil society and government using mercenary spyware. According to NSO Group, Pegasus is sold exclusively to governments, and finding such an operation inevitably implicates a government. While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.
Call for an Investigation
The seriousness of the case clearly warrants an official inquiry to determine the responsible party, how the hacking was authorized, what legal framework governed the hacking and what judicial oversight applied, the true scale of the operation, the uses to which the hacked material was put, and how hacked data was handled, including to whom it may have been provided.
Posted by: @ESPYER.