MADRID – The phones of dozens of pro-independence supporters in northeastern Catalonia, including the regional leader and other elected officials, have been hacked with controversial spyware available only to governments, a rights group said Monday. matters of cybersecurity.
Citizen Lab, a research group affiliated with the University of Toronto, said a large-scale investigation it conducted in conjunction with Catalan civil society groups found that at least 65 people were targeted or that their devices were infected with what he calls “mercenary spyware” being sold. by two Israeli companies, NSO Group and Candiru.
NSO said the claim “could not be linked to NSO products”. Candiru could not be reached for comment by The Associated Press.
Almost all of the incidents occurred between 2017 and 2020, when efforts to create an independent state in northeast Spain led to the country’s deepest political crisis in decades. The former Catalan cabinet that organized an illegal referendum on independence has been sacked. Most of its members have been imprisoned or fled the country, including former regional president Carles Puigdemont.
NSO’s Pegasus spyware has been used around the world to break into the phones and computers of human rights activists, journalists and even Catholic clergy. The firm was subject to export limits by the US federal government, which accused NSO of carrying out “transnational repression”. NSO has also been taken to court by major tech companies, including Apple and Meta, the owner of WhatsApp.
Citizen Lab said its investigations into Spain’s use of Pegasus and spyware developed by Candiru – another Israeli company founded by former NSO employees – began in late 2019 after a handful of cases targeting pro-independence Catalan figures have come to light. Amnesty International said its technical experts had independently verified the attacks.
The Toronto-based nonprofit said it could not find conclusive evidence to attribute the hacking of Catalan phones to a specific entity.
“However, a series of circumstantial evidence points to a close connection to one or more entities within the Spanish government,” Citizen Lab said.
The Spanish Interior Ministry said that no ministerial department, nor the National Police or the Civil Guard, “has ever had a relationship with the ONS and therefore has never contracted any of its services”. The ministry’s statement said that in Spain, “any communication intervention is carried out under judicial order and in full respect of legality.”
The prime minister’s office did not immediately respond to questions from AP. A spokeswoman for the Ministry of Defense, which oversees Spain’s armed forces and intelligence services, declined to say whether he had contracted the NSO or Candiru software.
“The Spanish government always acts in accordance with the law,” said the spokeswoman, who was not authorized to be named in the media.
Pegasus infiltrates phones to suck up personal and location data and also surreptitiously controls smartphone microphones and cameras, turning them into real-time surveillance devices. NSO Group’s most stealthy hacking software uses “zero click” exploits to infect targeted mobile phones without any user interaction.
NSO Group claimed it was being targeted by Citizen Lab and Amnesty International with “inaccurate and unsubstantiated reports” and “false” claims that “could not be linked to NSO products for technological and contractual reasons”.
“We have repeatedly cooperated with government investigations, where credible allegations warrant it,” an ONS spokesperson said in a statement.
Citizen Lab said signs of a previously unidentified zero-click exploit were found in Catalans’ infected devices in late 2019 and early 2020 before Apple updated its mobile operating system to fix the vulnerabilities. .
Among those targeted were at least three European lawmakers representing Catalan separatist parties, members of two prominent pro-independence civil society groups, their lawyers and various elected officials.
The revelations come as European Union lawmakers hold the first meeting of a committee on Tuesday to investigate breaches of EU law associated with the use of pirate spyware for pay.
Four former Catalan regional presidents, including Puigdemont and his successor Quim Torra while in office, were also the subject of direct or indirect espionage, the researchers said.
Current Catalan President Pere Aragonès, whose phone was infected, according to Citizen Lab, while he was deputy for Torra from 2018 to 2020, said that “massive espionage against the Catalan independence movement is an unjustifiable disgrace , an attack on fundamental rights and democracy”.
Since the software can only be acquired by state entities, the Spanish government must provide an explanation, Aragonès said in a series of tweets.
“No excuse is valid,” he wrote. “Spying on citizen representatives, lawyers or civil rights activists is a red line.”
In response to Amnesty International’s official request in 2020 for full disclosure of contracts with private digital surveillance companies, Spain’s Defense Ministry said the information was classified, the rights group said on Monday.
“The Spanish government needs to make it clear whether or not it is a client of the NSO Group,” said Likhita Banerji, researcher at Amnesty International. “He must also carry out a thorough and independent investigation into the use of the Pegasus spyware against the identified Catalans.”
In a separate report also published on Monday, Citizen Lab said it also found evidence in 2020 and 2021 that the UK Prime Minister’s office was infected with UAE-linked Pegasus spyware. He said he found suspicious infections in the UK Foreign Office linked to the United Arab Emirates, India, Cyprus and Jordan.
The group said it informed the UK government of the results.
Other countries where Citizen Lab and other public interest researchers have confirmed Pegasus infections in political dissidents and journalists critical of governments include Poland, Mexico, El Salvador and Hungary.
NSO Group says it only sells Pegasus to government agencies to target criminals and terrorists, but hundreds of cases have been documented of its use against human rights and other activists, lawyers, journalists and their relatives.
Frank Bajak in Boston and Jill Lawless in London contributed to this report.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.