Spyware use on separatists in Spain ‘extensive,’ cybersecurity group says
MADRID — The phones of dozens of pro-independence supporters in Spain’s northeastern Catalonia, including the regional chief and other elected officials, were hacked with controversial spyware available only to governments, a cybersecurity rights nonprofit said Monday.
Citizens Lab, a research group affiliated with the University of Toronto, said that a large-scale investigation it had conducted in collaboration with Catalan civil society groups found that at least 65 individuals were targeted or infected with what it calls “mercenary spyware” sold by two Israeli companies, NSO Group and Candiru.
Catalonia’s efforts to separate from Spain have long been a thorn in the side of Spanish governments.
NSO’s Pegasus has been used around the world to break into the phones and computers of human rights activists, journalists, and even members of the Catholic clergy. The firm has been subject to export limits by the U.S. federal government, which has accused NSO of conducting “transnational repression.” NSO has also been brought to court by major technology companies.
Citizens Lab said its investigations into the use in Spain of Pegasus and spyware developed by Candiru — another Israeli firm founded by former NSO employees — started in mid-2020 after a handful of cases also targeting high-profile Catalan pro-independence individuals were revealed.
The group said that it could not find conclusive evidence to attribute the hacking to a specific entity.
“However, a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government,” Citizens Lab said on its website.
Spain’s Interior Ministry said that no ministry department, nor the National Police or the Civil Guard law enforcement bodies “have ever had any relation with NSO and have therefore never contracted any of its services.”
The ministry’s statement said that in Spain, “All intervention of communications are conducted under judicial order and in full respect of legality.”
Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously controls the smartphone’s microphones and cameras. Researchers have found several examples of NSO Group tools using so-called “zero-click” exploits that infect targeted mobile phones without any user interaction.
Citizens Lab said that signs of a “zero-click” exploit not previously identified were found in infected devices of Catalans running on an older operating system at the end of 2019 and early 2020.
Among the targeted individuals were at least three European lawmakers representing Catalan separatist parties, members of two prominent pro-independence civil society groups, their lawyers and elected officials at various levels, including three former regional presidents, including Quim Torra while he was holding office.
Current Catalan President Pere Aragonès, whose phone was also infected according to Citizens Lab while he served as deputy of Torra in the 2018-2020 administration, said that “the operation of massive espionage against Catalan independentism is an unjustifiable shame, an attack on fundamental rights and democracy.”
Aragonès said in a series of tweets that because the software can only be acquired by state entities, the Spanish government must offer explanations.
“No excuses are valid,” he wrote. “To spy on representatives of citizens, lawyers or activists of civil rights is a red line.”
Spain’s Ministry of Defense, which oversees the country’s armed forces and intelligence services, and the prime minister’s office didn’t immediately respond to questions from The Associated Press.
Gloss