Pegasus spyware was used to hack the mobile phones of Spain’s prime minister and defence minister, the Madrid government said on Monday, in the first confirmed use of the espionage software against a serving head of government.
The phones of prime minister Pedro Sánchez and Margarita Robles, defence minister, were illicitly breached on three occasions last year and swaths of data exposed to illegal access, Félix Bolaños, a cabinet minister, told a news conference.
“There’s no doubt that this was an unlawful intervention made from outside the state without any judicial authorisation,” Bolaños said, adding that details of the incidents in May and June 2021 had been sent to Spain’s national court for investigation. He did not comment on where the attacks may have originated.
French president Emmanuel Macron changed his phone and number last year after media reports that he and 14 French government ministers had been targeted using Pegasus. Spain’s allegations, however, are the first time a government has confirmed use of the spyware against a national leader.
Pegasus was developed by Israel’s NSO Group as a cyber tool to be used by authorised governments to fight terrorism and crime. But its alleged use against opposition politicians, rights activists and others has been widely criticised by Amnesty International and other human rights groups.
The spyware, which is officially available only to government agencies, can breach mobile phones by taking advantage of undiscovered vulnerabilities in their operating systems and then, without the phone owner’s knowledge, harvest data on the device and transmit it to the attacker. It can also be used for real-time surveillance by activating microphones and cameras.
The disclosure that the phones of top Madrid government officials had been infected by Pegasus came as the regional government in Catalonia accused Spain’s National Intelligence Centre (CNI) of using the same spyware to hack the mobile phones of dozens of separatist politicians between 2017 and 2020.
According to Citizen Lab, a cyber security watchdog based at the University of Toronto, the phones of more than 60 people linked to Catalonia’s independence movement, including the current and three former regional presidents, were targeted using Pegasus and spyware developed by Candiru, another Israeli company.
Pere Aragonès, leader of Catalonia’s regional government, condemned the espionage against Sánchez and Robles on Monday, but accused the Madrid government of being slow to act on allegations of widespread spying on Catalan politicians and other independence supporters.
“I know what it feels like to be spied on, for your intimacy and political activity to be violated,” he said on Twitter. “But there is a clear double standard here.” Madrid was taking immediate action, while “mass surveillance against Catalan institutions has been met with silence and excuses”.
The NSO Group has said it practises a zero-tolerance policy on the use of its software against political targets. The EU has condemned the illicit use of Pegasus and promised legislation to tighten privacy rules. But it has said that the prosecution of specific cases is the responsibility of national authorities.
In February, the EU’s data agency recommended that the use of Pegasus be banned within the bloc. A European parliament committee last week began an inquiry into the alleged use of the spyware in countries including Spain, Hungary, Poland and Greece.
The NSO Group said in a statement that it would co-operate with the Spanish government’s investigations. It described any potential targeting of journalists, dissidents and politicians as “a severe misuse” of it’s technology.
“While we have not seen any information related to this alleged misuse and we are not familiar with the details of this specific case, NSO’s firm stance on these issues is that the use of cyber tools in order to monitor politicians, dissidents, activists and journalists goes against the desired use of such critical tools.”