The phones of dozens of pro-independence supporters in Spain’s northeastern Catalonia, including the regional chief and other elected officials, were hacked with controversial spyware available only to governments, a cybersecurity rights group said Monday.
Citizen Lab, a research group affiliated with the University of Toronto, said a large-scale investigation it had conducted in collaboration with Catalan civil society groups found that at least 65 individuals were targeted or their devices infected with what it calls “mercenary spyware” sold by two Israeli companies, NSO Group and Candiru.
NSO said the allegation “could not be related to NSO products.” Candiru couldn’t be reached for comment by the Associated Press.
Almost all of the incidents occurred between 2017 and 2020, when efforts to carve out an independent state in northeastern Spain led to the country’s deepest political crisis in decades. The former Catalan Cabinet that pushed ahead with an illegal referendum on independence was sacked. Most of its members were imprisoned or fled the country, including onetime regional president Carles Puigdemont.
NSO’s Pegasus spyware has been used around the world to break into the phones and computers of human rights activists, journalists and even Catholic clergy. The firm has been subject to export limits by the U.S. federal government, which has accused NSO of conducting “transnational repression.” NSO has also been brought to court by major technology companies, including Apple and Meta, the owner of WhatsApp.
Citizen Lab said its investigations into the use in Spain of Pegasus and spyware developed by Candiru — another Israeli firm founded by former NSO employees — started in late 2019 after a handful of cases targeting high-profile Catalan pro-independence individuals were revealed. Amnesty International said its technical experts had independently verified the attacks.
The Toronto-based nonprofit said it could not find conclusive evidence to attribute the hacking of Catalan phones to a specific entity.
“However, a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government,” Citizen Lab said.
Spain’s Interior Ministry said no ministry department, nor the National Police or the Civil Guard, “have ever had any relation with NSO and have therefore never contracted any of its services.” The ministry’s statement said that, in Spain, “all intervention of communications are conducted under judicial order and in full respect of legality.”
The prime minister’s office didn’t immediately respond to questions from AP. A spokeswoman with Ministry of Defense, which oversees Spain’s armed forces and intelligence services, declined to clarify if it had contracted NSO or Candiru software.
“The government of Spain always acts according to the law,” said the spokeswoman, who wasn’t authorized to be named in the media.
Pegasus infiltrates phones to vacuum up personal and location data and also surreptitiously controls the smartphone’s microphones and cameras, turning them into real-time surveillance devices. NSO Group’s stealthiest hacking software uses “zero-click” exploits to infect targeted mobile phones without any user interaction.
NSO Group claimed it was being targeted by Citizen Lab and Amnesty International with “inaccurate and unsubstantiated reports” and “false” allegations that “could not be related to NSO products for technological and contractual reasons.”
“We have repeatedly cooperated with governmental investigations, where credible allegations merit,” an NSO spokesperson said in a statement.
Citizen Lab said signs of a “zero-click” exploit not previously identified were found in infected devices of Catalans at the end of 2019 and in early 2020 before Apple updated its mobile operating system to patch vulnerabilities.
Among the targeted individuals were at least three European lawmakers representing Catalan separatist parties, members of two prominent pro-independence civil society groups, their lawyers and various elected officials
The revelations come as European Union lawmakers on Tuesday are holding the first meeting of a committee looking into breaches of EU law associated with the use of hacker-for-hire spyware.
Four former regional Catalan presidents, including Puigdemont and his successor Quim Torra while he was holding office, were also subject to direct or indirect spying, the researchers said.
Current Catalan President Pere Aragonès, whose phone was infected, according to Citizen Lab, while he served as Torra’s deputy from 2018 to 2020, said “massive espionage against the Catalan independence movement is an unjustifiable disgrace, an attack on fundamental rights and democracy.”
Because the software can only be acquired by state entities, the Spanish government must offer an explanation, Aragonès said in a series of tweets.
“No excuses are valid,” he wrote. “To spy on representatives of citizens, lawyers or civil rights activists is a red line.”
In a response to Amnesty International’s formal request in 2020 for full disclosure on contracts with private digital surveillance companies, Spain’s Defense Ministry said that information is classified, the rights group said Monday.
“The Spanish government needs to come clean over whether or not it is a customer of NSO Group,” said Likhita Banerji, an Amnesty International researcher. “It must also conduct a thorough, independent investigation into the use of Pegasus spyware against the Catalans identified.”
In a separate report also released Monday, Citizen Lab said it had also found evidence in 2020 and 2021 that the British prime minister’s office was infected with Pegasus spyware linked to the United Arab Emirates. It said it found suspected infections at Britain’s Foreign Office linked to the UAE, India, Cyprus, and Jordan.
The group said it had informed the British government about the findings.
Other countries where Citizen Lab and other public-interest researchers have confirmed Pegasus infections on political dissidents and journalists critical of governments include Poland, Mexico, El Salvador and Hungary.
NSO Group claims it only sells Pegasus to government agencies to target criminals and terrorists, but hundreds of cases have been documented of its use against human rights and other activists, lawyers, reporters and their relatives.