Pixel Envy

Written by Nick Heer.

NSO Group and Candiru Spyware Allegedly Used by Spanish Government Against Catalan Independence Movement Leaders

John Scott-Railton, et al., of the University of Toronto’s Citizen Lab:

In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world with Pegasus. At the same time, WhatsApp notified 1,400 users who had been targeted with the exploit. Among the targets were multiple members of civil society and political figures in Catalonia, Spain. The Citizen Lab assisted WhatsApp in notifying civil society victims and helping them take steps to be more secure.

The cases were first reported by The Guardian in 2020. Following these reports, the Citizen Lab, in collaboration with civil society organisations, undertook a large-scale investigation into Pegasus hacking in Spain. The investigation has uncovered at least 65 individuals targeted or infected with Pegasus or spyware from Candiru, another mercenary hacking company.

Not only did researchers find spyware on the devices of activists and political figures, but also on the devices of family members.

Ronan Farrow, in a deeply reported article for the New Yorker:

The Citizen Lab’s researchers concluded that, on July 7, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom. A government official confirmed to me that the network was compromised, without specifying the spyware used. “When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, recalled. “We suspect this included the exfiltration of data,” Bill Marczak, another senior researcher there, added. The official told me that the National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street, including Johnson’s. It was difficult to conduct a thorough search of phones — “It’s a bloody hard job,” the official said — and the agency was unable to locate the infected device. The nature of any data that may have been taken was never determined.

The Citizen Lab suspects, based on the servers to which the data were transmitted, that the United Arab Emirates was likely behind the hack. “I’d thought that the U.S., U.K., and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security,” Scott-Railton said. “I realized I was mistaken: even the U.K. was underestimating the threat from Pegasus, and had just been spectacularly burned.” The U.A.E. did not respond to multiple requests for comment, and NSO employees told me that the company was unaware of the hack. One of them said, “We hear about every, every phone call that is being hacked over the globe, we get a report immediately” — a statement that contradicts the company’s frequent arguments that it has little insight into its customers’ activities. In its statement, the company added, “Information raised in the inquiry indicates that these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

Does the NSO Group receive regular activity reports or does it not? That should be such a simple question for the company to answer, but Farrow quotes an employee wholly contradicting NSO Group’s public statements. This whole spyware industry is built on a sketchy foundation and these companies beg for trust, yet it seems we just do not know such a fundamental truth about how they operate: do they or do they not know what devices are being targeted by their clients?

As a result of this incident, Farrow reports, U.K. numbers — like U.S. numbers — have been disallowed from targeting. For those of us elsewhere, our activists and lawmakers and journalists are simply not valuable enough for NSO Group to treat with the same dignity or respect for privacy. As Farrow reports, this spyware is a tool for diplomacy as much as it is a product for warfare. Non-American and non-British people are apparently undeserving of the same level of humanity.