What you need to know
- A new report says a multitude of Catalonian figures were targeted by Pegasus spyware
- At least 65 individuals were targeted, including members of the European Parliament, Catalan Presidents, and more.
- The Citizen Lab says it has also identified a previously undisclosed iOS zero-click vulnerability.
A new report from The Citizen Lab reveals that at least 65 individuals connected to Catalonia were targeted by Pegasus spyware, identifying on the way a previously-undisclosed iOS zero-click vulnerability.
Citizen Lab says it has uncovered hacking that "covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organizations (NGOs)" as well as government and elected officials including Catalan presidents, members of the European Parliament, legislators, staff, and even their families. The report says that "extensive circumstantial evidence points to the Spanish government as the source of the hacking.
The report notes the tumultuous relationship between Catalonia and the rest of Spain, notably a continued desire from some parts of the region to gain full independence from the country. The report notes that the Spanish government has been confirmed as a customer of NSO Group, maker of the controversial Pegasus tool that was unearthed last year as a major weapon of surveillance.
The report says that at least 63 individuals were targeted between 2017 and 2020, with 51 individuals successfully infected. However, this number is likely skewed somewhat:
Spain has a high Android prevalence over iOS (~80% Android in 2021). Anecdotally, this is somewhat reflected in the individuals we contacted. Because our forensic tools for detecting Pegasus are much more developed for iOS devices, we believe that this report heavily undercounts the number of individuals likely targeted and infected with Pegasus because they had Android devices.
Noting several high-profile targets, the report says that some individuals were targeted using zero-click iMessage exploits, including a new previously unidentified exploit:
We have identified signs of a zero-click exploit that has not been previously described, which we call HOMAGE. The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
This exploit was not used on any iOS version after 13.1.3, meaning iOS 14 and iOS 15 users are not at any risk. The Citizen Lab has also reported its findings to Apple.
Others were targeted using a zero-click exploit called KISMET as recently as December 2020, while others still were attacked through a widespread 2019 WhatsApp attack. Still, others were targeted using SMS-based attacks. The report concludes:
This report details extensive surveillance directed against Catalan civil society and government using mercenary spyware. According to NSO Group, Pegasus is sold exclusively to governments, and finding such an operation inevitably implicates a government. While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.
The Citizen Lab says that the seriousness of the case calls for an official inquiry to determine the responsible party, how the hacking was authorized, and more. It also notes that the suspected number of victims and targets is much higher than the initial report indicates. The report also warns that the case is notable "because of the unrestrained nature of the hacking activities" in targeting elected officials including "every Catalan member of the European Parliament that supported independence."
The Citizen Lab notes the case is also notable because Spain a democracy, and adds to "the growing number of other democracies we have discovered that have abused mercenary spyware".
You can read the full report here.
