UK Prime Minister, Catalan groups ‘targeted by NSO Pegasus spyware’

Citizen Lab has reported finding suspected surveillance software on devices associated with both the UK Prime Minister’s Office and what was formerly called the British Foreign and Commonwealth Office.

The Canadian research outfit also said it had identified at least 65 individuals linked with Catalan civil society groups in Spain who were targeted by, or infected with, surveillance software. Catalonia is an autonomous region within Spain where there’s an ongoing politically divisive fight for national independence.

On Monday, Citizen Lab, a part of at the University of Toronto’s Munk School, said it had found likely NSO Group Pegasus spyware infections on devices associated with UK Prime Minister Boris Johnson’s office, 10 Downing Street, and on devices linked to the FCO, now called the FCDO, or the Foreign Commonwealth and Development office.

“We confirm that in 2020 and 2021 we observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official UK networks,” said Ron Deibert, director of the Citizen Lab and professor of political science at the University of Toronto’s Munk School of Global Affairs & Public Policy, in a statement.

Deibert said the suspected infection associated with 10 Downing Street was linked to a Pegasus operator with ties to the United Arab Emirates while the FCO suspected infection appears to be linked to Pegasus operators associated with UAE, India, Cyprus, and Jordan.

He cautioned that because the FCO/FCDO have employees in various countries, the suspected infections observed may be related to devices located abroad that used foreign SIM cards, an attack vector seen in the compromised devices of US State Department personnel in Uganda in 2021.

• European officials reportedly targeted by NSO spyware
• Apple emits emergency fix for exploited-in-the-wild WebKit vulnerability
• Whistleblower claims NSO offered ‘bags of cash’ for access to US phone networks
• US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions

In November, 2021, a group of UK MPs urged Johnson to sanction NSO Group as the US has done. NSO Group has been under fire from civil society groups for years for enabling authoritarian regimes to surveil and punish human rights advocates and journalists. The Israel-based firm was sued by Meta/Facebook’s WhatsApp in 2019 for enabling the monitoring of WhatsApp’s Android users (and two years later by Apple).

The WhatsApp case has not gone well for NSO Group which only a week ago asked the US Supreme Court to recognize its claim of immunity as a foreign government agent, a gambit already twice rejected by lower courts.

The rain in Spain

With regard to Catalan groups in Spain, Citizen Labs said it has identified at least 63 individuals targeted with Pegasus, and another four targeted with Windows surveillance software from Candiru, another Israel-based spyware maker that has also been sanctioned in the US. The victims, two of whom were linked both to Pegasus and Candiru, are said to include members of the European Parliament, legislators, jurists, members of civil society, and every Catalan president since 2010.

In conjunction with the Catalan findings, Citizen Lab said multiple zero-click iMessage exploits were used to attack victims’ iOS devices between 2017 and 2020. One of these the lab dubbed HOMAGE, an exploit for WebKit – the Safari browser code that Apple insists is the only rendering engine allowed on iOS for the sake of security.

“The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address,” CitizenLab said. “The WebKit instance in the com.apple.mediastream.mstreamd process fetched JavaScript scaffolding that we recovered from an infected phone.”

The malware performs a test on the target device and, if it’s vulnerable, fetches the WebKit exploit. HOMAGE is believed to have been patched in iOS 13.2, released October 28, 2019. Citizen Lab also saw another exploit, KISMET, a zero-day used in mid-2020 against iOS 13.5.1 and iOS 13.7 before it was apparently patched in iOS 14.

Citizen Lab said because its tools focus on iOS forensics, it believes Android-based Pegasus infections are undercounted. The research group did not attribute the Catalan surveillance to a particular entity but said there’s strong circumstantial evidence that Spanish authorities were involved.

Amnesty International, which helped confirm Citizen Labs’ findings, urged the Spanish government to say whether or not it is an NSO Group customer and called on the European Parliament to do more to stop human rights violations conducted using government-directed spyware.

“We urge the European Parliament Committee of Inquiry to leave no stone unturned when documenting the human rights violations enabled by unlawful spyware, including by investigating these new revelations,” said Likhita Banerji, Amnesty International’s technology and human rights researcher, in a statement.

“Governments around the globe have not done enough to investigate or stop human rights violations caused by invasive spyware like Pegasus. The use, sale and transfer of this surveillance technology must be temporarily halted to prevent further abuses of human rights.”

A European Parliament Committee of Inquiry, formed following revelations about Pegasus use reported in July 2021, is scheduled to hold its first meeting on Tuesday to discuss Pegasus and similar spyware.

The Register was unable to reach NSO Group for comment. ®