Israeli spyware continues its activity in Europe


When you have such a good lead, it’s hard to let go. The Canadian NGO Citizen Lab has published a long report detailing the espionage techniques used against Catalan officials, including several elected members of the European Parliament.

Citizen Lab blames two spyware products marketed by Israeli companies: the now well-known Pegasus, developed by NSO, and Candiru, a lesser-known Israeli spyware. Both companies were sanctioned by the American authorities in 2021.

Tribute to Catalonia

This new publication echoes revelations from Reuters, which announced a week earlier that several high-ranking officials of the European Commission had also been targeted by spyware marketed by an unnamed Israeli company. Among them was Didier Reynders, current European Commissioner for Justice.

In the case that Citizen Lab calls “CatalanGate”, researchers managed to identify 63 individuals targeted by Pegasus, 51 of whom were actually infected with the malware.

In addition, there are individuals targeted by the Candiru spyware, developed by an Israeli company close to NSO (the two companies share several shareholders and founders). This software had already been identified by Citizen Lab, but the data collected made it possible to identify new targets within the Catalan community. The targets of this campaign are mainly MEPs, political activists and civil servants who have in common their commitment to the independence of Catalonia.

Targeted Phishing and Zero-Click Vulnerability

Among the techniques used by attackers to infect their targets’ devices with Pegasus are classic but sophisticated phishing messages sent by SMS and containing booby-trapped links.

Citizen Lab details several examples of phishing techniques used by attackers: in at least one case, a fake SMS was sent containing a link to a boarding pass for a flight actually booked by the target. “Targeting, in this case, indicates that the Pegasus operator may have had access to passenger name record (PNR) or other information collected from the carrier,” Citizen Lab explains.

But where traditional techniques fail, Pegasus can also exploit a vulnerability in the iOS operating system to infect the target’s device without requiring user interaction. This “zero-click” flaw has been dubbed “HOMAGE” by Citizen Lab researchers and appears to have been exploited “during the last months of 2019”. Citizen Lab estimates that this flaw only worked on versions of iOS prior to version 13.2, and that Apple has probably fixed it in newer versions of its mobile operating system.

The usual suspects

Although Citizen Lab has confirmed the infections by Pegasus and Candiru, the NGO is more cautious about attributing the attacks. Its findings on the similarity of the infrastructure used in the various attacks targeting the Catalan officials nevertheless suggest that a single actor is behind them.

The evidence collected by Citizen Lab does not allow it to conclude who operated the spyware in this campaign, but the NGO nevertheless underlines that serious indications seem to point to the Spanish government or one of its entities.

Since the initial revelations concerning the use of the spyware, cases involving this spy tool have multiplied in Europe. Attacks involving Pegasus were also detected by Citizen Lab in the direct entourage of the British Prime Minister, in 2020 and 2021. Finnish diplomats also announced earlier this year that several of their devices had been targeted by Pegasus.




