Researchers with Citizen Lab have disclosed two separate campaigns that leveraged the Pegasus spyware: One slew of attacks impacted official UK government networks including the prime minister’s office, while the other series of incidents affected Catalan presidents and civil society organization members.
Pegasus, the widely deployed spyware that is made by the NSO Group, has for years been leveraged to track and spy on targets, with previous victims including dissidents, journalists and others around the world. Citizen Lab researchers on Monday said the targeting of civil society in Catalonia “is yet another indictment” of the mercenary spyware industry and called for an official inquiry into Pegasus surveillance operations.
“This remarkable combination of high volume and unrestrained abuses points to a serious absence of regulatory constraints, both over sales by the mercenary companies involved and the use of such powerful surveillance tools by the government client or clients,” said researchers.
Citizen Lab researchers confirmed in a Monday disclosure that in 2020 and 2021 they observed multiple suspected Pegasus infections within official United Kingdom government networks, including the Prime Minister’s Office and the Foreign and Commonwealth Office (now the Foreign, Commonwealth and Development Office). The UK government has been notified of the suspected infections, said researchers.
Citizen Lab said that the suspected infections related to the Foreign and Commonwealth Office were associated with Pegasus operators linked to the UAE, India, Cyprus and Jordan, while the infection at the Prime Minister’s Office was associated with an operator linked to the UAE.
“The United Kingdom is currently in the midst of several ongoing legislative and judicial efforts relating to regulatory questions surrounding cyber policy, as well as redress for spyware victims. We believe that it is critically important that such efforts are allowed to unfold free from the undue influence of spyware,” said Ron Deibert, Director of the Citizen Lab and Professor of Political Science at the University of Toronto’s Munk School of Global Affairs & Public Policy.
Researchers also found a series of spyware attacks occurring mostly between 2017 and 2020, which targeted or infected at least 65 victims, including members of the European Parliament, Catalan presidents, legislators, jurists and civil society organization members, and, in some cases, members of their families. The attacks leveraged a previously undisclosed iOS zero-click exploit that was used in 2019 to infect dozens of victims with spyware. Researchers noted, however, that they do not have evidence that Apple users with up-to-date iOS versions are at risk. The vulnerability, which researchers with Citizen Lab call HOMAGE, was effective against some iOS versions prior to 13.2 (the current iOS version is 15.4.1).
“Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3,” said Citizen Lab researchers in a Monday analysis. “It is possible that the exploit was fixed in iOS 13.2. We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”
The campaign was unearthed after researchers, inspired by a 2019 campaign that targeted multiple members of civil society and political figures in Catalonia, Spain via a now-patched WhatsApp flaw (CVE-2019-3568), launched a large-scale investigation into Pegasus hacking in Spain. The majority of these victims were targeted with Pegasus, a notorious spyware tool made by the NSO Group. In addition to Pegasus, a few victims were infected with spyware from another mercenary hacking company called Candiru.