
Pegasus Spyware Operations Targeted UK Gov Officials, Catalans in Spain


Citizen Lab researchers disclosed two separate operations where the Pegasus spyware was deployed, including one against official UK government networks and another against 65 Catalan individuals in Spain.

Researchers with Citizen Lab have disclosed two separate surveillance campaigns that leveraged the Pegasus spyware. One slew of attacks impacted official UK government networks, including the prime minister’s office, while the other series of incidents affected dozens of Catalan individuals, including presidents and civil society organization members.

Pegasus, the widely deployed spyware that is made by the NSO Group, has for years been leveraged to track and spy on targets, with previous victims including dissidents, journalists and others around the world. Citizen Lab researchers on Monday said the targeting of civil society in Catalonia “is yet another indictment” of the mercenary spyware industry and called for an official inquiry into Pegasus surveillance operations.

“This remarkable combination of high volume and unrestrained abuses points to a serious absence of regulatory constraints, both over sales by the mercenary companies involved and the use of such powerful surveillance tools by the government client or clients,” said the researchers.

Citizen Lab researchers in a Monday disclosure confirmed that in 2020 and 2021 they observed official networks of the United Kingdom government being targeted with multiple suspected Pegasus infections, including the prime minister’s office and the Foreign and Commonwealth Office (now the Foreign, Commonwealth and Development Office). The UK government has been notified of the suspected infections, said researchers. Citizen Lab said that the suspected infections related to the Foreign and Commonwealth Office were associated with Pegasus operators linked to the UAE, India, Cyprus and Jordan, while the infection at the prime minister’s office was associated with an operator linked to the UAE.

“The United Kingdom is currently in the midst of several ongoing legislative and judicial efforts relating to regulatory questions surrounding cyber policy, as well as redress for spyware victims. We believe that it is critically important that such efforts are allowed to unfold free from the undue influence of spyware,” said Ron Deibert, director of the Citizen Lab.

In a separate Monday report, researchers disclosed that they had found a series of spyware attacks occurring mostly between 2017 and 2020, which targeted or infected at least 65 victims, including members of the European Parliament, Catalan presidents, legislators, jurists and civil society organization members, and, in some cases, members of their families. The attacks leveraged a previously undisclosed iOS zero-click exploit that was used in 2019 to infect dozens of victims with spyware. The vulnerability, which researchers with Citizen Lab call HOMAGE, was effective against some iOS versions prior to 13.2 (the current iOS version is 15.4.1). Researchers noted, however, that they have no evidence that Apple users running up-to-date iOS versions are at risk.

“Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3,” said Citizen Lab researchers. “It is possible that the exploit was fixed in iOS 13.2. We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”


The campaign was unearthed after researchers, inspired by a 2019 campaign that targeted multiple members of civil society and political figures in Catalonia, Spain via a now-patched WhatsApp flaw (CVE-2019-3568), launched a large-scale investigation into Pegasus hacking in Spain. The majority of the victims uncovered were targeted with Pegasus, but a few victims were instead infected with spyware from another mercenary hacking company called Candiru.

“The hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organizations (NGOs),” said researchers. “Catalonia’s government and elected officials were also extensively targeted, from the highest levels of Catalan government to Members of the European Parliament, legislators, and their staff and family members. We do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government.”

The HOMAGE exploit used by attackers leveraged an iMessage component that looked up a Pegasus email address via com.apple.private.alloy.photostream and then launched a WebKit instance in the com.apple.mediastream.mstreamd process. This instance of WebKit, which is the web browser engine used by Safari, Mail and many iOS apps, then fetched JavaScript scaffolding, which ran a series of tests that checked things including the iPhone’s exact screen resolution in pixels (in an effort to determine the model of iPhone) and ultimately fetched a WebKit exploit from /[uniqueid]/stadium/eutopia.
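The two concrete details above that a defender can act on are the version boundary (HOMAGE was not seen against iOS above 13.1.3 and may have been fixed in 13.2) and the shape of the delivery chain (the com.apple.mediastream.mstreamd process fetching a WebKit exploit from a path ending in /stadium/eutopia). The following script is an added triage example, not code from Citizen Lab or this article: it compares an iOS version string against the 13.2 threshold with proper numeric comparison, and scans log lines for the process-plus-path pattern the report describes. The "timestamp process url" log format and the sample events are constructed for illustration; real iOS diagnostic output looks different, and the `.invalid` hostnames are placeholders, not indicators from the report.

```python
"""Added triage helpers built on two details from the report above:
HOMAGE was effective against iOS versions before 13.2, and the chain ran in
com.apple.mediastream.mstreamd, which fetched the WebKit exploit from a path
of the form /[uniqueid]/stadium/eutopia.  The log format is an assumption."""
import re
from typing import Dict, List, Tuple

# Report: no HOMAGE use seen above iOS 13.1.3; possibly fixed in 13.2.
HOMAGE_FIX_VERSION: Tuple[int, ...] = (13, 2)

SUSPECT_PROCESS = "com.apple.mediastream.mstreamd"
# Path shape given in the report: /[uniqueid]/stadium/eutopia
SUSPECT_PATH = re.compile(r"/[^/\s]+/stadium/eutopia(?:[/?#]|$)")

# Assumed log shape: "<timestamp> <process bundle id> <url>", one event per line.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)\s*$")


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """Turn '13.1.3' into (13, 1, 3) so versions compare numerically.

    A plain string comparison would sort '13.10' before '13.2'; int tuples do not.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_homage_window(version: str) -> bool:
    """True when the version is below 13.2, the range in which HOMAGE was observed."""
    return parse_ios_version(version) < HOMAGE_FIX_VERSION


def find_homage_indicators(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines for the mstreamd + /stadium/eutopia pattern.

    A path hit from inside mstreamd is the strongest signal; the same path from
    another process is still reported, at lower confidence, for analyst review.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        proc, url = m["proc"], m["url"]
        if not SUSPECT_PATH.search(url):
            continue
        confidence = "high" if proc == SUSPECT_PROCESS else "medium"
        hits.append({"ts": m["ts"], "process": proc, "url": url, "confidence": confidence})
    return hits


# Constructed sample events; hostnames use the reserved .invalid TLD, not real IoCs.
SAMPLE_LOG = """\
2019-07-01T10:00:01Z com.apple.mediastream.mstreamd https://staging.example.invalid/abc123/stadium/eutopia
2019-07-01T10:00:02Z com.apple.mobilesafari https://www.apple.com/
2019-07-01T10:00:03Z com.apple.mediastream.mstreamd https://photos.example.invalid/sync
2019-07-01T10:00:04Z com.apple.MobileSMS https://staging.example.invalid/def456/stadium/eutopia
"""

if __name__ == "__main__":
    for v in ("12.4.1", "13.1.3", "13.2", "13.10", "15.4.1"):
        state = "inside" if in_homage_window(v) else "outside"
        print(f"iOS {v}: {state} the observed HOMAGE window")
    for hit in find_homage_indicators(SAMPLE_LOG):
        print(f"[{hit['confidence']}] {hit['ts']} {hit['process']} -> {hit['url']}")
```

The version check deliberately parses into integer tuples, because a naive string comparison would treat 13.10 as older than 13.2 and misclassify a patched device as exposed. The log scan reports the path match from any process rather than only from mstreamd, since the report describes the path as the second stage's source, so a different parent process is still worth a look.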

Attackers also used the known 2020 KISMET exploit, a zero-click exploit in iMessage. Many victims were also targeted using SMS-based attacks: one target received a text message that purported to be a boarding pass link for a Swiss International Air Lines flight he had purchased, and another received messages masquerading as official notifications from Spanish government entities, including the tax and social security agencies.

Catalonia is an autonomous community of Spain, but its efforts to separate from Spain have led to conflict over the years. There have been previous reports of surveillance abuses in Spain and Catalonia as well, including a 2010 report that Spain’s National Intelligence Center (CNI) and National Police paid to use spyware from the Milan-based surveillance software company Hacking Team, and a 2015 report on a “suspected Spanish customer” using FinFisher, a spyware suite that is sold exclusively to governments.

“The case is notable because of the unrestrained nature of the hacking activities,” said researchers. “The list includes numerous elected officials of Catalonia’s government, as was every Catalan member of the European Parliament that supported independence. Staff members and friends are also among the list. So, too, were numerous members of Catalan civil society, as well as lawyers representing Catalans (raising questions of attorney-client privilege violations).”