By: Aritz Parra
The phones of dozens of pro-independence supporters in Spain’s northeastern Catalonia, including the regional chief and other elected officials, were hacked with controversial spyware available only to governments, a cybersecurity rights group said Monday.
Citizen Lab, a research group affiliated with the University of Toronto, said a large-scale investigation it had conducted in collaboration with Catalan civil society groups found that at least 65 individuals were targeted or their devices infected with what it calls “mercenary spyware” sold by two Israeli companies, NSO Group and Candiru.
NSO said the allegation “could not be related to NSO products.” Candiru couldn’t be reached for comment by The Associated Press.
Almost all of the incidents occurred between 2017 and 2020, when efforts to carve out an independent state in northeastern Spain led to the country’s deepest political crisis in decades. The former Catalan Cabinet that pushed ahead with an illegal referendum on independence was sacked. Most of its members were imprisoned or fled the country, including ex regional president Carles Puigdemont.
NSO’s Pegasus spyware has been used around the world to break into the phones and computers of human rights activists, journalists and even Catholic clergy. The firm has been subject to export limits by the U.S. federal government, which has accused NSO of conducting “transnational repression.” NSO has also been brought to court by major technology companies, including Apple and Meta, the owner of WhatsApp.
Citizen Lab said its investigations into the use in Spain of Pegasus and spyware developed by Candiru — another Israeli firm founded by former NSO employees — started in late 2019 after a handful of cases targeting high-profile Catalan pro-independence individuals were revealed. Amnesty International said its technical experts had independently verified the attacks.
The Toronto-based non-profit said it could not find conclusive evidence to attribute the hacking of Catalan phones to a specific entity.
“However, a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government,” Citizen Lab said.
Spain’s Interior Ministry said no ministry department, nor the National Police or the Civil Guard, “have ever had any relation with NSO and have therefore never contracted any of its services.” The ministry’s statement said that, in Spain, “all intervention of communications are conducted under judicial order and in full respect of legality.”
The prime minister’s office didn’t immediately respond to questions from AP. A spokeswoman with Ministry of Defense, which oversees Spain’s armed forces and intelligence services, declined to clarify if it had contracted NSO or Candiru software.
“The government of Spain always acts according to the law,” said the spokeswoman, who wasn’t authorized to be named in the media.
Pegasus infiltrates phones to vacuum up personal and location data and also surreptitiously controls the smartphone’s microphones and cameras, turning them into real-time surveillance devices. NSO Group’s stealthiest hacking software uses “zero-click” exploits to infect targeted mobile phones without any user interaction.
NSO Group claimed it was being targeted by Citizen Lab and Amnesty International with “inaccurate and unsubstantiated reports” and “false” allegations that “could not be related to NSO products for technological and contractual reasons.”
“We have repeatedly cooperated with governmental investigations, where credible allegations merit,” an NSO spokesperson said in a statement.
(AP)
