A few who work in cybersecurity environments may be surprised by the use of Pegasus in Spain, considering that this spyware has been used throughout the world as «government security solution against terrorism and big crime«, as described by its developer, but also against all kinds of citizens and companies that have nothing to do with ‘illegal activities’.
An investigation of Citizen Lab of the University of Toronto, claims to have found evidence of espionage through Pegasus on 65 lawyers, academics, journalists and politicians from the Basque and Catalan independence circles. It’s about the largest espionage operation against a single group of victims documented by these researchers specialized in tracking the activities of this spyware.
Taking into account those involved in this matter and that the company behind Pegasus, NSO Group, only sells this spyware to governments and official government agencies, it is suspected that the CNI (the Spanish spies to understand us) is the one behind the espionage. Reporting to the Ministry of Defense, the activities of the CNI to intervene in a citizen’s communications require judicial authorization, although it is a special and secret procedure in which a magistrate of the Supreme Court intervenes and that does not have subsequent control.
And this is if this control exists, because you already know that due to its own functioning, an intelligence agency is always on the edge of a knife. The scandal has been monumental, as expected and on several levels. Beyond the political and ideological consideration that the activities of some of the politicians involved deserve, they are citizens who -presumably- fundamental rights have been violated from a democratic state. And we are all in that group. In my opinion, the Spanish Government must give explanations and not hide behind the always helpful ‘National Security’.
Pegasus in the world
Pegasus is the best-known software from the Israeli company NSO Group and one of the most sophisticated spyware known, which is not unique because there are others such as Candiru (also from Israel) that has managed to remain more hidden from current media, but that it is suspected to be equal to or more powerful than Pegasus.
In addition to its ‘legal’ activities against terrorists and big crime, it is proven that Pegasus has been used for years in illegal activities against journalists, organizations, dissidents, politicians, academics or any target, systematically violating rights such as privacy and beyond as a result of it, as in the case of espionage on the environment of the dissident Jamal Khashoggi, later assassinated in the Saudi consulate of Istanbul.
A pioneering collaboration of more than 80 journalists from 17 major media organizations in 10 countries coordinated by Forbidden Stories, a non-profit organization based in Paris and with the technical support of Amnesty International, carried out state-of-the-art forensic tests to identify traces of the spyware, confirming that it has spied on “everything that has moved” on the Internet. For some, few terrorists and criminals and many citizens and companies.
The results allowed to argue that Pegasus is “a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, putting countless lives at risk”. The reality is that this type of technology facilitates systemic abuse under a framework of legitimacy. For all these reasons, Amnesty International called for an immediate moratorium on the export, sale, transfer and use of surveillance technology such as Pegasus.
This spyware has not only been used against dissidents or by dictatorships. Pegasus was used to spy on the US State Department and also on 13 heads of state, including French President Emmanuel Macron. Although NSO Group denies its responsibility, this development has ended up reaching everyone who could afford it. It has also been used to distribute malware, serious exploits in Microsoft or Facebook products such as WhatsApp. And it is impossible to leave this type of development out of the clutches of precisely those who claim to fight and for the activities that are advertised.
What scope Pegasus must have had for the very authorities of the state of Israel to say that its activities should be investigated and for the Americans to have asked that NSO Group be sanctioned. In the European Union, an investigation is open after a report by the European data regulator where calls for its total ban What “appropriate response to the unprecedented risks posed by this technology, not only to people and devices but to democracy itself and the rule of law”.
Pegasus in Spain
Spyware uses attacks from phishing and phishing preferably to be installed on Android and iOS mobile devices. Once inserted into the victim’s smartphone, it allows the attacker “total control”, full access to the device’s messages, emails, media, microphone, camera, calls and contacts.
According to Citizen Lab, the attacks on the group close to the Basque and Catalan separatists were designed with a great level of customization for each of them, which indicates prior knowledge of their activities probably through other means of espionage. Everything was a trap for them to bite and from what we read they did very well.
Phishing is an effective method against anyone and was the preferred attack. The attackers supplanted all kinds of organizations and companies, from the Tax Agency to Social Security, passing through courier companies or transport companies. They are the same ones used in “consumer” campaignsalthough in this case false communications from international rights organizations or ‘hooks’ were added, such as that of the former president of Catalonia and fugitive from legal action, Carles Puigdemont.
For the introduction of Pegasus were used Fraudulent SMS and messages from social networkswith dozens of intrusion attempts between 2017 and 2020. The researchers also discovered special attacks for iPhones using a 0-Day vulnerability in the Messages app, which is well known in security environments.
“Many victims were targeted by SMS-based attacks, and we have collected more than 200 such messages”explains the Citizen Lab. “The sophistication and personalization of messages vary by intent, but reflect a often detailed knowledge of the target’s habits, interests, activities, and concerns«.
The Defense Minister, Margarita Robles, has announced a secret commission in Congress to explain the use of Pegasus in Spain given the impossibility of the CNI offering them as an object (and by law). According to El País, the Spanish intelligence agency has had Pegasus for years after acquiring it for six million euros to spy abroad.
And it is certain that also at home… in “legal” activities and others. We are certainly in a very dark case where data and evidence are lacking on everything written. We will probably never meet them. Intelligence agencies and police forces must have digital weapons to fight the bad guys and protect the rest of the citizens. In this case, if confirmed in its entirety, we are talking about something that should shame a democratic state. And it should not be an excuse if they are independentists because the illegal use of these technologies will also end up reaching those of us who do not think like them.
