Dozens of high-profile politicians and activists across Europe have been targeted for surveillance with the infamous Pegasus spyware, according to new research, with the reported victims including UK Prime Minister Boris Johnson and a number of Catalan independence leaders in Spain.
Findings published on Monday by Toronto-based cyber research firm Citizen Lab indicate that the Israeli-developed Pegasus spyware program was used to illicitly surveil government institutions in the United Kingdom between 2020 and 2021, among them the prime minister’s office on 10 Downing Street and the the Foreign Commonwealth and Development Office (FCO).
“When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, told the New Yorker in an interview, while another employee said the lab suspects the breach “included the exfiltration of data.”
Though London has declined to say what software was used, an unnamed official confirmed to the outlet that government networks were “compromised,” noting that the UK’s National Cyber Security Centre later analyzed some of the devices thought to have been targeted, including Johnson’s. The infected phones or computers were unable to be identified, however, with the official stating “it’s a bloody hard job.” Whether any data was stolen, or what it might have included, remains unknown.
According to the researchers, the suspected breaches related to the FCO are believed to have been carried out from the United Arab Emirates, India, Cyprus and Jordan, while the attack on the PM’s office may have originated in the UAE. The Emirati government has been implicated in previous spying charges linked to the Pegasus program, including surveillance related to the brutally murdered Saudi journalist Jamal Khashoggi in 2018.
Moreover, more than 60 phones linked to Catalan activists were reportedly infiltrated between 2015 and 2020, including those belonging to lawyers, politicians and members of the European Parliament who’ve backed independence for the region in northeastern Spain. The New Yorker dubbed it the “largest forensically documented cluster of such attacks and infections on record.”
“Every Catalan Member of the European Parliament (MEP) that supported independence was targeted either directly with Pegasus, or via suspected relational targeting,” Citizen Lab said. “Three MEPs were directly infected, two more had staff, family members, or close associates targeted with Pegasus.”
Though the origin of the latter attacks remain unclear, Catalan politicians have pointed fingers toward the Spanish government, while previous reporting in local media indicates Spanish intelligence services have employed the Pegasus program in the past, specifically against independence figures.
The government has yet to respond to the charge, though the developer of Pegasus – Israeli cyber firm NSO Group – has denied the claims unequivocally, telling the New Yorker “These allegations are, yet again, false,” having previously rebutted similar accusations in the past. Despite a litany of other spying claims in the past, the company has insisted its products are used exclusively for legal law enforcement purposes only.