UK government networks infected with Pegasus, research group claims

19 Apr 2022

UK Prime Minister Boris Johnson in 2020. Image: Pippa Fowles/No 10 Downing Street (CC BY-NC-ND 2.0)

Citizen Lab said the spyware was also used to target leaders of the Catalan independence movement between 2017 and 2020.

The UK government was informed that multiple suspected instances of Pegasus spyware infections were discovered in its networks between 2020 and 2021, according to internet research group Citizen Lab.

In a statement yesterday (18 April), Citizen Lab claimed networks within the prime minister’s office of 10 Downing Street and the Foreign and Commonwealth Office (FCO) had suspected infections of the notorious spyware during this period.

Citizen Lab said the suspected 10 Downing Street infection was connected to a Pegasus operator linked with the United Arab Emirates (UAE). The suspected FCO attack was linked to operators in the UAE, India, Cyprus and Jordan.

With staff working around the world for the FCO and its successor office, the Foreign, Commonwealth and Development Office, Citizen Lab said the suspected infections could be related to FCO devices using foreign SIM cards in other countries.

“The United Kingdom is currently in the midst of several ongoing legislative and judicial efforts relating to regulatory questions surrounding cyber policy, as well as redress for spyware victims,” Citizen Lab director Ron Deibert said in a statement. “We believe that it is critically important that such efforts are allowed to unfold free from the undue influence of spyware.”

Pegasus spyware was developed by Israel’s NSO Group, which creates surveillance technology that can be used to track targeted iOS and Android users. NSO claims its products are used by government intelligence and law enforcement agencies to prevent and investigate serious crime and terror incidents.

But the group made headlines last year when an investigation involving Amnesty International and other organisations claimed Pegasus spyware was abused and used to target journalists, activists and government officials.

Catalans targeted with spyware

Citizen Lab also said Pegasus was used to target dozens of Catalan leaders, including legislators, European Parliament members and presidents from the north-eastern Spanish region.

NSO Group has denied the allegations in both cases. A spokesperson told the Guardian: “NSO continues to be targeted by a number of politically motivated advocacy organisations like Citizen Lab and Amnesty to produce inaccurate and unsubstantiated reports based on vague and incomplete information.

“We have repeatedly cooperated with governmental investigations, where credible allegations merit. However, information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons,” the spokesperson said.

Citizen Lab said it identified at least 65 individuals linked to the Catalan independence movement who were targeted by mercenary spyware. It claimed 63 were targeted with Pegasus while others were infected with spyware from Candiru, “another mercenary hacking company”.

Almost all of the incidents occurred between 2017 and 2020, though one instance of targeting was observed in 2015, according to the research group. A Catalan independence referendum took place in Spain in 2017.

“We do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government,” Citizen Lab said in a statement.

Catalan politician Pere Aragonès said on Twitter that the surveillance operation on the Catalan independence movement “is shameful and unjustifiable”.

“It is a very serious attack on democracy and fundamental rights,” Aragonès tweeted yesterday. “Another example of repression against a peaceful and civic movement.”

Zero-click vulnerabilities

Citizen Lab also said it identified a previously undisclosed ‘zero-click’ vulnerability used by NSO Group on iOS devices, which it is calling Homage. A zero-click vulnerability does not require any user interaction for an attack to be successful. The Canadian research group claimed this vulnerability was exploited on devices with iOS versions earlier than 13.2.

“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1,” it said. Citizen Lab added that it does not believe up-to-date iOS devices are at risk and has reported the exploit to Apple.

Another zero-click exploit called ForcedEntry was discovered on iOS devices last year by Citizen Lab. The group claimed this exploit was used by NSO Group to infect the phone of a Saudi Arabian human rights activist with Pegasus spyware.

Apple released a set of updates to patch the exploit and sued NSO Group last November in a bid to “hold it accountable for the surveillance and targeting of Apple users”.

In February, the EU’s data protection watchdog called for a ban on the development and use of Pegasus spyware following revelations of its potential impact on privacy rights.

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy,” the European Data Protection Supervisor said in a report published on 15 February. “This fact makes its use incompatible with our democratic values.”


Leigh Mc Gowran is a journalist with Silicon Republic