Revelations about the use of the Israeli spyware Pegasus (developed by NSO) and Candiru (developed by the eponymous company, very close to NSO) continue to multiply. On 18 April 2022, the Canadian NGO Citizen Lab published two blog posts describing new campaigns against targets in Europe.
The first concerns Catalonia, in particular independence circles: researchers have identified 63 individuals targeted by Pegasus (51 of whom were actually infected) and a large-scale targeting campaign by Candiru, aimed in particular at MEPs, political activists, and civil servants who support Catalan independence.
The blog post also details the infection methods used, including fake SMS messages containing malicious links (for example, to obtain the boarding pass for a real reservation made by the target), and the exploitation of a ‘zero-click’ flaw, called HOMAGE, affecting versions of iOS prior to 13.2.
The investigation tends to show that a single actor is behind all these hacks. Citizen Lab indicates that many clues point to the Spanish government or one of its entities, but that formal proof is lacking.
The second blog post reveals infections targeting the UK government, discovered in 2020 and 2021 and already disclosed by the NGO to the parties concerned. The Prime Minister’s Office was targeted by a Pegasus operator linked to the United Arab Emirates, and the Foreign, Commonwealth & Development Office (FCDO) by Pegasus operators linked to the Emirates, India, Cyprus, and Jordan.
The NGO speculates that this latter infection may have come from FCDO staff operating abroad who were using phones with foreign SIM cards, which are easier to hack.