Several people working in a cybersecurity environment may be surprised by the use of Pegasus in Spain, as this spyware has been used around the world as a «government security solutions against terrorism and major crime«, As described by its developer, but also against all kinds of citizens and companies that have nothing to do with” illegal activity “.

Investigation Civic laboratory from the University of Toronto claims to have found evidence of Pegasus espionage in 65 lawyers, academics, journalists and politicians from Basque and Catalan independence circles. It’s about the largest espionage operation against a single group of victims documented by these researchers who specialize in monitoring the activities of this spyware.

Given the people involved in the matter and the fact that the company behind Pegasus, the NSO Group, sells this spyware only to governments and official government agencies, there is a suspicion that the CNI (Spanish spies, to understand us) is behind the espionage. The CNI’s activities in interfering with citizens’ communications under the Ministry of Defense require judicial authorization, although this is a special and secret procedure involving a Supreme Court judge, which has no subsequent control.

And if this control exists, because you already know that, thanks to its own operation, the intelligence agency is always on the cutting edge. The scandal was, as expected, monumental and on several levels. In addition to the political and ideological considerations that some of the politicians involved deserve, there are citizens who – probably – fundamental rights have been violated from a democratic state. And we’re all in that group. In my opinion, the Spanish Government must provide an explanation and not hide behind the always useful ‘national security’.

Pegasus in the world

Pegasus is the best-known software from the Israeli company NSO Group and one of the most sophisticated known spyware, which is not unique because there are others, such as Candiru (also from Israel), that have managed to remain more hidden from the current media, but that it is assumed to be the same or stronger than Pegasus.

In addition to its “legal” activities against terrorists and high crime, it is proven that Pegasus have been used for illegal activities for years against journalists, organizations, dissidents, politicians, academics or any other target that systematically violates rights such as privacy and others, such as the environmental espionage of dissident Jamal Hashukji, who was later assassinated at the Saudi consulate in Istanbul.

Pioneering collaboration of more than 80 journalists from 17 major media organizations in 10 countries coordinated Forbidden stories, a non-profit organization based in Paris and with the technical support of Amnesty International, conducted state-of-the-art forensic tests to identify traces of spyware and confirm that it was spying “everything that moved” on the Internet. For some, few terrorists and criminals and many citizens and societies.

The results made it possible to claim that Pegasus is “weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, threatening countless lives”. The reality is that this type of technology facilitates systemic abuse within the framework of legitimacy. For all these reasons, Amnesty International has called for an immediate moratorium on the export, sale, transfer and use of tracking technologies such as Pegasus.

This spyware was not only used against dissidents or dictatorships. Pegasus was used to spy on the US State Department and also 13 heads of state, including French President Emmanuel Macron. Although the NSO Group denies its responsibility, this development eventually reached everyone who could afford it. It has also been used to distribute malware, serious exploits in Microsoft or Facebook products such as WhatsApp. And it is impossible to omit this type of development from the clutches of those who claim to be fighting and for the activities that are being advertised.

What room did Pegasus have to have for the Israeli authorities themselves to say that its activities should be investigated, and the Americans demanded that the NSO be sanctioned. In the European Union, the investigation is launched following a report by the European Data Regulator, where demands its total ban What “An appropriate response to the unprecedented risks posed by this technology, not only to people and facilities, but also to democracy and the rule of law itself”.

Pegasus in Spain

Spyware exploits attacks from phishing and phishing best to install on Android and iOS mobile devices. When inserted into the victim’s smartphone, it allows the attacker “total control”, full access to messages, e-mails, media, microphone, camera, calls and device contacts.

According to the Citizen Lab, attacks on a group close to Basque and Catalan separatists were designed with high level of customization for each of them, suggesting prior knowledge of their activities probably through other means of espionage. Everything was a biting trap for them, and from what we read, they did very well.

Phishing is an effective method against anyone and has been the preferred attack. The attackers pushed out all kinds of organizations and companies, from the tax office to social security, passing through courier companies or shipping companies. They are the same as used in “consumer” campaignsalthough false reports from international rights organizations or “hooks” have been added in this case, such as the report by the former president of Catalonia and a refugee before the legal action of Carles Puigdemont.

Pegasus was used for implementation Fraudulent SMS and messages from social networkswith dozens of intrusion attempts between 2017 and 2020. Researchers have also discovered special attacks for iPhones exploiting the 0-Day vulnerability in the News app, which is well known in security environments.

“Many victims have been the target of SMS-based attacks, and we have collected more than 200 such messages.”explains Citizen Lab. “Sophistication and personalization of messages vary by purpose, but reflect and often detailed knowledge of the habits, interests, activities and concerns of the target«.

Secretary of Defense Margarita Robles announced in Congress a secret commission to explain the use of Pegasus in Spain, given that the CNI cannot offer them as a subject (and by law). According to the daily El País, the Spanish intelligence service Pegasus has years after obtaining it for six million euros for spying abroad.

And it is certain that even at home … in “legal” activities and others. We are certainly in a very dark case where data and evidence are missing about everything that has been written. We’ll probably never meet them. Intelligence and police forces must have digital weapons in order to fight the bad guys and protect the rest of the citizens. In this case, if it is confirmed in its entirety, we are talking about something that should embarrass a democratic state. And it shouldn’t be an excuse if they’re independent, because the illegal use of these technologies will eventually reach those of us who don’t think like them.