Dozens of pro-independence Catalan figures, including the president of the north-eastern Spanish region and three of his predecessors, have been targeted using NSO Group’s Pegasus spyware, according to a report from cybersecurity experts.
The research published on Monday by Citizen Lab, considered among the world’s leading experts in detecting digital attacks, said victims of the mobile phone targeting included Pere Aragonès, who has led Catalonia since last year, as well as the former regional presidents Quim Torra, Carles Puigdemont and Artur Mas.
It also found that MEPs, legislators, lawyers, civil society activists and journalists were targeted, as were some members of their families.
Although NSO Group claims that Pegasus is sold only to governments to track criminals and terrorists, a joint investigation two years ago by the Guardian and El País established that the speaker of the Catalan regional parliament and at least two other pro-independence supporters were warned the spyware had been used to target them.
The Citizen Lab report said at least 65 individuals had been targeted or infected with mercenary spyware, of whom at least 63 were targeted or infected with Pegasus. Almost all the incidents took place between 2017 – the year of the failed bid for Catalan independence regional – and 2020. Victims’ phones were said to have been targeted using fake texts or WhatsApp messages.
It said Aragonès wastargeted while serving as vice-president of Catalonia, while Torra – who served as regional president between 2018 and 2020 – was targeted while in office. Puigdemont, who led the failed, unilateral push for independence almost five years ago, was also targeted – as was Mas, who was targeted after leaving office.
Thirty-one regional MPs – 27 of them from the three pro-independence Catalan parties – were reportedly targeted, as were nine members of the two powerful grassroots groups, the Catalan National Assembly and Òmnium Cultural.
The Citizen Lab investigation also concluded that multiple lawyers representing prominent Catalan separatists Catalans were targeted and infected with Pegasus. According to the report, they include Gonzalo Boye, who represents Puigdemont, and Andreu Van den Eynde, a lawyer for several high-profile pro-independence politicians including the former regional vice-president Oriol Junqueras.
The report said the number of confirmed mercenary spyware victims was “extraordinarily high … [and] gives a window into what is likely a larger effort to place a significant slice of Catalan civil society under targeted surveillance for several years”.
Citizen Lab pointed out that NSO Group claims that Pegasus is sold only to governments, adding: “While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.”
It called for an official inquiry to determine who had ordered the targeting, what judicial oversight had applied, and how the hacked material was used.
Aragonès said Citizen Lab’s findings, which were first reported in the New Yorker, had revealed “a case of espionage against a democratic European movement, which puts fundamental rights at risk everywhere”.
He called on the Spanish government to provide immediate explanations, saying: “Spying on public representatives, lawyers or civil right activists is a red line.”
Amnesty International, which peer-reviewed Citizen Lab’s investigation and said it had found evidence of Pegasus targeting and infection in all cases, said the Spanish government needed to clarify whether it was an NSO Group customer.
It also urged the government to conduct “a thorough, independent investigation” into the reported use of Pegasus against those identified by Citizen Lab.
“Governments around the globe have not done enough to investigate or stop human rights violations caused by invasive spyware like Pegasus,” said Likhita Banerji, Amnesty International’s technology and human rights researcher.
“The use, sale and transfer of this surveillance technology must be temporarily halted to prevent further abuses of human rights.”
A spokesperson for NSO said: “NSO continues to be targeted by a number of politically motivated advocacy organizations like Citizen Labs and Amnesty to produce inaccurate and unsubstantiated reports based on vague and incomplete information.
“We have repeatedly cooperated with governmental investigations, where credible allegations merit. However, information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”
A spokesperson for Spain’s interior ministry said neither the ministry, the Policía Nacional, nor the Guardia Civil had ever had any dealings with NSO Group and had consequently never contracted any of its services. He added: “All communications intercepts are carried out under judicial authority and with full respect for the law.”
Spain’s National Intelligence Center (CNI) has previously told the Guardian and El País that its work is overseen by the supreme court and that it acts “in full accordance with the legal system, and with absolute respect for the applicable laws”.
In US court filings in response to claims by WhatsApp, NSO Group has denied allegations that it bore any responsibility in the targeting of individuals and said it did not operate the technology itself.