A hitherto unknown Apple iMessage zero-click exploit was used to install mercenary spyware from NSO Group and Candiru against at least 65 people as part of a “multi-year clandestine operation.”
Of the 65 individuals, 63 were attacked with Pegasus and another four were infected with Candiru. Two of the devices were infected with both malware families. The incidents occurred mostly between 2017 and 2020. In its exhaustive report, Citizen Lab does not conclusively attribute the operations to a specific entity, but strong circumstantial evidence suggests a link with the Spanish authorities.
The attacks involved the use of an iOS exploit called HOMAGE to penetrate devices running versions prior to iOS 13.2, which was released on October 28, 2019. It should be noted that the latest version of iOS is iOS 15.4.1.
The connection with the Spanish authorities suggested by Citizen Lab is based on a “series of circumstantial evidence”. The entity also cites an exclusive report, published by The Guardian and El País in July 2020, which revealed that the phone of Roger Torrent, president of the Parliament and number two in the political hierarchy of Catalonia, “had been hacked in what seems to be a case of internal political espionage in a European democracy”.
In addition to relying on the now-patched WhatsApp vulnerability (CVE-2019-3568), the attacks made use of multiple zero-click iMessage exploits and malicious SMS messages to hack Catalan targets’ iPhones with Pegasus over a three-year period.
“The HOMAGE exploit appears to have been in use for the last few months of 2019, and involved a zero-click iMessage component that launched an instance of WebKit in the com.apple.mediastream.mstreamd process, after a com.apple.private.alloy.photostream lookup for a Pegasus email address,” the researchers said.
The issue is believed to have been resolved by Apple in iOS version 13.2, as the exploit was observed to work only against devices running iOS versions 13.1.3 and below. Another exploit chain, called KISMET, which targeted iOS 13.5.1, was also used.
On the other hand, the four people who were affected by the Candiru spyware were victims of an email-based social engineering attack designed to trick them into opening seemingly legitimate links about COVID-19 and messages impersonating the Mobile World Congress (MWC), an annual trade fair held in Barcelona.
Both Pegasus and Candiru spyware (called DevilsTongue by Microsoft) are designed to covertly gain broad access to sensitive information stored on desktop and mobile devices.
“The spyware is capable of reading texts, listening to calls, collecting passwords, tracking locations, accessing the target device’s microphone and camera, and gathering information from applications. Encrypted calls and chats can also be monitored. The technology can even maintain access to victims’ cloud accounts after the infection is complete,” the researchers write.
Links to NSO Group’s Pegasus and Candiru stem from infrastructure overlaps, with the hacking operations likely the work of a client linked to the Spanish government due to the timing of the attacks and victimological patterns, Citizen Lab said.
“If the Spanish government is responsible for this case, it raises urgent questions about whether there is adequate oversight of the country’s intelligence and security agencies, as well as whether there is a robust legal framework that the authorities are obliged to follow when undertaking any surveillance activities. Formally, the operations of the Spanish security agencies are supervised by the judiciary and the corresponding minister. However, it is hard to see how a well-functioning oversight mechanism could allow extensive and, in some cases, reckless hacking of numerous elected officials at such a sensitive time. It is also unclear what, if any, safeguards were put in place to ensure the protection of the hacked data, nor how it was handled.”
“Hacking of the devices of family members of prime targets, such as innocent spouses and parents, is especially concerning. Such extensive clandestine hacking by a state against such targets is almost certainly outside the scope of what would be permissible under international human rights law.”
“While Europe has recently made great strides in privacy and data protection, such as the General Data Protection Regulation (GDPR), the picture is less bright when it comes to independent oversight of intelligence agencies, which remain largely shrouded in secrecy and may be exempt from the privacy rules applied to other entities. The possibility that an EU Member State is responsible for a politically tinged domestic mass surveillance operation should serve as a wake-up call for a collective inquiry into the need for effective oversight.”
“Lastly, the case is also notable because Spain is a democracy, and this case adds to the growing number of other democracies that we have discovered to have abused mercenary espionage, such as Poland, India, Israel and El Salvador. While it is true and now widely recognized that spyware and commercial surveillance technologies embolden authoritarian regimes and contribute to the spread of authoritarian practices around the world, this case is a good reminder that all countries are prone to abuse spyware when there are no safeguards or supervision, even democratic ones, like Spain”, the researchers conclude.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.