Citizen Lab, an affiliated research group with the University of Toronto, stated that a large-scale investigation it conducted with Catalan civil societies groups found at least 65 people were targeted and their devices infected by what it calls "mercenary spyware" sold in Israel by Candiru and NSO Group.
NSO stated that the allegation was not related to NSO products. Candiru could not be reached by The Associated Press for comment.
Most of these incidents took place between 2017 and 2020 , when attempts to create an independent state in northeastern Spain caused the country's worst political crisis in decades. The ex-Catalan Cabinet, which pushed for an illegal referendum on independence, was ousted. Many of its members were either imprisoned or fled from the country, including Carles Puigdemont, ex-regional president.
Pegasus spyware from NSO has been used to hack into computers and phones of journalists, human rights activists, and Catholic clergy around the globe. The U.S. federal government placed export restrictions on the firm. NSO was accused of "transnational repression." NSO was also brought before the courts by major technology companies like Meta, owner of WhatsApp.
Citizen Lab stated that its investigation into the use of Pegasus in Spain and spyware created by Candiru, an Israeli firm founded by former NSO employees, began in late 2019, after a few cases targeting high-profile Catalan pro independence individuals were revealed. Amnesty International claimed that the attacks were independently verified by its technical experts.
Toronto-based non profit said it couldn't find any conclusive evidence that could be used to link the hacking of Catalan phone numbers to one entity.
Citizen Lab stated that "there is a lot of evidence to suggest that there is a strong connection with Spanish government entities."
According to Spain's Interior Ministry, no ministry or police department nor the Civil Guard had ever been in contact with NSO. They also stated that all communications in Spain are handled under a judicial order and in compliance with law.
The office of the prime minister didn't respond immediately to questions from AP. The Ministry of Defense oversees Spain’s intelligence services and armed forces. A spokesperson for the Ministry of Defense declined to confirm if it had contracted NSO software.
The spokeswoman said that "The government in Spain always acts according the law," but she was not authorized to speak to the media.
Pegasus infiltrates smartphones to steal personal and location information. It also secretly controls microphones and cameras on the phone, making it a real-time surveillance device. The stealthiest hacking software by NSO Group uses "zero click" exploits to infect targeted smartphones without user interaction.
NSO Group claimed that it was being targeted in Citizen Lab and Amnesty International by "inaccurate, unsubstantiated reports" as well as "false allegations" that "couldn't be related to NSO products. This is for contractual and technological reasons."
"We have cooperated repeatedly with governmental investigations, when credible allegations merit," a spokesperson for the NSO said in a statement.
At least three European legislators representing Catalan separatist party members, two prominent pro-independence civil societies groups, their lawyers, and other elected officials were among the targets
These revelations are made as European Union legislators hold Tuesday's first meeting of a commission to investigate breaches of EU law related to hacker-for hire spyware.
Researchers found that four former Catalan presidents, including Puigdemont, and Quim Torra, were subject to indirect or direct spying.
According to Citizen Lab, Pere Aragones was the current Catalan president. His phone was infected while he was Torra's deputy between 2018 and 2020. He said that "massive spying against the Catalan independence movements is an unjustifiable shame, an attack upon fundamental rights, and democracy."
The software cannot be purchased by state entities so the Spanish government must explain, Aragones stated in a series tweets.
He wrote, "No excuses can be made." "To spy upon representatives of citizens, lawyers, or civil rights activists it is a red flag."
The Spanish Defense Ministry responded to Amnesty International's 2020 request for complete disclosure of contracts with private digital surveillance firms.
Likhita Banerji (an Amnesty International researcher) stated that the Spanish government must be transparent about whether it is a customer or not of NSO Group. It must also conduct an independent investigation into the Pegasus spyware use against the Catalans.
Citizen Lab also reported Monday that it found evidence in 2020-2021 that the British prime Minister's Office was infected by Pegasus spyware, which is linked to the United Arab Emirates. It claimed it discovered suspected infections in Britain's Foreign Office that were linked to India, Cyprus and Jordan.
According to the group, it informed the British government of the findings.
Mexico, El Salvador, Hungary, and Poland are some of the other countries in which Citizen Lab and public-interest researchers confirmed Pegasus infections on political dissidents.
NSO Group claims that it sells Pegasus only to government agencies for targeting criminals and terrorists. However, hundreds of cases have been recorded of the use of Pegasus against human rights activists, lawyers and reporters, as well as their families.