Citizen Lab Documents Israeli Surveillance Spyware Infections in Spain


Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

According to a new report from Citizen Lab, malware tools sold by Israeli firms NSO Group and Candiru were found on the devices of at least 65 Catalan individuals, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations.

The controversial NSO Group, which is being sued by U.S. tech companies, publicly claims its surveillance software is used for law enforcement and anti-terrorism activities but there have been numerous discoveries linking the high-end hacking tool to attacks on members of civil society.

“Every Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term, before, or after their retirement,” the report noted.

[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The latest Citizen Lab report stopped short of conclusive attribution but said there’s “strong circumstantial evidence” suggesting a nexus with authorities in Spain.

The report said the malware was distributed via zero-click exploits and malicious SMS messages, noting that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with NSO Group’s Pegasus between 2017 and 2020.

Citizen Lab said it worked closely with Amnesty International and Microsoft on the investigations that led to the discovery of a zero-click exploit that has not been previously described.

The group said the exploit, called HOMAGE, appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. 

[ READ: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA ]

The report noted that the HOMAGE exploit targeted older versions of Apple iOS operating system and says there’s no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.

The report also shed new light on the operations of Candiru, a secretive Israeli hacking company caught  in the past supplying Windows zero-days to government customers. Last July, Microsoft patched a pair of Windows kernel vulnerabilities exploited by Candiru and Citizen Lab said it found a “live Candiru infection on an institutional network backbone used by a consortium of Catalan universities.”

According to data from Microsoft’s Threat Intelligence Center (MSTIC), the Candiru malware was found on more than 100 victim devices across 10 countries.  The victims included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

view counter

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.

Previous Columns by Ryan Naraine:
Tags:



Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published.