Full Report
A provincial court in Barcelona has ordered that three former senior executives at NSO Group, a prominent spyware manufacturer, be indicted for their alleged role in a high-profile hacking scandal in which at least 63 Catalan civil society members were targeted with the company’s surveillance technology.
Analysis Summary
# Incident Report: Catalan Civil Society Hacking via Pegasus Spyware
## Executive Summary
Three former senior executives at NSO Group are being indicted by a Barcelona court for their alleged role in a hacking campaign that targeted at least 63 Catalan civil society members, elected officials, and MEPs between 2017 and 2020. The compromise involved the deployment of NSO's zero-click Pegasus spyware. This legal action sets a significant precedent for holding spyware manufacturers accountable in Europe, although attribution of the deployment itself remains circumstantial, with the evidence pointing to the Spanish government.
## Incident Details
- **Discovery Date:** Not stated explicitly; a 2022 Citizen Lab report detailed the scope of the targeting.
- **Incident Date:** Most incidents took place between 2017 and 2020.
- **Affected Organization:** Individuals associated with the Catalan independence movement, including civil society members, Catalan government officials, and Members of the European Parliament (MEPs).
- **Sector:** Political/Civil Society Advocacy, Government.
- **Geography:** Catalonia, Spain.
## Timeline of Events
### Initial Access
- **Date/Time:** Between 2017 and 2020.
- **Vector:** Alleged zero-click exploitation of the targets' mobile devices using NSO Group's Pegasus surveillance technology.
- **Details:** At least 63 victims' phones were targeted and, in some cases, infected with NSO's zero-click Pegasus spyware.
### Lateral Movement
- *Not explicitly detailed in the context, but implied movement within the targeted devices to extract data.*
### Data Exfiltration/Impact
- **Impact:** Surveillance and compromise of personal devices belonging to individuals connected to the Catalonia independence movement, including elected officials.
### Detection & Response
- **Detection:** Investigation and diagnosis led by Citizen Lab.
- **Response Actions:** A provincial court in Barcelona has ordered the indictment of three former NSO Group executives (Shalev Hulio, Omri Lavie, and Yuval Somekh) for their alleged responsibility. Legal proceedings have been initiated under Barcelona’s “discovery and disclosure of secrets” statute.
## Attack Methodology
- **Initial Access:** Zero-click exploitation method utilized by Pegasus spyware (specific vulnerability not detailed).
- **Persistence:** Maintained presence via the embedded spyware package.
- **Privilege Escalation:** Not explicitly detailed; spyware such as Pegasus is known to obtain deep, privileged access to the device once installed.
- **Defense Evasion:** The nature of zero-click attacks inherently evades typical end-user security measures.
- **Credential Access:** Implied through device compromise.
- **Discovery:** Target selection and reconnaissance capabilities inherent in the spyware platform itself.
- **Lateral Movement:** Not detailed.
- **Collection:** Harvesting data from targeted mobile phones.
- **Exfiltration:** Implied data extraction following successful infection.
- **Impact:** Comprehensive surveillance of targets, including elected officials.
## Impact Assessment
- **Financial:** Not specified, though victims and oversight bodies incurred legal and investigative costs.
- **Data Breach:** Sensitive personal and professional communications data from at least 63 individuals.
- **Operational:** Disruption and chilling effect on Catalan political and civil society activities due to alleged state-level surveillance.
- **Reputational:** Significant global reputational damage to NSO Group concerning the use and export of its surveillance tools.
## Indicators of Compromise
- **Network Indicators:** None provided.
- **File Indicators:** None provided.
- **Behavioral Indicators:** Unusual battery drain, unexpected device reboots, or remote activation of the microphone/camera (behaviours commonly associated with Pegasus infections, though not listed in the source). These symptoms are unreliable on their own; confirmation requires forensic examination of the device, as Citizen Lab performed in this case.
## Response Actions
- **Containment measures:** Not specified for the technical response; victims likely had to secure or replace affected devices.
- **Eradication steps:** Device sanitization upon confirmation of infection.
- **Recovery actions:** Pursuit of legal accountability through judicial indictment.
## Lessons Learned
- The sophisticated nature of mercenary spyware like Pegasus poses an extreme threat to civil society and democratic processes.
- Legal frameworks can be used, even against foreign entities, to hold individuals responsible for providing surveillance tools used in espionage, setting important precedents in Europe.
- Attribution remains difficult, though circumstantial evidence (pointing to the Spanish government) highlights potential misuse by state actors.
## Recommendations
- Implement rigorous mobile device security policies that emphasise prompt installation of operating-system updates, even when the vendor's release notes do not disclose the vulnerabilities being fixed.
- Organizations and individuals involved in sensitive political discourse should use end-to-end encrypted communication platforms and, where possible, device configurations designed to resist zero-click exploits.
- Enhance legal and international oversight mechanisms concerning the sale and deployment of offensive cyber capabilities.