The case dates to May 2022, when the court launched a probe into the alleged spying on devices belonging to Prime Minister Pedro Sánchez and Defence Minister Margarita Robles.
# Incident Report: Spanish Government Officials Targeted by Pegasus Spyware
## Executive Summary
In May 2022, an investigation was launched by Spain's High Court into the alleged exploitation of Pegasus spyware, developed by Israel’s NSO Group, targeting the mobile devices of high-ranking government officials, including the Prime Minister and Defence Minister. The probe was ultimately closed due to a lack of cooperation from the Israeli government, which hindered the ability to determine who ordered the attacks. The incident revealed evidence of compromise that the court stated "jeopardized the security of the Spanish State."
## Incident Details
- Discovery Date: Investigation launched in May 2022 (final closure January 2026).
- Incident Date: Not stated in the source; the infections necessarily predate the May 2022 probe that was opened in response to them.
- Affected Organization: Spanish Government (Prime Minister Pedro Sánchez, Defence Minister Margarita Robles, Interior Minister, Agriculture Minister).
- Sector: Government/Public Sector.
- Geography: Spain.
## Timeline of Events
### Initial Access
- Date/Time: Before May 2022; the source gives no precise infection dates.
- Vector: Zero-click delivery of Pegasus spyware (implied by the tool; the specific exploit chain is not identified in the source).
- Details: Devices belonging to PM Sánchez (reportedly infected five times), Defence Minister Robles, the Interior Minister and the Agriculture Minister were allegedly targeted.
### Lateral Movement
- Details: Not applicable. Pegasus compromises each targeted handset individually, and the source describes no movement between devices; the impact lies in full access to the data on each infected device.
### Data Exfiltration/Impact
- Details: The source does not itemize what was taken. The nature of the tool implies surveillance and theft of communications and data from the targeted executive devices, which led the court to state that the compromise "jeopardized the security of the Spanish State."
### Detection & Response
- Date/Time: Probe launched May 2022. Reopened April 2024. Closed permanently January 2026.
- Details: The Audiencia Nacional high court launched a probe. It was closed initially due to obstruction, reopened in April 2024 after France shared analogous domestic Pegasus findings, and then closed again in January 2026 due to continued non-cooperation from Israel.
## Attack Methodology
- Initial Access: Pegasus spyware, most likely via a zero-click exploit chain; the chain itself is not identified in the source.
- Persistence: Not described in the source.
- Privilege Escalation: Not described in the source; a Pegasus exploit chain escalates from its initial foothold to full device control, so the stage is implied by the compromise rather than documented.
- Defense Evasion: Not described in the source; zero-click delivery by design gives the target no prompt to refuse and leaves no user-visible trace.
- Credential Access: Not described in the source. Full device control would expose stored credentials and session tokens, but the source does not say this occurred.
- Discovery: Not described in the source; targeting was of specific individuals, not broad reconnaissance.
- Lateral Movement: Not applicable; each government device was targeted separately.
- Collection: Device data collection via Pegasus.
- Exfiltration: Data extracted from infected devices; the volume is not given in the source.
- Impact: Compromise of executive government communications, perceived threat to state security.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Highly sensitive government communications and data; the source reports five separate infections of the Prime Minister's device but does not quantify what was exfiltrated.
- Operational: Disruption of trust and security protocols stemming from the sustained surveillance of leadership.
- Reputational: Significant strain on political and diplomatic relations, both from the use of a commercial surveillance tool (NSO Group's Pegasus) whose export is licensed by the Israeli government and from that government's refusal to cooperate with the probe.
## Indicators of Compromise
- Network indicators: N/A (No specific IPs/domains provided).
- File indicators: N/A (No specific file hashes provided).
- Behavioral indicators: Confirmed Pegasus infections on the mobile devices of senior officials; the source provides no forensic artefacts (processes, files, domains) beyond that finding.
## Response Actions
- Containment measures: Not specified, though the investigation was a form of indirect response.
- Eradication steps: Not specified.
- Recovery actions: Not specified. The main action taken by the state was judicial investigation, which ultimately stalled.
## Lessons Learned
- Foreign Government Obstruction: Judicial investigations of attacks carried out with state-licensed commercial spyware (here NSO Group's Pegasus, whose export is controlled by Israel) face significant barriers when international judicial cooperation is denied or obstructed.
- State Security Risk: The compromise of heads of government via commercial spyware poses a direct threat to national security structures.
- International Cooperation Failures: Israel reportedly failed to respond to five official cooperation requests, illustrating the limits of international law enforcement when dealing with state-backed technology exports.
## Recommendations
- Increase proactive threat hunting on the mobile devices of senior leadership, using published spyware indicators and periodic forensic checks, since zero-click infections leave no user-visible sign.
- Develop robust diplomatic and intelligence channels to counter espionage attempts when formal judicial cooperation routes are blocked by foreign governments.
- Review and strengthen Mobile Device Management (MDM) and endpoint security policies for all executive staff. MDM cannot block a zero-click exploit, but enforced patch levels, hardened device modes and scheduled forensic collection shorten the window in which sophisticated spyware operates undetected.
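As an added example, not code from this report or from any vendor, the block below shows the core of the threat-hunting step recommended above: publicly shared spyware indicators (such as Amnesty International's feed, which the Mobile Verification Toolkit consumes) are distributed as STIX2 bundles whose indicators carry patterns like `[domain-name:value = 'x']` or `[process:name = 'y']`. The code parses that pattern syntax and scans device artefact records against it. Every indicator value, STIX identifier and device record here is a constructed placeholder, not a real Pegasus indicator.

```python
"""Minimal STIX2 indicator matcher for mobile-device artefacts (added example).

All indicator values, identifiers and records are CONSTRUCTED placeholders;
they are not real Pegasus IoCs.
"""
import json
import re
from collections import defaultdict

# One STIX2 comparison expression: [object-type:property = 'value']
_PATTERN_RE = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")


def parse_stix_indicators(bundle_json: str) -> dict:
    """Collect indicator values from a STIX2 bundle, keyed by STIX object type.

    Returns e.g. {"domain-name": {"..."}, "process": {"..."}, "file": {"..."}}.
    Non-indicator objects (malware, relationship, ...) are ignored.
    """
    bundle = json.loads(bundle_json)
    iocs = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for obj_type, _prop, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            iocs[obj_type].add(value.replace("\\'", "'").lower())
    return dict(iocs)


def scan_records(records: list, iocs: dict) -> list:
    """Match artefact records against the IoC sets.

    Each record is {"kind": "domain"|"process"|"file", "value": str, ...}.
    Domains match on the exact name or on any parent domain, so a lookup of
    cdn.evil.test is flagged by an indicator for evil.test. Processes and
    file names match case-insensitively on the full value.
    """
    kind_to_type = {"domain": "domain-name", "process": "process", "file": "file"}
    hits = []
    for rec in records:
        candidates = iocs.get(kind_to_type.get(rec["kind"], ""), set())
        value = rec["value"].lower()
        matched = None
        if rec["kind"] == "domain":
            labels = value.split(".")
            for i in range(len(labels)):
                parent = ".".join(labels[i:])
                if parent in candidates:
                    matched = parent
                    break
        elif value in candidates:
            matched = value
        if matched is not None:
            hits.append({**rec, "ioc": matched})
    return hits


# Constructed STIX2 bundle: placeholder indicators, not a real feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'updates-example.test']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[process:name = 'examplehelperd']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[file:name = 'example-cache.plist']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "placeholder", "is_family": True},
    ],
})

# Constructed device artefact records (what a backup/sysdiagnose parser would yield).
SAMPLE_RECORDS = [
    {"kind": "domain", "value": "cdn.updates-example.test", "source": "network-usage"},
    {"kind": "domain", "value": "app-store.example", "source": "network-usage"},
    {"kind": "process", "value": "ExampleHelperd", "source": "process-list"},
    {"kind": "process", "value": "launchd", "source": "process-list"},
    {"kind": "file", "value": "example-cache.plist", "source": "filesystem"},
]


def run_hunt(bundle_json: str = SAMPLE_BUNDLE, records: list = SAMPLE_RECORDS) -> list:
    """Parse the bundle, scan the records and return the list of hits."""
    return scan_records(records, parse_stix_indicators(bundle_json))


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"{hit['source']}: {hit['kind']} {hit['value']!r} matched IoC {hit['ioc']!r}")
```

The parent-domain rule matters in practice because spyware infrastructure rotates hostnames under a small set of registered domains; matching only exact names would miss most lookups. Replace the constructed bundle with a published feed and the record list with the output of a real artefact parser to turn this into an actual hunt.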