Research group Citizen Lab has found that spyware made by NSO Group Ltd. was used to target a device connected to the network of 10 Downing Street, the office and residence of Britain’s prime minister.

Citizen Lab, which is affiliated with the University of Toronto, detailed its findings today. The research group also revealed that NSO Group spyware was used to target more than 60 phones in Catalonia, Spain, including devices belonging to elected officials, academics and activists.

Israel-based NSO Group is the developer of the Pegasus spyware. The company provides Pegasus to military, law enforcement and intelligence agencies. The spyware is designed to infect iPhones without requiring the user to take any action, such as opening a malicious file, and can delete itself to avoid detection.

Last year, the U.S. Department of Commerce sanctioned NSO Group after determining that the company’s spyware was used by foreign governments to target government officials, journalists, businesspeople, activists, academics and embassy workers maliciously. NSO Group was added to an Entity List maintained by the Commerce Department’s Bureau of Industry and Security. 

Citizen Lab has found that Pegasus was used on July 7, 2020, to infect a device connected to the network at 10 Downing Street in London. The research group said that the cyberattack was “associated with a Pegasus operator we link to the UAE.” 

The New Yorker reported today that the National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street including a device belonging to Prime Minister Boris Johnson. Officials have reportedly not yet located the infected device.

Citizen Lab also detected five cases in which phones connected to the U.K.’s Foreign Office were hacked using Pegasus. The incidents occurred between July 2020 and June 2021, the research group determined. A government official who spoke to the New Yorker confirmed that signs of hacking had been uncovered at the Foreign Office. 

As part of its research, Citizen Lab has also determined that NSO Group spyware was used to target more than 60 phones belonging to people in Catalonia. Citizen Lab researchers wrote that “we do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government.”

“With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections,” Citizen Lab’s researchers stated. “Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.”

Citizen Lab’s investigation revealed that the people targeted in the hacking campaign included three members of the European Parliament, academics, activists and lawyers, as well as their staff and family members in some cases. The cyberattacks were carried out between 2017 and 2020.

As part of their investigation, the researchers determined that at least four people in Catalonia were targeted using spyware made by Candiru, a startup founded by former NSO Group employees. Citizen Lab also found a zero-day or previously undisclosed vulnerability used by NSO Group. The vulnerability, dubbed HOMAGE, was reportedly used to infect Apple Inc. devices in Catalonia from 2019 to early 2020 and has since been patched by the iPhone maker.  

Image: NSO Group