Spain: Pegasus invites itself in Spanish lands

The Pegasus affair has not finished making news. A new chapter opened this April 19th in Spain: 35 MEPs are reported to have been victims of the spyware.

Let’s have a look at Pegasus and its Spanish news.

Spain, the new chapter of Pegasus

What is Pegasus?

Pegasus is a spyware published by the Israeli company NSO Group.

Initially intended for intelligence work and the fight against crime and terrorism, its use has gone beyond that remit and appears to have been misused.

The journalism consortium Forbidden Stories revealed in July 2021 that the software was reported to have infiltrated 17 media outlets around the world, as well as 600 politicians, military officers, lawyers… In total, 50,000 phone numbers were affected.

This is the cyber espionage case that made the headlines and continues to make news.

How does Pegasus work?

Pegasus works without human intervention. The victim does not need to click on anything to get infected, and that is the danger of the tool: it spreads by itself.

It is thus able to remotely enter any smartphone (iOS or Android) and siphon off all of its data (photos, messages, contact list, recordings of phone conversations, WhatsApp…); it can even activate the phone’s camera or microphone.

To do this, it uses sophisticated techniques to bypass the operating system’s security.

According to Amnesty International, “NSO Group relies on the AWS CloudFront (CDN) offering to deliver its first attacks”. The company relies on zero-day vulnerabilities.

Pegasus in Spain

On April 19, the Pegasus affair was back in the news, this time in Spain.

Citizen Lab revealed that between 2017 and 2020, a total of 65 people were victims of the software, including Catalan pro-independence politicians.

Among the people targeted are the current Catalan regional president Pere Aragonès, as well as Carles Puigdemont, Jordi Solé, Quim Torra and Artur Mas.

[Image: Citizen Lab report on the “CatalanGate” on Twitter]

The suspicion is that the Spanish government may be the sponsor: the dates correspond to the period when the referendum on the independence of Catalonia took place.

The government denies it and has undertaken to shed light on the matter.

How did Pegasus infect the phones of these victims?

Analysts have found two infection vectors:

  1. Zero-click exploits: this type of attack is carried out via existing vulnerabilities on the device, with no action required from the victim.
  2. Malicious SMS messages, of which there were more than 200 in total. Some were personalized and therefore more credible; others were alerts about Spanish political news.

The messages came from fake institutions, such as Social Security or the Ministry of Health.

This case reawakens the tensions between Madrid and Catalonia, which had calmed down since 2020 thanks to the actions of Pedro Sánchez. The socialist’s government had indeed pardoned nine pro-independence activists and allowed dialogue to resume.

The president of the Generalitat de Catalunya has declared that he is suspending all dialogue with the government:

“Until an internal, independently supervised investigation is opened.”

Pere Aragonès, President of the Generalitat of Catalonia

The tensions are palpable.

TEHTRIS as protection

In the face of this type of attack, TEHTRIS recommends a few measures, such as:

  1. Turn off your phone at least once a day.
  2. Update your applications and software.
  3. Prioritize good protection of your endpoint.

You can follow our advice mentioned in our article: How to protect yourself from mobile cyber threats?

TEHTRIS MTD, our Mobile Threat Defense solution, is able to identify malicious applications and to analyze and detect the presence of spyware thanks to its constantly evolving knowledge base.

During the 2021 Pegasus case, the attackers used numerous domain names to mask their attacks and stage malicious operations. Whenever an enterprise phone protected by TEHTRIS MTD looks up a domain, the action is logged. When a domain is unknown, suspicious or malicious, DNS protection is activated and cuts off the request, protecting the phone upstream.

Each program installation is also logged. When a program is installed that is not authorized by Apple, for example, a security alert is raised. The TEHTRIS XDR Platform’s console can then be used to find all the phones that have been compromised.
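The two checks described above (logging every DNS lookup and cutting off unknown, suspicious or known-malicious domains; logging every installation and alerting on unauthorized sources) can be illustrated with a small detection script. This is an added example, not TEHTRIS MTD code: the log format, the allowlist and blocklist entries, the fleet history, the device names and the install sources are all constructed for the demo.

```python
import math
from collections import Counter

# Constructed reference data (assumptions for the demo). A real deployment
# would take these from a threat-intelligence feed and the fleet's own history.
ALLOWLIST = {"apple.com", "icloud.com", "corp.example"}
KNOWN_MALICIOUS = {"update-verify.example", "sms-notify.example"}
PREVIOUSLY_SEEN = {"apple.com", "icloud.com", "corp.example", "news-site.example"}
AUTHORIZED_INSTALL_SOURCES = {"app_store", "mdm"}

# Constructed log lines in a made-up format:
#   <timestamp> <device> dns <fqdn>
#   <timestamp> <device> install <bundle-id> source=<source>
SAMPLE_LOG = """\
2022-04-19T10:02:11Z phone-07 dns apps.apple.com
2022-04-19T10:02:15Z phone-07 dns update-verify.example
2022-04-19T10:03:40Z phone-12 dns xk9q2rmt7v.example
2022-04-19T10:04:02Z phone-12 dns news-site.example
2022-04-19T10:05:02Z phone-12 install com.example.helper source=sideload
2022-04-19T10:05:30Z phone-03 install com.example.mail source=app_store
"""


def registered_domain(fqdn):
    """Crude registrable-domain extraction: keep the last two labels.
    Good enough for the demo; production code should use the public suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_domain(fqdn):
    """Decide whether a lookup is allowed or cut off, following the policy in the
    text: allowlisted -> allow; known malicious -> block; never seen by the fleet
    -> block as unknown (or suspicious if the label looks random); else allow."""
    base = registered_domain(fqdn)
    if base in ALLOWLIST:
        return "allow", "allowlisted"
    if base in KNOWN_MALICIOUS:
        return "block", "known malicious"
    if base not in PREVIOUSLY_SEEN:
        if label_entropy(base.split(".")[0]) > 3.0:
            return "block", "suspicious label"
        return "block", "unknown domain"
    return "allow", "previously seen"


def check_install(bundle_id, source):
    """Return an alert string for any install not coming from an authorized source."""
    if source in AUTHORIZED_INSTALL_SOURCES:
        return None
    return f"unauthorized install of {bundle_id} from {source}"


def process_log(text):
    """Run both checks over the log and return findings grouped per device,
    which is what a console view of compromised phones needs."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        device, kind, subject = parts[1], parts[2], parts[3]
        if kind == "dns":
            verdict, reason = classify_domain(subject)
            if verdict == "block":
                findings.setdefault(device, []).append(f"dns blocked {subject}: {reason}")
        elif kind == "install":
            kv = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
            alert = check_install(subject, kv.get("source", "unknown"))
            if alert:
                findings.setdefault(device, []).append(alert)
    return findings


def compromised_devices(findings):
    """Sorted list of devices with at least one finding."""
    return sorted(findings)


if __name__ == "__main__":
    results = process_log(SAMPLE_LOG)
    for device in compromised_devices(results):
        for item in results[device]:
            print(f"{device}: {item}")
```

With the constructed log, phone-07 is flagged for the known-malicious domain, phone-12 for a random-looking unknown domain and a sideloaded install, and phone-03 (App Store install only) stays clean. The "block unknown" rule is deliberately strict, as the text describes; in practice the fleet history would be seeded from a learning period so that ordinary new domains do not generate noise.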

Our solution monitors elements that other solutions usually miss.