Experts Uncover Spyware Attacks Against Catalan Politicians and Activists

A previously unknown zero-click exploit in Apple’s iMessage was used to install mercenary spyware from NSO Group and Candiru against at least 65 individuals as part of a “multi-year clandestine operation.”

“Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organizations,” the University of Toronto’s Citizen Lab said in a new report. “Family members were also infected in some cases.”

Of the 65 individuals, 63 were targeted with Pegasus, and four others were infected with Candiru, with iPhones belonging to at least two compromised with both. The incidents are said to have mostly occurred between 2017 and 2020.

The attacks involved the weaponization of an iOS exploits dubbed HOMAGE that made it possible to penetrate the devices running versions prior to iOS 13.2, which was released on October 28, 2019. It’s worth noting that the latest version of iOS is iOS 15.4.1.

Although the intrusions have not been attributed to a specific government or entity, the Citizen Lab implied a connection to the Spanish authorities based on a “range of circumstantial evidence,” citing ongoing tensions between the country and the autonomous community of Catalonia amid calls for Catalan’s independence.

The findings build on a prior report from The Guardian and El País in July 2020 that revealed a case of domestic political espionage aimed at Catalan pro-independence supporters using a vulnerability in WhatsApp to deliver the Pegasus surveillanceware.

Besides relying on the now-patched WhatsApp vulnerability (CVE-2019-3568), the attacks made use of multiple zero-click iMessage exploits and malicious SMS messages to hack Catalan targets’ iPhones with Pegasus over a three year period.

“The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the process, following a lookup for a Pegasus email address,” the researchers said.

The issue is likely believed to have been closed by Apple in version iOS 13.2, as the exploit was observed as being fired only against devices running iOS versions 13.1.3 and lower. Also put to use is another exploit chain called KISMET that was present in iOS 13.5.1. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *