Mobile phones belonging to Spain's prime minister and defence minister were infected by Pegasus spyware last year, a government spokesperson said on Monday.
Prime Minister Pedro Sánchez’s mobile phone was breached twice in May 2021, and Defence Minister Margarita Robles’ device was targeted once the following month, Presidency Minister Félix Bolaños told reporters at a morning press conference.
"We have no doubt that this is an illicit, unauthorised intervention," Bolaños said. "It comes from outside state organisations and it didn’t have judicial authorisation".
The Pegasus spyware behind the attack is produced by Israeli security firm NSO, which says it only sells the software to government agencies.
Bolaños said that technical reports by Spain's National Cryptologic Centre had evaluated the volume of data extracted from the two devices.
In all, 2.6 gigabytes of information was obtained from the Spanish prime minister's phone during the first attack and 130 megabytes during the second, while 9 gigabytes were stolen from the defence minister.
"There is no evidence of any intrusion after these dates," Bolaños said.
Last year, French President Emmanuel Macron was among 14 current or former heads of state on a list of potential Pegasus targets leaked to human rights organisation Amnesty International.
Catalan spying allegations
Spain’s Socialist-led government is under pressure to explain why devices belonging to dozens of people connected to the separatist movement in the northeastern Catalonia region were infected with Pegasus between 2017 and 2020, according to an analysis by Citizen Lab, a cybersecurity group of experts affiliated with the University of Toronto.
The revelations involve at least 65 people, including elected officials, lawyers and activists, targeted with the software of two Israeli companies, Candiru and NSO Group, the developer of Pegasus.
The spyware silently infiltrates phones or other devices to harvest data and potentially spy on their owners.
The regional Catalan government has accused Spain’s National Intelligence Centre, or CNI, of spying on separatists, and declared that relations with national authorities were "on hold" until full explanations are offered and those responsible are punished.
The conservative Popular Party, or PP, was in office in 2017, when Catalan separatists declared independence following an unauthorized referendum, although no further action was taken to execute the declaration. The PP remained in power until mid-2018, when it was ousted by Sánchez in a parliamentary vote.
What is Pegasus spyware?
Unlike most spyware, Pegasus doesn't require its victims to unwittingly download it, for example by opening an infected attachment or clicking a link.
It can infect iOS, Android or BlackBerry phones without alerting their owners. Once installed, it allows NSO's clients to take control of a device, to activate the camera and the microphone, see geolocation data and read the content of messages – even those sent via encrypted platforms like Telegram and WhatsApp.
Pegasus' maker NSO says the software is not designed for mass surveillance, but for counterterrorism purposes.
The company, formed in 2011, says it only sells to genuine government agencies and that it vets clients for their human rights records.
However, it has been accused of helping facilitate authoritarianism. The Pegasus software has been used by countries including Azerbaijan, Saudi Arabia and Azerbaijan.