Catalan parliamentary speaker’s cellphone was targeted with a spy program only available to governments

The cellphone used by the speaker in the Catalan regional parliament, Roger Torrent, was targeted with Pegasus, a spy program developed by an Israeli company named NSO, and which can only be purchased by governments and security forces and used to target crime and terrorism.

Torrent’s phone was attacked using Pegasus in 2019, according to a joint investigation by EL PAÍS and The Guardian.

The intrusion into the handset of the pro-Catalan independence politician, who belongs to the Catalan Republican Left (ERC) party, was possible due to a security fault in the WhatsApp messaging service that, between April and May 2019, could be used to install the NSO spy program in at least 1,400 cellphones across the world. The method for the attack was a missed video call, according to WhatsApp.

When you find a Pegasus target, you find the fingerprints of a government

Citizen Lab researcher John Scott-Railton

Pegasus took advantage of this weakness to attack Torrent’s phone, according to Citizen Lab, a cybersecurity group from the Munk School of Global Affairs and Public Policy at the University of Toronto, which exclusively investigated the fault in the messaging application in 2019. WhatsApp supplied Citizen Lab with the numbers that had been targeted by the Israeli cyberespionage program, among which was that of Torrent, according to these researchers, who publicly revealed the existence of Pegasus.

EL PAÍS and The Guardian have had access to a certificate emitted by Citizen Lab that validates the fact that the speaker’s phone was attacked with the NSO spyware. “The investigation identified that the number belongs to Mr Roger Torrent,” the analysis states.

The document explains that the attackers resorted to a missed WhatsApp call “that did not require a response” to target the politician’s phone, and it contains “ample evidence that could establish that Torrent was monitored.”

Torrent’s phone figures on a list of a hundred or so cases across the world that were compiled by Citizen Lab of “representatives of civil society” who were indiscriminately attacked via the WhatsApp vulnerability, according to the Canadian institution. Citizen Lab states that 130 activists have been unjustified victims of the NSO program since 2016.

Pegasus permits conversations to be listened to, messages read, access to the phone’s memory, screenshots to be taken, browsing history to be tracked and for remote access of the device’s microphone and camera. This opens the door for the program to listen to the ambient sound in a room if a phone has been infected. The system even allows for encrypted messages and voice calls to be recorded, according to the Canadian experts.

In 2018, Pegasus was being used in 45 countries, targeting activists in Bahrain, Kazakhstan, Saudi Arabia, the United Arab Emirates and Mexico

The researchers connected the mysterious disappearance of WhatsApp messages from Torrent’s cellphone in 2019 with an indication that the phone “could have been manipulated by a third party and infected.” And while they cannot identify who ordered the attack, they point out that the Israeli firm that created Pegasus “exclusively sells its products to governments.” This fact is confirmed by NSO on its website, where it presents its services as solutions for the armed forces and the police to combat crime.

While Torrent’s cellphone was targeted by Pegasus, in 2019, the parliamentary speaker took part in dozens of political meetings and also appeared as a witness in Spain’s Supreme Court during the trial of the politicians and civil leaders who were involved in the 2017 independence drive in the Catalonia region, which saw an illegal referendum on secession from Spain held in October of that year. Among the sentences handed down by the court, Carme Forcadell, Torrent’s predecessor as speaker in the regional parliament, was given 11-and-a-half years in jail for the offense of sedition.

In May 2019, when he was being targeted with Pegasus, Torrent took part in a meeting in Strasbourg with the Council of Europe Commissioner for Human Rights, Dunja Mijatvic.

“I noticed strange things,” Torrent explains. “WhatsApp messages and chat histories would be deleted. It didn’t happen to the people around me.” The politician also says that he received “strange” SMS messages in 2019. Torrent says that he sees the hand of the “Spanish state” behind the Pegasus attack.

“The government has no evidence that the speaker of the Catalan parliament, Roger Torrent [...] [has] been the targets of hacking via their mobiles,” says a spokesperson from the Spanish government, who points out that any monitoring of communications requires a court order.

A spokesperson from the CNI, Spain’s intelligence services, says that the organization acts “in full accordance with the legal system, and with absolute respect for the applicable laws.” The same spokesperson adds that the actions of the secret service are supervised by a magistrate from the Supreme Court.

EL PAÍS and The Guardian have unsuccessfully tried to obtain the versions of the Civil Guard, the National Police and the Interior Ministry as to what happened.

Citizen Lab recognizes the difficulty of proving the reach of the cyber attack on Torrent’s cellphone, given that, as it indicates, the NSO programs “have an erasing system on the devices.” “When you find a Pegasus target, you find the fingerprints of a government,” says the researcher from this group, John Scott-Railton.

We can confirm that Torrent’s telephone was targeted. However, additional investigation would be necessary to confirm that the phone was hacked

Citizen Lab researcher John Scott-Railton

According to the expert, “we can confirm that [Torrent’s] telephone was targeted. However, additional investigation would be necessary to confirm that the phone was hacked. At this time we have no reason to believe that it wasn’t.”

After being informed about the issue by this newspaper, Torrent’s team got in touch last Thursday with Scott-Railton. “They gave us the cellphone of the parliamentary speaker without us having asked for it and they said that it was among those attacked by Pegasus,” a spokesperson for the politician explains. “Was the infection successful? [Citizen Lab researcher John] Scott-Railton believes so because Torrent’s WhatsApp messages in 2019 were erased, which is one of the effects of Pegasus.”

Controlled by the London-based fund Novalpina Capital, NSO says that it has a policy for the investigation of the improper use of its systems.

NSO has refused to clarify if Spain is among its clients. “Due to confidentiality agreements, we cannot confirm which authorities use our technology,” the company replied via email. The firm has said that it will begin an investigation “if it is proved” that its products were used improperly in Spain.

The Israeli company has distanced itself in the United States’ courts from the improper use of its spy program. The firm attributes this responsibility to its clients, the governments who acquire its products. “If anyone installed Pegasus on any alleged ‘target devices’ it was not [the] defendants [NSO Group]. It would have been an agency of a sovereign government,” the company stated as a defense in a lawsuit that it is involved in with WhatsApp. The messaging application reported NSO in October of last year for using its platform to infect the cellphones of activists and diplomats around the world with Pegasus.

There is no evidence that Spain’s security forces are clients of NSO. The National Police and the CNI did hire their main competitor, Hacking Team from Italy, until at least 2015. This emerged after 400 gigabytes of internal emails from this company were stolen from its servers after they themselves were hacked.

In 2018, Pegasus was being used in 45 countries, according to Citizen Lab, targeting activists in Bahrain, Kazakhstan, Saudi Arabia, the United Arab Emirates and Mexico.

The cellphones of 25 Mexican politicians, activists and reporters, including the journalists Carmen de Arístegui (Arístegui Noticias), Andrés Villareal and Ismael Bojórquez (Río Doce) and Carlos Loret de Mola (Televisa) were targeted in 2019. As were three members of the organization Mexicans Against Corruption and Impunity, while the leaders of the National Action Party (PAN) Ricardo Anaya and Fernando Rodríguez Noval were also monitored. Omar Radi, a 33-year-old Moroccan journalist, also saw his phone infected by Pegasus after he criticized a judge.

English version by Simon Hunter.