WhatsApp confirms 2019 attack on Catalan politician’s cellphone

Roger Torrent, the speaker of the regional parliament and a supporter of independence, was targeted with a program used by government clients worldwide

Catalan parliament speaker Roger Torrent on July 21.
Catalan parliament speaker Roger Torrent on July 21.Marta Perez / EFE

WhatsApp, the messaging application company owned by Facebook, has confirmed that the speaker of the Catalan parliament, Roger Torrent, was the target of a 2019 spyware attack.

The mobile phone of the leading pro-independence politician was targeted through a WhatsApp security flaw discovered last year that allowed attackers to install spyware simply by placing a call that did not need to be answered.

Torrent was one of several users targeted in an attack that used spyware developed by the Israeli company NSO Group, which says it only sells to government clients. The Catalan politician has pointed at the “Spanish state” as being behind the hacking attempt, a claim that Spain’s executive has denied.

By ‘targeted’ we are referring to the fact that the attackers attempted to inject malicious code into Mr Torrent’s WhatsApp application
Niamh Sweeney, WhatsApp’s director of public policy for Europe, the Middle East and Asia

In a message to Torrent seen by EL PAÍS and The Guardian, which broke the story in mid-July, Niamh Sweeney, WhatsApp’s director of public policy for Europe, the Middle East and Asia, said that Torrent’s phone was “targeted in an attempt to gain unauthorized access to data and communications on the device.”

“By ‘targeted’ we are referring to the fact that the attackers attempted to inject malicious code into Mr Torrent’s WhatsApp application,” wrote Sweeney, adding that the company could not confirm whether the attack was successful, “as this could only be achieved through an exhaustive forensic analysis of the device.”

A joint investigation by EL PAÍS and The Guardian recently revealed that a spyware program called Pegasus and made by NSO Group was used between April and May 2019 to try to hack into the cellphones of Catalan pro-independence politicians. These included Torrent as well as Ernest Maragall, a regional lawmaker for the Catalan Republican Left (ERC), and Anna Gabriel, a former lawmaker for the far-left CUP party who fled to Switzerland following the failed attempt at unilateral secession from Spain in 2017.

The Pegasus program took advantage of WhatsApp’s security flaw to target the phones, according to Citizen Lab, a cybersecurity group from the Munk School of Global Affairs and Public Policy at the University of Toronto that collaborated with WhatsApp to investigate the messaging service’s vulnerability.

Last week, Torrent and Maragall announced that they were taking legal action against Félix Sanz Roldán, the former head of Spain’s National Intelligence Center (CNI). Both Catalan leaders claim the cyberattack was part of a strategy by the “Spanish state” against the independence movement in the northeastern region.

Interior Minister Fernando Grande-Marlaska last week stated in Congress that neither the Spanish executive nor the CNI carried out the attack. And the CNI – which has access to Pegasus and was a client of NSO Group’s rival company Hacking Team until 2015 – has stated that it always abides by the law and reports its actions to the Supreme Court for oversight.

EL PAÍS was unable to reach NSO Group for comment. The company says it only sells its products to government agencies including police forces, the army and intelligence services, and that it is the clients who decide what to do with the programs they purchase.

The Pegasus program can take control of handsets, listen to conversations, read messages, access files, take screenshots and activate the camera and microphone via remote control.

Citizen Lab, the Toronto University group that investigated the security flaw, estimated that around 100 of the 1,400 WhatsApp users targeted by Pegasus in 2019 were diplomats, journalists, lawyers and politicians from all over the world.

“As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America,” said the group in an October 2019 release.

English version by Susana Urra.

More information