Over 200 Spanish cellphones were possible targets of Pegasus spyware, says ‘The Guardian’

More than 200 Spanish cellphones were selected as possible surveillance targets by a client of NSO Group, an Israeli firm that markets a spyware program named Pegasus, the British newspaper The Guardian reported on Tuesday. This media outlet added that this client is believed to be Morocco, according to a data leak that led to a collaborative investigation known as the Pegasus Project.

“The mobile number selections believed to have been made by Morocco occurred in 2019, according to time stamps in the data, which includes more than 50,000 numbers of individuals selected as possible surveillance targets by NSO clients around the world,” said the British newspaper citing the leaked database.

One of the numbers belongs to Aminatou Haidar, a prominent human rights activist from Western Sahara, who had been targeted by Pegasus since 2018, according to an Amnesty International analysis. Traces of the Pegasus spy program were found on a second phone belonging to Haidar in November 2021. A number belonging to the Spanish journalist Ignacio Cembrero, whose work focuses on the Maghreb region of Africa, was also found.

The fact that these phone numbers were selected by a client believed to be Morocco does not mean that all the numbers were attacked or hacked, according to the British outlet. But it does indicate that the client seemed to be actively seeking possible targets for surveillance within Spain.

The maker of the spyware, NSO Group, maintains that the fact that a number appears on the leaked list does not indicate whether it has been subject to surveillance with Pegasus. The company defends that its product is intended to fight crime and terrorism, and says that each time it learns about a possible misuse of Pegasus, it tries to find out whether its client bought it for legal purposes or to snoop around in the phones of political opponents, activists, journalists and dissidents. An NSO spokesperson told EL PAÍS that this kind of activity violates the desirable use of these tools.

We do not know who it could have been, and when we do know, we will make it public

Félix Bolaños, Spain's Minister for Prime Ministerial Affairs

Following claims of political espionage in several European countries in recent years, a EU investigative committee has been appointed to look into Pegasus, which in theory is only available to government agencies. The program can take control of a cellphone without its owner noticing and, in addition to accessing all its contents, it can also turn it into a listening and image capture terminal.

Morocco has previously denied spying on any foreign leader using Pegasus, and has maintained that reporters investigating NSO have been “incapable of proving [the country had] any relationship” with NSO, The Guardian reported.

The Pegasus case took an unexpected turn in Spain on Monday when the government announced that Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had also been targeted by the spyware program. The alleged intrusions occurred in May and June 2021, and Spain’s High Court, the Audiencia Nacional, has launched an investigation into the case.

These revelations come on top of claims of alleged espionage against more than 60 Basque and Catalan separatists, as reported by Citizen Lab, a group of cybersecurity experts from the University of Toronto. Legal proceedings to investigate those claims are underway in the courts of Barcelona.

The judge in charge of investigating the Sánchez and Robles case specified that the hacking took place on May 19 and 31, 2021, a time when Spain was caught up in a diplomatic row with Morocco. But Félix Bolaños, Spain’s Minister for Prime Ministerial Affairs, has refused to link the attack with Morocco, saying instead that the attack was “external.” “We do not know who it could have been, and when we do know, we will make it public. We are going to wait,” Bolaños stressed in an interview on the Cadena SER radio network.