Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Citizen Lab Documents Israeli Surveillance Spyware Infections in Spain

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

According to a new report from Citizen Lab, malware tools sold by Israeli firms NSO Group and Candiru were found on the devices of at least 65 Catalan individuals, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations.

The controversial NSO Group, which is being sued by U.S. tech companies, publicly claims its surveillance software is used for law enforcement and anti-terrorism activities but there have been numerous discoveries linking the high-end hacking tool to attacks on members of civil society.

“Every Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term, before, or after their retirement,” the report noted.

[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The latest Citizen Lab report stopped short of conclusive attribution but said there’s “strong circumstantial evidence” suggesting a nexus with authorities in Spain.

The report said the malware was distributed via zero-click exploits and malicious SMS messages, noting that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with NSO Group’s Pegasus between 2017 and 2020.

Citizen Lab said it worked closely with Amnesty International and Microsoft on the investigations that led to the discovery of a zero-click exploit that has not been previously described.

The group said the exploit, called HOMAGE, appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the process, following a lookup for a Pegasus email address. 

[ READ: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA ]

The report noted that the HOMAGE exploit targeted older versions of Apple iOS operating system and says there’s no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.

The report also shed new light on the operations of Candiru, a secretive Israeli hacking company caught  in the past supplying Windows zero-days to government customers. Last July, Microsoft patched a pair of Windows kernel vulnerabilities exploited by Candiru and Citizen Lab said it found a “live Candiru infection on an institutional network backbone used by a consortium of Catalan universities.”

According to data from Microsoft’s Threat Intelligence Center (MSTIC), the Candiru malware was found on more than 100 victim devices across 10 countries.  The victims included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.