Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.
According to a new report from Citizen Lab, malware tools sold by Israeli firms NSO Group and Candiru were found on the devices of at least 65 Catalan individuals, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations.
The controversial NSO Group, which is being sued by U.S. tech companies, publicly claims its surveillance software is used for law enforcement and anti-terrorism activities but there have been numerous discoveries linking the high-end hacking tool to attacks on members of civil society.
“Every Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term, before, or after their retirement,” the report noted.
The latest Citizen Lab report stopped short of conclusive attribution but said there’s “strong circumstantial evidence” suggesting a nexus with authorities in Spain.
The report said the malware was distributed via zero-click exploits and malicious SMS messages, noting that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with NSO Group’s Pegasus between 2017 and 2020.
Citizen Lab said it worked closely with Amnesty International and Microsoft on the investigations that led to the discovery of a zero-click exploit that has not been previously described.
The group said the exploit, called HOMAGE, appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
The report noted that the HOMAGE exploit targeted older versions of Apple iOS operating system and says there’s no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.
The report also shed new light on the operations of Candiru, a secretive Israeli hacking company caught in the past supplying Windows zero-days to government customers. Last July, Microsoft patched a pair of Windows kernel vulnerabilities exploited by Candiru and Citizen Lab said it found a “live Candiru infection on an institutional network backbone used by a consortium of Catalan universities.”
According to data from Microsoft’s Threat Intelligence Center (MSTIC), the Candiru malware was found on more than 100 victim devices across 10 countries. The victims included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.