Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Citizen Lab Documents Israeli Surveillance Spyware Infections in Spain

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

According to a new report from Citizen Lab, malware tools sold by Israeli firms NSO Group and Candiru were found on the devices of at least 65 Catalan individuals, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations.

The controversial NSO Group, which is being sued by U.S. tech companies, publicly claims its surveillance software is used for law enforcement and anti-terrorism activities but there have been numerous discoveries linking the high-end hacking tool to attacks on members of civil society.

“Every Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term, before, or after their retirement,” the report noted.

[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The latest Citizen Lab report stopped short of conclusive attribution but said there’s “strong circumstantial evidence” suggesting a nexus with authorities in Spain.

The report said the malware was distributed via zero-click exploits and malicious SMS messages, noting that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with NSO Group’s Pegasus between 2017 and 2020.

Citizen Lab said it worked closely with Amnesty International and Microsoft on the investigations that led to the discovery of a zero-click exploit that has not been previously described.

Advertisement. Scroll to continue reading.

The group said the exploit, called HOMAGE, appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. 

[ READ: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA ]

The report noted that the HOMAGE exploit targeted older versions of Apple iOS operating system and says there’s no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.

The report also shed new light on the operations of Candiru, a secretive Israeli hacking company caught  in the past supplying Windows zero-days to government customers. Last July, Microsoft patched a pair of Windows kernel vulnerabilities exploited by Candiru and Citizen Lab said it found a “live Candiru infection on an institutional network backbone used by a consortium of Catalan universities.”

According to data from Microsoft’s Threat Intelligence Center (MSTIC), the Candiru malware was found on more than 100 victim devices across 10 countries.  The victims included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.