Connect with us

Hi, what are you looking for?


Application Security

Citizen Lab Documents Israeli Surveillance Spyware Infections in Spain

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

Security researchers have found fresh evidence linking a pair of mercenary Israeli hacking companies to mobile malware attacks on members of Catalan civil society.

According to a new report from Citizen Lab, malware tools sold by Israeli firms NSO Group and Candiru were found on the devices of at least 65 Catalan individuals, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations.

The controversial NSO Group, which is being sued by U.S. tech companies, publicly claims its surveillance software is used for law enforcement and anti-terrorism activities but there have been numerous discoveries linking the high-end hacking tool to attacks on members of civil society.

“Every Catalan president since 2010 has been targeted or infected with Pegasus, either while serving their term, before, or after their retirement,” the report noted.

[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The latest Citizen Lab report stopped short of conclusive attribution but said there’s “strong circumstantial evidence” suggesting a nexus with authorities in Spain.

The report said the malware was distributed via zero-click exploits and malicious SMS messages, noting that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with NSO Group’s Pegasus between 2017 and 2020.

Advertisement. Scroll to continue reading.

Citizen Lab said it worked closely with Amnesty International and Microsoft on the investigations that led to the discovery of a zero-click exploit that has not been previously described.

The group said the exploit, called HOMAGE, appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the process, following a lookup for a Pegasus email address. 

[ READ: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA ]

The report noted that the HOMAGE exploit targeted older versions of Apple iOS operating system and says there’s no evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.

The report also shed new light on the operations of Candiru, a secretive Israeli hacking company caught  in the past supplying Windows zero-days to government customers. Last July, Microsoft patched a pair of Windows kernel vulnerabilities exploited by Candiru and Citizen Lab said it found a “live Candiru infection on an institutional network backbone used by a consortium of Catalan universities.”

According to data from Microsoft’s Threat Intelligence Center (MSTIC), the Candiru malware was found on more than 100 victim devices across 10 countries.  The victims included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...