Catalangate: solid evidence points to perpetrators within Spanish government, says Citizen Lab

Pro-independence movement announces legal action in response to ‘world’s biggest cyberattack’

ERC's Oriol Junqueras with Carles Puigdemont and Laura Borràs of Junts in Brussels on April 19, 2022 (by Natàlia Segura)
ERC's Oriol Junqueras with Carles Puigdemont and Laura Borràs of Junts in Brussels on April 19, 2022 (by Natàlia Segura) / ACN

ACN | Brussels

April 19, 2022 02:02 PM

There is “solid circumstantial evidence” to suggest that the perpetrators of the attacks on over 60 Catalan pro-independence politicians and activists with Pegasus and Candiru spyware are “one or more entities in the Spanish government,” John Scott-Railton, a senior investigator at the University of Toronto's Citizen Lab high-tech human rights abuses research group, said on Tuesday, a day after The New Yorker reported on the organization's findings

Although the attack, called Catalangate, “cannot be attributed to a concrete state,” he explained during a joint press conference in Brussels with high-ranking officials from Catalan coalition partners Esquerra Republicana and Junts per Catalunya, as well as civil society groups Òmnium Cultural and Assemblea Nacional Catalana, the targets were of “obvious interest” to the Spanish government for their pro-independence leanings. 

The victims were also baited with SMSes that contained personal information, such as Spanish governmental ID numbers, while the CNI, Spain’s intelligence agency, is reported to be a customer of NSO Group, the Israeli company that developed Pegasus spyware. It is unclear whether Spain’s interior ministry uses the program, but it is reported to have “an unnamed but similar capability.”

One of the victims, for example, had booked a SwissAir flight and was sent an SMS with the flight number and a malicious link with which their phone became infected, although others were targeted through zero-click software. 

Legal action against "illegal espionage of dissent"

The pro-independence movement has announced it will seek legal action against NSO Group as well as the Spanish government for what former Catalan president Carles Puigdemont has described as the “illegal espionage of dissent.”

Lawsuits will be filed in the six European countries - Spain, France, Belgium, Switzerland, Germany, and Luxembourg - as well as before the EU and the United Nations.

Evidence gathered by Citizen Lab suggests that the victims of the sophisticated spyware attacks were not only targeted while in Spain, but also in other European countries too in what could be illegal according to local legislation.

"This illegal espionage has also been done abroad as they have pursued Catalan pro-independence activists abroad in Belgium, Germany, and France," former vice president and pardoned leader Oriol Junqueras, from Esquerra Republicana de Catalunya (ERC), said on Tuesday.

The different parliamentary groups in Catalonia, but also in the Spanish Congress and Senate "will announce necessary measures, and we’ll take this scandal to the European Parliament," Junqueras added.

Victims of the espionage case say they will urge the European chamber to call for an urgent debate on the matter.

ERC is currently one of the major backers of the Spanish government in Spain's Congress. Asked about their political support, Junqueras announced that "fundamental rights have been attacked, and we’ll ask for explanations from the Spanish government."

What’s Catalangate?

All Catalan presidents since 2010 have been victims of cyberespionage using Israeli NSO Group’s spyware technology, Pegasus, according to Citizen Lab. 

Up to 65 Catalan pro-independence leaders had their phones infected between 2017 and 2020. The software allows full access to messages and hard drives and can activate the cameras and microphones remotely.

Among the direct victims are former presidents Artur Mas and Quim Torra, who was hacked while he was in office. Current president Pere Aragonès, meanwhile, fell victim to the spyware while serving as Torra's vice president. 

Former president Carles Puigdemont, in Belgium since late 2017 to evade prosecution in Spain, has been a relational target, as up to 11 of his close associates, including his spouse and his lawyer, Gonzalo Boye, were hacked. 

Other victims include Catalan civil society organization leaders such as former president of the Catalan National Assembly (ANC) and jailed and pardoned leader Jordi Sànchez, current ANC president Elisenda Paluzie, and Marcel Mauri, vice president of Òmnium Cultural.