Q&A: What is Catalangate and what consequences will it have?

Over 60 pro-independence figures’ phones were hacked using spyware between 2017 and 2020

Pegasus - NSO Group's website on a mobile device on April 20, 2022 (by Gerard Escaich Folch)
Pegasus - NSO Group's website on a mobile device on April 20, 2022 (by Gerard Escaich Folch) / Gerard Escaich Folch

Gerard Escaich Folch | Barcelona

April 20, 2022 05:26 PM

Phones of at least 65 Catalan politicians and civil society members were infected with spyware between 2017 and 2020 on several occasions as an investigation from The New Yorker magazine and Citizen Lab research group shows.

The espionage case known as Catalangate has already had political and judicial consequences. 

What is Catalangate?

Catalangate is the name that Citizen Lab, a University of Toronto-based research group that reports on high-tech human rights abuses gave its investigation into the espionage of several Catalan pro-independence politicians, activists, and their close associates. 

It is "the largest forensically documented cluster of such attacks and infections on record," the New Yorker published on Monday

Phones were infected using spyware programs Pegasus and Candiru. Pegasus, from Israeli company NSO Group, is known internationally for its previous infections of renowned people, such as murdered Saudi Arabian journalist Jamal Khashoggi, or members of Rwanda’s opposition party.

Candiru, founded by former NSO Group employees, is not as well known but is similar to Pegasus. 

Who are the main victims?

Although most infection attempts took place between 2017 and 2020, Citizen Lab did detect one in 2015. The victim of this early cyberattack was Jordi Sánchez, the former Catalan National Assembly (ANC) president and one of the jailed and then pardoned leaders of the October 1, 2017 referendum.

Other targets include all of the Catalan presidents who have been in office since 2010. Artur Mas (in power from 2010 to 2015) was hacked after leaving office, while Quim Torra (2018 - 2020) had his phone infected while still serving as president. The phone of Pere Aragonès, the leader since 2021, was infected while he was serving as vice president under Torra.

Carles Puigdemont (2016 - 2017) was not attacked directly but was a relational target as up to 11 of his close associates, including his spouse and his lawyer, Gonzalo Boye, had their phones hacked.

Other political figures whose phones were infected are the former parliament speaker and current business minister, Roger Torrent, of senior coalition partner Esquerra Republicana, who was targeted while at the helm of the Catalan chamber bureau, and Laura Borràs, the current parliament speaker, whose phone was hacked while she was serving as a member of the Spanish Congress for Junts, the junior partner in the Catalan government.

What is Pegasus?

Pegasus is a kind of spyware that "takes remote control of someone's device," Bruno Pérez Juncà, a cybersecurity expert, said to Catalan News. The software "can activate the video and photo camera, the microphone, as well as see all your communications and take screenshots at any time," he added. 

Those who use it can also "access files and add new ones to the phone," Pérez Juncà said. The difference between this spyware and other ones is the ‘zero-click’ option. 

Normally, "someone will send a link for the victim to download the file that will hack their phone, that’s ‘one-click’, but Pegasus can also use vulnerabilities that are ‘zero-click’ such as in WhatsApp where you could receive a video call, and the spyware would be installed automatically without doing anything, not even picking up the call," Pérez Juncà explained. 

How does Pegasus work?

Pegasus has another characteristic that allows the clients that use it to be trackless as the connections are between the victims’ devices and an NSO Group server located in a "technological paradise where justice cannot get the information," the cybersecurity expert explained. 

Pegasus location tracking screen (from Pegasus Product Description)

To access this server, the client has a username and password to enter their dashboard with the information on the infected devices. 

How did Aragonès’ phone get infected?

One of the hacking victims is the current Catalan president, Pere Aragonès. During an interview with RAC1 radio broadcaster, the president explained how he had received three SMSes that seemed to be part of a subscription list. 

All of these messages appeared to contain media articles with a headline and a link to read them. One of the messages talked about the keys to the negotiations between the Esquerra Republicana de Catalunya party, led by Aragonès himself, and the Spanish Socialist party (PSOE). 

Screenshot of Pere Aragonès' phone with the message that infected the devide with Pegasus (by CCMA)

At the time, both forces were in the midst of talks concerning support for Spanish PM Pedro Sánchez's presidential bid. Other examples included articles about a "new Puigdemont way," in reference to the political method of former Catalan president Carles Puigdemont

"It seemed like text list subscriptions, and I thought someone might have added me to one," Pere Aragonès said in his interview with RAC1. "You would click and go to the newspaper’s website," he added.

How much does Pegasus cost?

The NSO Group software is sold to "government agencies to prevent and investigate terrorism and crime to save thousands of lives around the globe," the company website reads. 

The Israeli group has different prices depending on how many devices the user needs to infect, as they offer bulk options. The cheapest option is a $500,000 installation fee. From there, the client can choose either to infect iOS, Android, BlackBerry, or Symbian devices. 

For example, to attack 10 iPhones, the client would need to pay $650,000, and $250,000 more if they want to add 20 additional iPhone users to be hacked. To infect 10 Android devices costs $650,000

The company charges an additional 17% of the customer’s annual fees for system maintenance, according to The New York Times newspaper

How can the infected phones get rid of Pegasus?

Once someone’s device is infected with Pegasus, there are several ways for them to remove the spyware. An easy one is "updating the phone’s software," cybersecurity expert Bruno Pérez Juncà said to Catalan News.

"In that case, NSO’s client would have to infect the phone again," he added.  

The problem with Pegasus is that "it quietly enters the device, but it also quietly disappears," leaving no trace for professional technological forensics specialists. 

Pegasus call log and call interception screen (from Pegasus Product Description)

Another issue people face is that if they "keep using the same passwords that they used while being infected, NSO’s client will still have them" despite restoring the device, Pérez Juncà explained. 

The device "must be properly cleaned, and discovering if you have been infected with Pegasus is difficult," he added. 

Political consequences in Catalonia

The Catalan government has frozen its negotiation process over the independence issue with Spain after Catalangate revelations. Both the independence camp, as well as Citizen Lab researchers, believe the perpetrators of this espionage are within the Spanish government. 

Catalan president Pere Aragonès, said on Tuesday evening, accompanied by all of his ministers, that "normal political relations" with Madrid could not resume until Catalangate is clarified, that is, until an internal investigation within the Spanish government is launched and accountability for those responsible is ensured.

In fact, the National Intelligence Center (CNI), Spain’s intelligence agency, acquired Pegasus in the early 2010s for an initial cost of €6 million, according to El País. The Spanish news outlet cites sources close to the Spanish intelligence services. 

Political consequences in the EU

Aragonès emphasized that Catalangate is not an internal affair. "We urge the European Parliament and other European institutions to reinforce the calls for a thorough investigation into the mass surveillance that has been certified," he expressed.

The pro-independence movement has announced it will seek legal action against NSO Group for what former Catalan president Carles Puigdemont has described as the “illegal espionage of dissent.”

Lawsuits will be filed in the six European countries - Spain, France, Belgium, Switzerland, Germany, and Luxembourg - as well as before the EU and the United Nations.

Some members of the European Parliament have condemned the alleged espionage. On Tuesday, the chamber set up a committee to investigate member states’ use of Pegasus. 

According to The New Yorker, so far Hungary, Poland, and Germany have acknowledged that authorities in their country do use Pegasus. 

What does the Spanish government say?

The Spanish government has denied any connection to Catalangate. The cabinet "has nothing to hide," its spokesperson, Isabel Rodríguez, said on Tuesday.

"The cabinet will not tolerate Spain’s democratic integrity being questioned as this country is democratic and is a state where individuals’ rights are respected," she added.