Spanish PM and defense minister's phones were also targeted with Pegasus spyware

"External and illicit" hackings made public in wake of Catalangate revelations

Spanish PM Pedro Sánchez on the phone with US President Joe Biden on August 21, 2021 (by La Moncloa via ACN)
Spanish PM Pedro Sánchez on the phone with US President Joe Biden on August 21, 2021 (by La Moncloa via ACN) / ACN

ACN | Madrid

May 2, 2022 09:44 AM

The Spanish government announced on Monday morning that both Spanish PM Pedro Sánchez and defense minister Margarita Robles' phones had been targeted with Pegasus spyware.

These hackings, which have been described as "external and illicit" by the Spanish government, were made public in the wake of the Catalangate revelations. 

These hackings lacked "judicial authorization" and are "not related to [Spanish] state administrations," Félix Bolaños, the Spanish presidency minister, said in a last-minute press conference. NSO Group only sells the software to government agencies. 

"We want the judiciary to investigate, so we can find out the truth which is why we have made all of this information available," Bolaños added. 

Pedro Sánchez and Margarita Robles’ phones were infected in 2021, but the executive did not explain why they decided to check for traces of Pegasus until now, two weeks after the Catalangate espionage was made public. While the PM was attacked on two different occasions, both in May 2021, the defense minister was targeted a month later.

"I don't think it's time to guess as to the objectives. We inform you that these are two unequivocal facts. Now is not the time to determine or interpret what the aim of these was," the presidency minister said on Monday morning.

So far, the government only knows that during the first infection, hackers retrieved 2.6 GB of information from Sánchez’s phone, and 130 MBs the second time. Hackers took 9 MBs from Margarita Robles’ device.

Sources from the executive have not revealed what kind of information the hackers had access to.

Pegasus is spyware developed by Israel’s NSO Group and can be used to control devices remotely. The software "can activate the video and photo camera, the microphone, as well as see all your communications and take screenshots at any time," Bruno Pérez Juncà, a cybersecurity expert, said to Catalan News recently.

The difference between this spyware and other ones is the 'zero-click' option.

Normally, "someone will send a link for the victim to download the file that will hack their phone, that’s ‘one-click’, but Pegasus can also use vulnerabilities that are ‘zero-click’ such as in WhatsApp where you could receive a video call, and the spyware would be installed automatically without doing anything, not even picking up the call," Pérez Juncà explained.

Cabinet investigation

The government, with the tools from the National Cryptologic Center (CCN), the cybercrime section of the Spanish intelligence agency (CNI), started checking the PM and the defense minister's devices ahead of controlling all other cabinet members' phones. 

"The investigation will look into all government members. We know that pegasus software has been used illicitly in 20 countries and that governments are among the victims," Félix Bolaños said. 

To avoid further infections, the executive promised to strengthen communications security, not only for the Spanish government but also for all regional executives and parliaments. "We will offer all knowledge and the capacity of the state to avoid more illicit and external intrusions to any of this country’s leaders," the presidency minister explained. 


The announcement from the Spanish executive came in the midst of the Catalangate scandal, the name given by the Citizen Lab, a University of Toronto-based research group that reports on high-tech human rights abuses, to its investigation into the espionage of several Catalan pro-independence politicians, activists, and their close associates. 

It is "the largest forensically documented cluster of such attacks and infections on record," the New Yorker magazine published on April 18

Although most infection attempts took place between 2017 and 2020, Citizen Lab did detect one in 2015. The victim of this early cyberattack was Jordi Sánchez, the former Catalan National Assembly (ANC) president and one of the jailed and then pardoned leaders of the October 1, 2017 referendum.

Other targets include all of the Catalan presidents who have been in office since 2010. Artur Mas (in power from 2010 to 2015) was hacked after leaving office, while Quim Torra (2018 - 2020) had his phone infected while still serving as president. The phone of Pere Aragonès, the leader since 2021, was infected while he was serving as vice president under Torra.

Carles Puigdemont (2016 - 2017) was not attacked directly but was a relational target as up to 11 of his close associates, including his spouse and his lawyer, Gonzalo Boye, had their phones hacked.