Skip to content

NSO clients found snooping on Catalan and British governments

  • by
  • 3 min read

NSO Labs, the now-infamous Pegasus Spyware creator, is again under international scrutiny after reports emerged of a mercenary spyware operation running against Catalans using Pegasus and Candiru.

Instances of the Pegasus spyware were also found within official UK networks, including the Prime Minister’s and Foreign and Commonwealth Office. Citizen Labs, which found evidence for both the attacks, published reports on April 18, stating that UK government officials were targeted in 2020 and 2021. 

Catalonia’s regional leader accused the Spanish government of the newly-discovered campaign. NSO, on the other hand, has denied any association with the attacks, stating their tools weren’t used and claiming Citizen Labs’ reports to be lies. 

In the News: OnePlus 10R and Nord CE 2 Lite will be unveiled on April 28

Catalan fight for independence

In collaboration with Catalan Civil Society groups, Citizen Labs identified at least 65 individuals being targeted or infected with NSO made spyware. Out of this, at least 63 were targeted with Pegasus, four others with Candiru and at least two were targeted or infected with both. 

Out of the total Pegasus targets, 51 individuals’ infections were forensically confirmed. 12 others were targeted via SMS or WhatsApp with Pegasus infection attempts without forensic confirmation of a successful infection. 

Evidence of a previously undisclosed iOS zero-click exploits HOMAGE was also found. Victims include Members of the European Parliament, Catalan Presidents, jurists, legislators and members of civil society organisations and, in some cases, their family members as well. 

While Citizen Labs hasn’t attributed the attack to a particular entity, “strong circumstantial evidence” suggests that Spanish authorities might be behind the attacks.

The report also states that since their tools for detecting Pegasus on iOS are much more developed than the ones for Android, Citizen Labs’ report is believed to heavily undercount the number of individuals with Android devices being targeted or infected.

10 Downing Street under spyware seige

Citizen Labs believes that the Prime Minister’s office was targeted by NSO clients in the United Arab Emirates, while the FCO was targeted by clients based in Cyprus, Jordan and India. Evidence of the compromised UK devices was found by monitoring network traffic and other digital signals sent back to NSO clients from the compromised devices. 

The FCO and its successor office, the Foreign Commonwealth and Development office( FCDO), have personnel in multiple countries. The FCO infections could be related to FCO devices operating abroad using foreign SIM cards. 

As per a Reuters report, an NSO spokesperson has denied the allegation stating that they’re false and cannot be related to NSO products for technological and contractual reasons. 

Cyprus authorities also categorically denied the allegations, while spokespersons for the UAE, India and Jordan didn’t respond to requests for comment. 

In the News: Cisco’s broken WiFi admin software lets anyone log in

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: