High-ranking EU officials attacked with spyware

The attacks are said to have been carried out via an iOS security vulnerability that has since been patched, and which was also exploited by the controversial Pegasus spyware.

High-ranking officials of the EU Commission were attacked with spyware last year. This was reported by the Reuters news agency on Monday. So far, it is not known who is responsible for the attacks.

According to the report, one of the spy targets was Didier Reynders’ smartphone. The Belgian politician has been EU Commissioner for Justice and the Rule of Law since 2019. The phones of at least four other unnamed EU Commission employees are also said to have been attacked. Reuters cites testimony from EU officials familiar with the matter, as well as internal EU documents on the incidents.

The EU Commission had become aware of the attacks through warnings from Apple. The company has been informing users since the end of last year when it discovers evidence of “state-sponsored espionage attacks”. The Commission had then warned its employees that they too could be the target of an attack with spyware.

Zero-click attacks

According to Reuters, some of the affected smartphones were examined by security researchers. They were able to determine that the attacks took place between February and September 2021. The experts were also able to trace the attack route: a security hole in the iPhone operating system iOS was exploited, which enabled so-called zero-click attacks. In such attacks, the spyware is installed remotely without the victims having to take any action or being aware of the attack. However, it remained unclear whether the smartphones were actually spied on afterwards.

Security researchers from the Citizen Lab at the University of Toronto discovered the corresponding vulnerability in September 2021 and proved that the controversial Pegasus spyware from the Israeli developer NSO was installed in this way. Apple closed this security gap with an update in September.

What is Pegasus?

Pegasus is spyware from the Israeli company NSO Group. It can completely take over an infiltrated device and, for example, switch on the camera and microphone unnoticed as well as copy all data. Location data can also be accessed and passwords retrieved. The surveillance programme has been criticized for years in connection with human rights violations.

In February, Reuters also reported that the Reign spyware from the Israeli company Quadream had infected smartphones via this attack route. Similar to Pegasus, the software is said to be able to take over smartphones completely.

As early as June 2021, the Israeli newspaper Haaretz reported that Quadream, like NSO, was selling its own spyware to governments. The company’s customers are said to include Saudi Arabia.

Committee wants to investigate incidents

Exactly what spyware was used against the EU staff is still unclear. NSO told Reuters it was not responsible for the attacks. Quadream did not respond to journalists’ enquiries. It is also unknown who is behind the attacks.

Reuters also writes that the EU Commission has not responded as to whether the cases are currently still being investigated. Even in a press conference on Monday, an EU spokesperson did not want to comment on the current cases.

Dutch MEP Sophie in ’t Veld described the revelations to Reuters as “dynamite”. On Twitter, she demanded that the EU Commission carry out an internal investigation and inform the EU Parliament, as the attacks touched on “the integrity of EU democracy”.

She also announced that the EU Parliament’s committee of enquiry into the abuse of Pegasus would look into the attacks. The EU Parliament voted in March to set up the committee. It is to investigate whether Pegasus was used against journalists and politicians in the EU, for example. The illegal use of “similar surveillance and spying software” is also the subject of the investigation.

Pegasus use in the EU

MEPs had called for the committee to be set up because EU governments were also alleged to have used Pegasus illegally. For example, journalists were spied on in Hungary and opposition members were spied on in Poland. Both governments had admitted to buying the spyware, but denied illegal use.

Last summer, the organisations Forbidden Stories and Amnesty International as well as several international media uncovered how media workers, human rights activists and opposition activists worldwide were being monitored with Pegasus. They had analysed a dataset of more than 50,000 phone numbers apparently selected by Pegasus users as potential spying targets. The list also included high-ranking politicians such as the President of the European Council, Charles Michel, and the French President Emmanuel Macron.

Amnesty International said the current cases showed how far the spread of spyware had already advanced. Governments have not done enough to investigate and prevent human rights violations caused by the spyware industry. Amnesty International, together with other organisations, is calling for a worldwide moratorium on the sale and transfer of surveillance technologies.

In mid-February, the European Data Protection Supervisor, Wojciech Wiewiórowski, also called for a ban on spyware with the capabilities of Pegasus in the EU. Such programmes endanger people’s fundamental rights and freedoms, but also democracy and the rule of law. Their use was therefore incompatible with the democratic values of the EU. (js)