
The Mossos d'Esquadra police have confirmed, for the first time, that the mobile phones of several pro-independence leaders were attacked with Pegasus spyware. The Catalan police force has certified this before the courts that are investigating the espionage of three leading politicians of the Catalan Republican Left (ERC): MEP Diana Riba; Catalan MP Josep Maria Jové; and current Catalan government official and former MP Sergi Sabrià. The IT experts of the Mossos concluded that the terminals were infected "by a malicious program that leaves the same traces as the one known as Pegasus", as eldiario.es reported. Given the magnitude of the attack, the Mossos specialists do not rule out that the spy program "was active in the days after" the infections, which occurred in 2019 and 2020.

The results of the investigation support the assertions of the pro-independence activists who suffered the espionage. The three have repeatedly encountered the refusal of the courts to investigate the espionage and its connection with Spain's National Intelligence Centre (CNI). In addition, the police certification also refutes the conclusions of the Spanish government, which asserted that Jové and Riba had not been spied on, a claim that the Spanish government used to refuse to declassify the documents that the judge demanded.

Analysis of mobile phones

Josep Maria Jové, Diana Riba and Sergi Sabrià are the first pro-independence leaders to hand over their phones to the scientific branch of the Catalan police force; the rest have opted for private experts, or have resisted turning over their devices to the court out of mistrust, while some disposed of their phones after the infections. In addition to confirming the Citizen Lab laboratory's diagnosis that the phones had been infected, the Mossos also revealed new details.

In Jové's case, Citizen Lab was unable to pinpoint the specific dates on which he was infected with the software. However, the Mossos' physical possession of the devices enabled them to certify at least four dates on which the ERC leader's terminal was attacked. The attacks took place between March and October 2019, and in July and November 2020, periods when Jové was negotiating with the Spanish Socialists (PSOE) over support for key projects of the Pedro Sánchez government. With regard to Riba's terminal, the Catalan police determined that it was infected on October 28th, 2019, at the very least. Around this date, one of her parliamentary assistants testified before the judge that he was talking on the phone with Riba when the call was cut off. Later, the phone played back the conversation he had had with Riba, an event which raised the alarm for the MEP and her staff, and which Riba's defence lawyer argues is a clear indication of the hacking.

In order to detect espionage on the terminals, the Mossos d'Esquadra analyzed so-called indicators of compromise (IOCs). These are data patterns that are recorded on the terminals and that can be linked to an attack by a malware program such as Pegasus.

Up to three "malicious processes"

The Mossos d'Esquadra detected up to "three malicious processes" which could have infected the mobile phones, and which for the police specialists are "clear and documented indications of malicious software". The laboratory's report states that the attacks managed to "record the activity" of the phone and also download data from the devices and later upload it to the internet, although they cannot determine where the stolen files were sent. One of the infection techniques detected by the Catalan police is the sending of SMS messages containing malicious links. If recipients clicked the link they received, they were directed to a server responsible for distributing the malicious program "without the user noticing." However, the police also note that in some cases the attacks were carried out without the user even clicking on the link, a so-called "zero-click" infection.
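To illustrate the kind of IOC matching the two paragraphs above describe (process names and SMS links checked against a list of indicators, then collapsed into the distinct dates on which a device was hit), here is an added example written for this article; it is not the Mossos' or Citizen Lab's tooling, and every IOC value, process name and message in it is a constructed placeholder, not a real Pegasus indicator.

```python
"""Toy IOC matcher for phone forensic records (constructed example)."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed IOC set: placeholders, not real indicators of any spyware.
IOC_PROCESSES = {"examplesvcd", "fakebridged"}
IOC_DOMAINS = {"ioc-example.invalid"}
URL_RE = re.compile(r"https?://\S+")


def domain_matches(hostname, ioc_domains):
    """True if hostname equals an IOC domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def scan_sms(messages, ioc_domains):
    """Return (timestamp, url) for every SMS link whose host matches an IOC domain."""
    hits = []
    for ts, body in messages:
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname or ""
            if domain_matches(host, ioc_domains):
                hits.append((ts, url))
    return hits


def scan_processes(process_log, ioc_processes):
    """Return (timestamp, name) for process launches whose name is an IOC."""
    return [(ts, name) for ts, name in process_log if name in ioc_processes]


def infection_days(hits):
    """Collapse hits into sorted distinct dates, the 'at least N dates' style of finding."""
    return sorted({datetime.fromisoformat(ts).date().isoformat() for ts, _ in hits})


# Constructed sample evidence; not taken from any real device.
SMS = [
    ("2019-10-28T09:14:00", "Urgent: see http://news.ioc-example.invalid/x9 now"),
    ("2019-10-29T11:02:00", "Lunch at 13h? https://example.org/menu"),
]
PROCS = [
    ("2019-10-28T09:14:30", "examplesvcd"),   # follows the SMS link above
    ("2019-10-28T09:14:31", "mediaserverd"),  # benign, not in the IOC set
    ("2020-07-03T22:40:05", "fakebridged"),   # no preceding SMS: zero-click pattern
]

if __name__ == "__main__":
    hits = scan_sms(SMS, IOC_DOMAINS) + scan_processes(PROCS, IOC_PROCESSES)
    print(infection_days(hits))  # ['2019-10-28', '2020-07-03']
```

A real examination would draw the process and message records from a full device extraction and use a vetted, published indicator list rather than the placeholders here.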

Although the investigators detected a probable infection, they did not locate any information on the devices "that allows us to establish the destination used by the Pegasus malicious program". Therefore, the forensic analysis cannot determine whether the CNI is responsible for the attacks.