Skip to content
Citizen Lab has uncovered a multi-year campaign targeting autonomous region of Spain, Catalonia.
An unknown zero-click exploit in Apple’s iMessage was used by Israeli-based NSO Group to plant either Pegasus or Candiru malware on iPhones owned by politicians, journalists & activists.
Citizen Lab, in collaboration with Catalan-based researchers, released the finding in a report on Mon. that claims 65 people were targeted or infected with malware via an iPhone vulnerability called HOMAGE. It claims the controversial Israeli firm the NSO Group & a 2nd firm Candiru were behind the campaigns that happened between 2017 & 2020.
‘Devils Tongue’
Candiru, aka Sourgum, is a commercial firm that supposedly sells the ‘Devils Tongue’ surveillance malware to govts. around the world. The Apple iMessage HOMAGE bug is a so-called zero-click vulnerability, meaning no interaction by the victims is needed to secretly install malware on targets.
Since 2019, versions of Apple’s iOS software are no longer vulnerable to HOMAGE attacks.
Catalan Politicians & Activists Targeted
“The hacking covers a spectrum of civil society in Catalonia, from academics & activists to non-governmental organisations (NGOs). Catalonia’s Govt. & elected officials were also extensively targeted,” wrote authors of the Citizen Lab report that included John Scott-Railton, Elies Campo, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Gözde Böcü, Salvatore Solimano & Ron Deibert.
They wrote “the highest levels of Catalan Govt. to members of the European Parliament, legislators, & their staff & family members” were also targeted.
Regarding whom directed the attacks? Researchers stated it was “not conclusively attributing the operations to a specific entity,” however evidence suggests Spanish authorities were likely behind the operation. It suggested Spain’s National Intelligence Centre (CNI) as the likely mastermind, quoting their history of surveillance & espionage scandals.
Catalan Gate: Malware
The Catalan attackers infected victims through at least 2 exploits: zero-click exploits & malicious SMS messages. Zero-click exploits are challenging to defend against, given that they do not require victims to engage in any activity.
Citizen Lab alleges, victims were targeted with the Pegasus malware using the zero-click iOS exploit (HOMAGE) & a known malicious SMS message vulnerability, circa 2015, used by the NSO Group to spread its Pegasus malware.
HOMAGE
Researchers wrote: “The HOMAGE exploit appears to have been in use during the last months of 2019 & involved an iMessage zero-click component that launched a Web Kit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.”
HOMAGE was also believed to have been used 6 times in 2019 & 2020. Citizen Lab suggested Apple devices running a version of its mobile operating system greater than 13.1.3 (released Sept. 2019) are not vulnerable to attacks.
Other Malware/Exploits
Researchers explained that the KISMET zero-click exploit was also used in the attacks. In Dec. 2020, Citizen Lab said phones of 36 journalists were infected with KISMET by 4 separate APTs, possibly linked to Saudi Arabia or the UAE.
The WhatsApp buffer overflow bug (CVE-2019-3568), exploited by the NSO Group in the Catalan Gate attacks, had previously been reported by Citizen Lab in 2019 & was patched in May of 2019. At the time, the Financial Times reported a “private company” believed to be the NSO Group created the zero-day attack to sell to its customers.
Candiru Spyware
As part of the Catalan attacks, researchers say 4 people were targeted or infected using the Candiru spyware firm’s spyware, also called Candiru.
These attacks attempted to take advantage of 2 now patched zero-day bugs (CVE-2021-31979, CVE-2021-33771) – both Windows Kernel Elevation of Privilege Vulnerabilities – were used by Candiru. Both were discovered by Microsoft & patched in July 2021.
“We identified a total of 7 emails containing the Candiru spyware, via links to the domain name stat[.]email,” researchers outlined. “Candiru’s spyware showed that Candiru was designed for extensive access to the victim device, such as extracting files & browser content, but also stealing messages saved in the encrypted Signal Messenger Desktop app.”
In Aug. 2021, Citizen Lab reported a never-before-seen, zero-click iMessaging exploit had been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware.
Unrestrained Abuses
Citizen Lab described the campaigns as “high volume” & examples of “unrestrained abuses” of privacy that point to a “serious absence of regulatory constraints” over the sale of spyware to govt. clients & others.
“It is now well established that NSO Group, Candiru, other companies like them, as well as their various ownership groups, have utterly failed to put in place even the most basic safeguards against abuse of their spyware. What we find in Spain is yet another indictment of this industry,” it concluded.
