Prime Minister Pedro Sánchez’s mobile phone was breached twice in May 2021, and Defence Minister Margarita Robles’ device was targeted once the following month, Presidency Minister Félix Bolaños told reporters at a morning press conference.
“We have no doubt that this is an illicit, unauthorised intervention,” Bolaños said, adding, “It comes from outside state organisations and it didn’t have judicial authorisation”.
The Pegasus spyware behind the attack is produced by Israeli security firm NSO, which says it only sells the software to government agencies.
Bolaños noted that technical reports by Spain’s National Cryptologic Centre had evaluated the volume of data extracted from the two devices.
In all, 2.6 gigabytes of information was obtained from the Spanish prime minister’s phone during the first attack and 130 megabytes during the second, while 9 gigabytes were stolen from the defence minister. “There is no evidence of any intrusion after these dates,” Bolaños continued.
Last year, French President Emmanuel Macron was among 14 current or former heads of state on a list of potential Pegasus targets leaked to human rights organisation Amnesty International.
Unlike most spyware, Pegasus doesn’t require its victims to unwittingly download it, for example by opening an infected attachment or clicking a link. It can infect iOS, Android or BlackBerry phones without alerting their owners. Once installed, it allows NSO’s clients to take control of a device, to activate the camera and the microphone, see geolocation data and read the content of messages – even those sent via encrypted platforms like Telegram and WhatsApp.
Pegasus’ maker NSO claims the software is not designed for mass surveillance, but for counterterrorism purposes.
However, it has been accused of helping facilitate authoritarianism. The Pegasus software has been used by countries including Saudi Arabia.