The use of intrusive spyware by members of the European Union is set to come under further scrutiny following revelations that the mobile phones of two other Polish citizens closely linked to an opposition senator have been targeted by an NSO Group client, according to security experts.
Amnesty International’s forensic analysis revealed that Magdalena Łośko, the former aide to Polish Senator Krzysztof Brejza, and Brejza’s father, Ryszard Brejza, received text messages in 2019 that researchers say were technically compatible with spyware attacks by NSO Group customers using Pegasus.
In both cases, the timing of the targeting matched the appearance of Łośko and Ryszard Brejza’s mobile phone numbers in a leaked database at the heart of Project Pegasus, an investigation into the NSO Group by a media consortium including the Guardian. , Wyborcza and Die Zeit, coordinated by the French association Forbidden Stories.
The leaked data is a list of more than 50,000 phone numbers which, since 2016, have allegedly been selected as persons of interest by NSO Group’s government clients. The consortium believes the data points to potential targets that NSO government clients have identified prior to possible surveillance. The presence of an individual’s phone number in the database does not mean that the mobile phone has been hacked. NSO strongly denied the data had any connection to the Israeli company and said the phone numbers on the list are not targeted by NSO customers.
When successfully deployed against a target, Pegasus can infiltrate a mobile phone, giving the spyware user full access to phone calls, text messages, encrypted messages, and photographs. It can track a mobile phone user’s location and turn the phone into a remote listening device.
The use of Pegasus by Polish authorities was first revealed in December 2021, after The Associated Press, in association with researchers from the Citizen Lab at the University of Toronto, reported that Pegasus – the spyware of the NSO group – had been used against at least three people. , including Krzysztof Brejza. In his case, forensic analysis of his mobile phone showed that it had been compromised on several occasions in 2019 while leading the election campaign of the opposition Civil Platform party. The attacks ceased a few days after the vote.
The new Project Pegasus revelations indicate that an NSO Group client also sought to hack at least two individuals close to Brejza. Amnesty International’s Security Lab discovered that four suspicious text messages were sent to Łośko in April 2019, when she was leading Brejza’s campaign for the European Parliament. Amnesty found 10 suspicious text messages on Ryszard Brejza’s cell phone between July and August 2019.
Amnesty said that in both cases the SMS messages directed the recipient to websites that were created before the 2019 attacks and are no longer active. Available forensic evidence did not allow security researchers to confirm whether Łośko’s or Ryszard Brejza’s hacking attempts were successful.
Poland’s Central Anti-Corruption Bureau, the CBA, bought Pegasus in 2017 with Justice Ministry funds, according to documents presented at a hearing in the Polish Senate by the former head of the National Audit Office.
The ABC previously declined to confirm whether it used Pegasus against individuals, but said any use of the surveillance tool would have obtained legally required consents.
A spokesperson for Poland’s special services said, in response to a request for comment from Project Pegasus, that it could not comment on reports on the methods of its “operational work” and would not comment on whether specific individuals had been subjected to “operational work” methods. The spokesperson said all allegations that surveillance methods were used against individuals for “political purposes” were false.
NSO Group said in a statement: “Without referring to any specific government client, misuse of cyber intelligence tools is serious business and all credible allegations are immediately investigated. Unfortunately, a number of organizations with clear policy objectives continue to publish biased, inaccurate and incomplete reports based on little or no evidence. As repeatedly stated, NSO does not exploit the technology, and [is] unaware of the data collected. The company does not and cannot know who the target customers are.
The company has previously said that its customers are only allowed to use its spyware to target criminals and terrorists.
The company is facing intense pressure in the European Parliament, where the bloc’s data watchdog has advised to ban the use of Pegasus because of its power to intrude into the lives of its targets.
In interviews with Project Pegasus, Ryszard Brejza described being shaken by the news that his cell phone was being targeted by the intrusive spyware, especially since the suspicious text messages he received were intended to appeal to his personal interests. In one instance, he received messages related to the alleged Pegasus-related estate advertising a vacation home on the Baltic Sea, at a time when he was about to go on vacation to the Baltic coast.
Łośko, who is now a member of the Polish parliament, received suspicious text messages in 2019 regarding bullying, which researchers believe are now linked to Pegasus. Although she never researched bullying reports, Łośko recalls having conversations about bullying at the time.
In a statement, Amnesty said: “These new findings raise concerns, not just for politicians, but for all of Polish civil society in general, particularly given the government’s record of persistent human rights abuses. human rights and the rule of law”.