A complex spyware attack hit nearly half a dozen of the European Union’s top legal officials last year.
Reuters reports that the phones of at least five EU officials were hacked with invasive malware between February and September of 2021. One of the targeted officials was Belgian politician Didier Reynders, the EU’s European Justice Commissioner since 2019, equivalent to the Attorney General in the United States. At least four other members of the Justice and Consumers commission were also spied on, the outlet says.
It’s not totally clear why these officials were targeted or who used the malware against them. Reuters reports that the affected parties were initially notified by Apple, which sent out a series of unprecedented emergency alerts to iPhone users last year warning of government targeting of user devices. Previously published security research has found that the recipients of these alerts had fallen prey to FORCEDENTRY, a sophisticated exploit created by the NSO Group.
The Israeli spyware maker is widely known for selling its spyware, Pegasus, to shady governments all over the world, as well as for hawking technically sophisticated exploits like FORCEDENTRY.
NSO has denied that it had any involvement in this case—telling Reuters that the hacking of the EU officials “could not have happened with NSO’s tools.” In general, the company has long maintained that its products are only used for legitimate law enforcement and terrorism investigations and are not used for domestic spying. Reuters also reached out to QuaDream, another, more secretive Israeli surveillance firm, but did not get any sort of comment or response.
Pegasus is a powerful commercial malware that has allegedly been used to hack a broad array of people, including other European politicians, political activists, human rights attorneys, and U.S. State Department officials.
NSO Group said in a statement that it was not responsible for the alleged hacking attempts described in the report, and added that it was in favor of an investigation into the matter.
The report comes after the European Parliament last week created a “committee of inquiry” to probe accusations over the use of the NSO Group’s Pegasus spyware by governments in the bloc, notably in Hungary and Poland.
Lawmakers voted overwhelmingly to “investigate alleged breaches of EU law in the use of the surveillance software by, among others, Hungary and Poland,” a statement said.
The 38-member committee “is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians, and lawyers,” it said.
The Pegasus malware, created by the NSO Group, was engulfed in controversy last July after a collaborative investigation by several media outlets reported that a string of governments around the world had used it to spy on critics and opponents.
Hungary was listed by the investigative journalism consortium as a potential user of Pegasus, with targets including journalists, lawyers, and other public figures. Pegasus can turn smartphones into pocket spying devices, allowing the user to read the target’s messages, track their location, and even turn on their camera and microphone without their knowledge.