The use of intrusive spyware by members of the European Union is expected to face new scrutiny following revelations that the mobile phones of two more Polish citizens with close links to an opposition senator were targeted by a client of NSO Group, according to security experts.
Forensic analysis by Amnesty International found that both Magdalena Łośko, the former assistant to Polish senator Krzysztof Brejza, and Brejza’s father, Ryszard Brejza, received text messages in 2019 that researchers said were technically consistent with spyware attacks by clients of NSO Group using Pegasus.
In both cases, the timing of the targeting matched the appearance of Łośko’s and Ryszard Brejza’s mobile phone numbers in a leaked database at the heart of the Pegasus Project, an investigation into NSO Group by a media consortium including the Guardian, Wyborcza and Die Zeit, coordinated by the French non-profit group Forbidden Stories.
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as people of interest by government clients of NSO Group. The consortium believes the data indicates the potential targets that NSO’s government clients identified in advance of possible surveillance. The presence of an individual’s phone number in the database does not mean the mobile phone was hacked. NSO has strongly denied that the data has any connection to the Israeli firm and said the phone numbers on the list are not targets of NSO customers.
When successfully deployed against a target, Pegasus can infiltrate a mobile phone, giving the user of the spyware full access to phone calls, text messages, encrypted messages and photographs. It can track a mobile phone user’s location and turn the phone into a remote listening device.
Polish authorities’ use of Pegasus first came to light in December 2021, after the Associated Press, in association with researchers at the Citizen Lab at the University of Toronto, reported that Pegasus – the NSO Group spyware – had been used against at least three people, including Krzysztof Brejza. In his case, forensic analysis of his mobile phone showed it had been compromised numerous times in 2019 while he was running the electoral campaign of the opposition Civil Platform party. The attacks stopped a few days after the vote.
The new revelations by the Pegasus Project indicate that a client of NSO Group also sought to hack at least two individuals close to Brejza. Amnesty International’s security lab found four suspicious text messages were sent to Łośko in April 2019, when she was running Brejza’s campaign for the European parliament. Amnesty found 10 suspicious text messages on Ryszard Brejza’s mobile between July and August 2019.
Amnesty said that, in both cases, the SMS messages directed the recipient to websites that were created before the attacks in 2019 and are no longer active. The available forensic evidence did not allow security researchers to confirm whether attempts to hack either Łośko or Ryszard Brejza were successful.
Poland’s Central Anticorruption Bureau, the CBA, bought Pegasus in 2017 using funds from the Ministry of Justice, according to documents presented at a Polish senate hearing by the former head of the National Audit Office.
The CBA has previously declined to confirm whether it used Pegasus against any individuals, but it has said that any use of the surveillance tool would have obtained legally required consents.
A spokesperson for Poland’s special services said, in response to a request for comment by the Pegasus Project, that it cannot comment on reports of methods of its “operational work” and would not comment on whether any specific individuals had been subjected to methods of “operational work”. The spokesperson said that any allegations that surveillance methods had been used against individuals for “political purposes” were false.
NSO Group said in a statement: “Without referring to any specific governmental customer, a misuse of cyberintelligence tools is a serious matter and all credible allegations are immediately investigated. Unfortunately, a number of organisations with clear political agendas continue to release biased, inaccurate and incomplete reports based on scant, if any, evidence. As repeatedly stated, NSO does not operate the technology, and [is] not privy to the collected data. The company does not and cannot know who the targets of the customers are.”
The company has previously said that its clients are only allowed to use its spyware to target criminals and terrorists.
The company is facing intense pressure in the European parliament, where the bloc’s data watchdog has advised the use of Pegasus should be banned because of its power to intrude into the lives of its targets.
In interviews with the Pegasus Project, Ryszard Brejza described being shaken up by the news that his mobile phone was targeted with the intrusive spyware, particularly since the suspicious text messages he was sent were catered to appeal to his personal interests. In one case, he received messages laced with the suspected Pegasus-linked domain advertising a holiday home on the Baltic Sea, at a time when he was about to go on holiday on the Baltic coast.
Łośko, who is now a member of the Polish parliament, received suspicious SMS messages in 2019 about bullying, which researchers now say are linked to Pegasus. While she never sought out reports on bullying, Łośko recalled having conversations about bullying at the time.
In a statement, Amnesty said: “These new findings increase concerns, not only for politicians, but for the whole of Poland’s civil society in general, particularly given the context of the government’s record of persistently subverting human rights and the rule of law.”