No 10 subjected to UAE-linked spyware attack, says report, but Israeli firm suggests allegations are false
Boris Johnson has been told his Downing Street office has been targeted with “multiple” suspected infections using Pegasus, the sophisticated hacking software that can turn a phone into a remote listening device, it was claimed on Monday.
A report released by Citizen Lab at the University of Toronto said the United Arab Emirates was suspected of orchestrating spyware attacks on No 10 in 2020 and 2021.
Pegasus is the hacking software — or spyware — developed, marketed and licensed to governments around the world by the Israeli firm NSO Group. It has the capability to infect phones running either iOS or Android operating systems.
Citizen Lab added there had also been suspected attacks on the Foreign Office over the same two years that were also associated with Pegasus operators linked to the UAE — as well as India, Cyprus and Jordan.
The researchers, considered among the world’s leading experts in detecting digital attacks, announced they had taken the rare step of notifying Whitehall of the attack as it “believes that our actions can reduce harm”.
However, they were not able to identify the specific individuals within No 10 and the Foreign Office who are suspected of having been hacked.
In a statement, Citizen Lab said: “We confirm that in 2020 and 2021 we observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official UK networks. These included: the prime minister’s office (10 Downing Street) [and] the Foreign and Commonwealth Office …
“The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus and Jordan. The suspected infection at the UK prime minister’s office was associated with a Pegasus operator we link to the UAE.”
The Biden administration took the extraordinary step of placing NSO on a US blacklist last November, saying it had evidence the company had sold surveillance spyware to foreign governments that had used it for “transnational repression”. At the time, an NSO spokesperson said it was ‘“dismayed by the decision”.
The allegations will raise significant questions about a possible national security breach at the highest levels of the British government.
The governments of the UAE, India, Cyprus and Jordan have been approached for comment.
A UK government spokesperson said: “We do not routinely comment on security matters.”
An NSO spokesperson said: “NSO continues to be targeted by a number of politically motivated advocacy organisations like Citizen Lab and Amnesty to produce inaccurate and unsubstantiated reports based on vague and incomplete information.
“We have repeatedly cooperated with governmental investigations, where credible allegations merit. However, information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”
The Pegasus project, a collaborative investigation into NSO that included the Guardian, the Wire, Le Monde and the Washington Post, revealed dozens of cases last year in which NSO’s Pegasus was used by government clients, from Saudi Arabia to Mexico, to target dissidents and journalists. The work was among the recipients of the prestigious 2021 George Polk awards in journalism.
NSO is regulated by the Israeli defence ministry and sells Pegasus spyware to governments around the world. When it is successfully deployed against a target, Pegasus can infect any phone. It can intercept phone calls, view photographs, track an individual’s location and turn a phone into a remote listening device.
Comments