MADRID, SPAIN – APRIL 25: The President of the Government, Pedro Sanchez, closes the VIII Edition of the Cepyme Awards at the Auditorium of Banco Santander, on 25 April, 2022 in Madrid, Spain. The purpose of these awards is to promote social recognition of the figure of the entrepreneur and disseminate their work at the service of society, within the framework of a productive fabric made up mainly of SMEs and the self-employed. (Photo By Carlos Lujan/Europa Press via Getty Images)

Spanish Prime Minister Pedro Sánchez and the country’s defence minister Margarita Robles have been hacked with Pegasus spyware from the Israeli software company NSO Group. In the first confirmed use of cyber espionage software directly against a head of government, Sánchez’s phone was hacked twice and a combined 2.73GB data were lifted from the device. The perpetrator of the breach is unknown.

Spanish Prime Minister Pedro Sanchez has had his phone hacked using spyware. (Photo By Carlos Lujan/Europa Press via Getty Images)

Three attacks, two on Sánchez‘s phone in May last year and one on the phone of Robles in June, saw a total of 2.73 gigabytes of data stolen. The breach was announced at a press conference yesterday. “We are absolutely certain that it was an external attack, because in Spain, in a democracy like ours, all such interventions are carried out by official bodies and with judicial authorisation,” cabinet minister Félix Bolaños told reporters. “In this case, neither of the two circumstances prevailed, which is why we have no doubt that it was an external intervention. We want the judiciary to investigate. There is no evidence that there was other tapping after those dates.”

The Spanish State Atorney’s office is investigating the incident.

Spanish prime minister hacked: spyware breaches on the rise

Spyware such as Pegasus can circumnavigate encryption to monitor messages and pictures, and allows a device’s camera and microphone to be activated to enable remote surveillance. Pegasus came to prominence last year when an international investigation revealed it was being used by authoritarian regimes to spy on opposition politicians, activists and journalists.

In July 2021, French President Emmanuel Macron, along with 14 other French ministers, were informed that Pegasus had been detected on their phones, and last month European Commission officials were targeted using the software, while UK Prime Minister Boris Johnson’s office was also victim of an attack, though it is not known if Johnson’s devices were targeted.

These repeated attacks on the highest offices of European governments shows a need for tighter international regulation around surveillance software, Etay Maor, senior director of security strategy at Cato Networks, told Tech Monitor last month.

“What governments should be doing is making treaties with one another on what you’re allowed or not allowed to do between different countries [when it comes to spying],” Maor said. “This already is happening in the physical world, but I don’t think there is anything that is regulated in the cyber realm.”

Such treaties are unlikely to be drawn up, however, as governments are loath to regulate a tool they also use, explained Emily Taylor, CEO of Oxford Information Labs. “Any government is going to be really wary about drawing bright lines around activities that might well trip them up in the future,” she said. “It is clear that these are dual-use technologies; even countries that do not have the greatest human rights records have genuine needs to combat things like cybercrime and terrorism.”

Is NSO Group responsible for how Pegasus spyware is deployed?

NSO Group argues that, as a software provider, the company does not operate the technology nor is privy to the collected data. The company says it does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorised uses.

Maor says this defence is questionable. “NSO will claim, just like an F-15 or a missile, ‘We sell it to somebody and the way they use it is up to them, we’re not in charge of hurting civilians or officials or reporters’,” he says. But the level of guidance needed to deploy the spyware suggest NSO Group may be more involved with its customers than as a mere vendor, Maor argues.

He adds: “I think that position can be challenged because you’re not really buying a tool from NSO Group, you’re actually buying a service. You don’t know how to operate this whole thing by yourself. So it’s more like selling a missile as well as somebody who will operate it for you, which is not just a tool. You’re buying a service as well.”

Read more: European Commission officials targeted by spyware