Digital threat researchers at Citizen Lab have discovered a new zero-click iMessage exploit used to install NSO Group spyware on iPhones belonging to Catalan politicians, journalists, and activists.
The previously unknown iOS zero-click security flaw dubbed HOMAGE affects some versions before iOS 13.2 (the latest stable iOS version is 15.4).
It was used in a campaign targeting at least 65 people with NSO’s Pegasus spyware between 2017 and 2020, together with the Kismet iMessage exploit and a WhatsApp flaw.
Among the victims of these attacks, Citizen Lab mentioned Catalan Members of the European Parliament (MEPs), every Catalan president since 2010, as well as Catalan legislators, jurists, journalists, and members of civil society organizations and their families.
“Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3. It is possible that the exploit was fixed in iOS 13.2,” Citizen Lab said.
“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”
The academic research lab has reported and provided Apple with the forensic artifacts needed to investigate the exploit and says there is no evidence that Apple customers using the latest versions of iOS are exposed to HOMAGE attacks.
“At this time the Citizen Lab is not conclusively attributing these hacking operations to a particular government, however a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government,” Citizen Lab added.
EU Commission, UK govt, Finnish diplomats, US State Dept also targeted
As Reuters reported, NSO spyware was also used in attacks targeting senior European Commission officials last year, including the European Justice Commissioner.
According to Citizen Lab Director Ron Deibert, multiple suspected infections with Pegasus spyware within official UK networks were also reported by Citizen Lab to the government of the United Kingdom.
A suspected infection on a device belonging to an official at the Prime Minister’s Office was associated with Pegasus operators linked to the UAE, while attacks relating to UK’s Foreign and Commonwealth Office linked to the UAE, India, Cyprus, and Jordan.
Finland’s Ministry for Foreign Affairs said in January that devices of Finnish diplomats had been infected with NSO Group’s Pegasus spyware after US Department of State employees also found that their iPhones had been hacked to install the same spyware.
The European Parliament is setting up a committee of inquiry (which will hold its first meeting on April 19) to investigate breaches of EU law stemming from the use of NSO Pegasus and equivalent spyware.
Pegasus, a spyware tool developed by Israeli surveillance firm NSO Group, is marketed as surveillance software licensed to governments worldwide for “investigating crime and terror.”
“The spyware covertly penetrates mobile phones (and other devices) and is capable of reading texts, listening to calls, collecting passwords, tracking locations, accessing the target device’s microphone and camera, and harvesting information from apps,” Citizen Labs explains.
“Encrypted calls and chats can also be monitored. The technology can even maintain access to victims’ cloud accounts after the infection has ended.”
