Two days before Boris Johnson’s first visit as prime minister to India, it has been revealed that ‘operators’ in India, the United Arab Emirates (UAE), Cyprus and Jordan used the Israeli spyware Pegasus to target phones of United Kingdom (UK) government officials between July 2020 and June 2021.
According to an analysis by Toronto-based Internet watchdog Citizen Lab—which has exposed the use of the NSO Group’s Pegasus by various governments, including India, several times—and reported by The New Yorker for the first time, the malware was also found on a device connected to 10 Downing Street.
A UK official confirmed to The New Yorker that the network was compromised. UK’s National Cyber Security Centre, a branch of British intelligence, tested several phones at Downing Street, including Johnson’s. “It’s a bloody hard job,” the official said adding that the agency was unable to locate the infected device. Therefore, the quality and quantity of data that could have been compromised were never determined.
“When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab told the American weekly magazine. Another senior researcher Bill Marczak said, “We suspect this included the exfiltration of data.”
Based on the servers to which the data were transmitted, Citizen Lab suspects that the UAE was behind the hack. “We confirm that in 2020 and 2021, we observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official UK networks. These included the Prime Minister’s Office and the Foreign and Commonwealth Office (Now, the Foreign Commonwealth and Development office, or FCDO),” Ron Deibert, director, Citizen Lab, said in a statement.
A Citizen Lab analysis shows FCDO phones were hacked on, at least, five occasions—from July 2020 to June 2021. “The suspected infections relating to the FCO (FCDO) were associated with Pegasus operators that we link to the UAE, India, Cyprus, and Jordan. Because the UK Foreign and Commonwealth Office and its successor office, the Foreign Commonwealth and Development office, have personnel in many countries, the suspected FCO infections we observed could have been related to FCO devices located abroad and using foreign SIM cards,” Deibert said.
“Given that a UK-based lawyer involved in a lawsuit against the NSO Group was hacked with Pegasus in 2019, we felt compelled to ensure that the UK government was aware of the ongoing spyware threat, and took appropriate action to mitigate it,” Deibert added.
Scott-Railton, who had thought that the “US, UK and other top-tier cyber powers were moving slowly on Pegasus because it wasn’t a direct threat to their national security” said that he was mistaken. “Even the UK was underestimating the threat from Pegasus, and had just been spectacularly burned.”
The UAE refused to comment on the revelations despite multiple requests for comment. One NSO employee told The New Yorker the company was unaware of the hack and termed the report “false”. “When we hear about every phone call that is being hacked over the globe, we get a report immediately. Information raised in the inquiry indicates that these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”
An NSO Group spokesperson told MailOnline. “NSO continues to be targeted by a number of politically motivated advocacy organisations, like Citizens Labs and Amnesty, to produce inaccurate and unsubstantiated reports based on vague and incomplete information. We have repeatedly cooperated with governmental investigations where credible allegations merit.”
