Spain's National Intelligence Centre (CNI) has now been identified as the perpetrator of massive and illegal espionage against the Catalan independence movement, through the use of Pegasus spyware. In 2022, the CatalanGate investigation revealed that at least sixty politicians and others linked to the Catalan independence movement had been spied on through their mobile phones, but now a new expert report, to which ElNacional.cat has had access, has clarified what everyone suspected: the CNI did it. The key was the mobile phone of current Catalan president Pere Aragonès, which the Spanish government admitted to having infected and spied on, through the CNI, from 2019 to March 2020 with judicial authorization. However, an expert report presented to the court months ago assesses the timing of the espionage as earlier, in the summer of 2018, as the ERC politician's lawyer, Andreu Van den Eynde, has insisted. Now, this new report concludes - after analyzing several mobile phones with the same espionage pattern as that of Aragonès - that a single IT infrastructure was used to attack all the victims of the CatalanGate case, and therefore the perpetrator responsible for all of them is the same: the Spanish government.
In this new expert report, commissioned by those affected and included in the Aragonès case, it is detailed that the company NSO, owner of Pegasus, creates a spyware program tailored to each client, most of which are government agencies. In the case of Spain's CNI, it has been found that it used this spyware from 2015 until at least 2020. The original system used was to send an SMS with links to news stories so that people clicked on them and their mobiles became infected; then, the information extracted was directed to internet domains. In the case of the CNI, it was identified that it used five internet domains, not overlapping with each other in time.
The CNI's five domains
The report states that Pegasus is a completely opaque product, which has evolved (it is no longer necessary to click on an SMS for a mobile phone or computer to be infected) and that it was the experts from Citizen Lab and Amnesty International who uncovered its operation, in 2016, identifying the so-called Indicators of Compromise (IoC) linked to the use of Pegasus spyware. It should be noted that in 2018 Pegasus changed these indicators after the discovery by Amnesty researchers.
The malware is tailor-made - for example, in the preparation of the SMS, so that those spied on will be tempted to click on it - and in the case of the Catalan politicians, one of the text messages used made reference to the Catalan leaders' trial in the Supreme Court, and several victims received the same SMS a few hours apart. Now, with the new report, the experts conclude, after analyzing hundreds of links, that the CNI used five internet domains from which it took custody of the information extracted from the terminals attacked. They are nnews.co, statads.co, adsmetrics.co, redirstats.com and statsupplier.com. The use of these domains never overlapped between 2015 and 2020; rather, a process of renewal was carried out. In addition, the report specifies that the malicious domains linked to the CatalanGate case were not used anywhere else in the world, so they are domains used by a single NSO client to attack victims in pro-independence political circles.
For example, it was discovered that at the end of 2019, the CNI was using the internet domain www.statsupplier.com, the one used with president Pere Aragonès, but also with the CUP deputy Carles Riera, as has recently been detailed in an expert report made by Catalonia's Mossos d'Esquadra police on behalf of the Barcelona court investigating the complaint. In other words, the perpetrator of the espionage in both cases is the CNI, as well as in the other cases where the domains attributed to the Spanish spy agency appear. In addition, it is detailed that at the beginning of 2019, there was a return to the use of SMS infections with the domain www.redirstats.com, with which Carles Riera was also infected, according to the Catalan police's report.
Spied on without judicial permission
The investigation confirms that president Aragonès was spied on without legal approval being given and that there were three infections: in July 2018, April 2019 and July 2019. From July 24th, 2019, the judge responsible for authorising CNI use of the spyware gave permission for the action against Aragonès, through the infection of his cell phone, and extended that permission three times, in 2020. In fact, the judge of Barcelona court No. 29 now wants to check this espionage through an official expert report commissioned from the Mossos, as other courts have done. The 2019-2020 period was of key political importance, since it was when ERC negotiated its support for the formation of a new Pedro Sánchez government.
More accusations against the CNI
The conclusion of the expert report is that the same infrastructure was used for all the espionage related to people in Catalan independence movement circles. Thus, this report which confirms the authorship of the CNI is likely to be key for the different judges in Barcelona who are investigating the complaints presented by ERC, the CUP, Òmnium Cultural and the ANC, in order to reactivate them and admit the accusations against the CNI leadership, which up till now has only been done by the judge of Barcelona court No. 29 in the Aragonès case, through the inclusion in the case as a person under investigation of former intelligence service director Paz Esteban. All the defendants reiterate that the espionage they have suffered is illegal, because it is of a political nature.