Spanish judge José Luis Calama has reopened the investigation into the alleged espionage with the Pegasus spyware program which infected the mobile phones of Spanish prime minister Pedro Sánchez and several ministers. The move to reopen the case follows the arrival of new information from France arising from a case carried out in that country. The National Audience judge had previously spent almost a year investigating the five infections of Pedro Sánchez's cell phone through Pegasus, as well as mobile devices belonging to defence minister Margarita Robles, interior minister Fernando Gran-Marlaska, and agriculture portfolio holder, Luis Planas, between 2020 and 2021. But subsequently, the judge ended up closing the case due to the "absolute" lack of legal cooperation from Israel, the country where the Pegasus developer and marketer, NSO group, has its registered office.
A European Investigation Order arrives
Despite the earlier problems, the judge has now received a European Investigation Order (EIO) from France that incorporates a case heard in 2021 relating to multiple Pegasus infections of phones belonging to journalists, lawyers, public figures and governmental and non-governmental associations, as well as members of the French government, ministers and deputies. Information that, according to the judge, if compared with the results of the analyses which Spain's National Cryptologic Centre made of the infected devices of the Spanish government members, may allow progress to be made in the two countries' attempts to determine authorship. "Thus, it is possible to establish comparisons between the traces found on the different infected telephones to identify a single source of infestation", says the judge in resolving to reopen the case.
Information provided by NSO
In the resolution, judge Calama specifies that the NSO managers were summonsed to court and did not appear, but did give "certain information to the French authorities about their operations and the internal control process of the Pegasus software", although the company denied being responsible for the infection of the phones and said that, if more information was to be requested, that should be done through international cooperation tools.
He adds that the document that was sent lists the so-called indicators of compromise (IOCs), data series that may indicate whether a system has been compromised by an attacker. The judge explains that these indicators can include IP addresses, domain names, malicious files, network traffic patterns, and anomalous user behaviour, among others. IOCs are used in detection of and response to computer security incidents. Security teams look for them in information systems and networks to identify potential threats and vulnerabilities. They can also be shared between organizations and the security community to prevent future attacks and improve defence measures. In addition, the judge details that the document sent also contains the system files, the dates of the activities directed or observed, the domain names and the owners of the domain names that appeared in the context of the expertise of the devices infected by Pegasus software in France.
Thus, the judge is reopening the case in order to compare the data provided by the French authorities and that obtained by the Spanish government's own cryptological efforts after analyzing the cell phones of the PM and the three ministers. "Thus", he says, they hope to "advance the investigations in both countries to clarify the authorship of these infections. Everything points to a third country which is suspected of ordering the espionage against the Spanish government figures.
By contrast with this intergovernmental cooperation, the Catalan independence movement has only been helped by independent bodies such as the Citizen Lab research centre and the Amnesty International human rights organization in the quest to find out who was spying en masse on politicians and activists with Pegasus from 2015 to at least 2020. In this Catalan case, everything points to the body responsible being the National Intelligence Centre (CNI); that is, it was the Spanish government that decided to make use of a tool created to pursue terrorists and criminal gangs.
"Good news" for the Spanish government
The Spanish government's first assessment of this news has come precisely from one of those allegedly spied on: defence minister Margarita Robles. On her arrival at this Tuesday's question session in the Senate, she described the reopening of the case as "good news", as the executive chaired by Pedro Sánchez is the most interested in "getting the facts straight".
Robles noted that the Spanish government brought the alleged "infection" of the mobile phones of Margarita Robles, Fernando Grande-Marlaska, Luis Planas and Pedro Sánchez to the attention of the National Audience, as soon as they became aware of it. It should be noted, however, that the Spanish government's decision to denounce the case took place just two weeks after the existence of over 60 espionage cases against the independence movement - using the same spyware - was revealed. The defence minister also celebrated that the case had been put in the hands of the Spanish Cryptological Centre, an institution in which she assures there are great professionals who will be able to "get to the bottom" of the matter.