The Guardian - UK
Politics
Stephanie Kirchgaessner

No 10 suspected of being target of NSO spyware attack, Boris Johnson ‘told’

NSO logos on smartphones
The revelations about a suspected hacking attack using NSO spyware will raise questions about a possible national security breach at the highest levels of British government. Photograph: Omar Marques/Sopa Images/Rex/Shutterstock

Boris Johnson has been told his Downing Street office has been targeted with “multiple” suspected infections using Pegasus, the sophisticated hacking software that can turn a phone into a remote listening device, it was claimed on Monday.

A report released by Citizen Lab at the University of Toronto said the United Arab Emirates was suspected of orchestrating spyware attacks on No 10 in 2020 and 2021.

Pegasus is the hacking software – or spyware – developed, marketed and licensed to governments around the world by the Israeli firm NSO Group. It has the capability to infect phones running either iOS or Android operating systems.

Citizen Lab added there had also been suspected attacks on the Foreign Office over the same two years that were also associated with Pegasus operators linked to the UAE – as well as India, Cyprus and Jordan.

The researchers, considered among the world’s leading experts in detecting digital attacks, announced they had taken the rare step of notifying Whitehall of the attack as it “believes that our actions can reduce harm”.

However, they were not able to identify the specific individuals within No 10 and the Foreign Office who are suspected of having been hacked.

In a statement, Citizen Lab said: “We confirm that in 2020 and 2021 we observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official UK networks. These included: the prime minister’s office (10 Downing Street) [and] the Foreign and Commonwealth Office …

“The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus and Jordan. The suspected infection at the UK prime minister’s office was associated with a Pegasus operator we link to the UAE.”

Boris Johnson outside No 10 Downing Street.
The allegations will raise serious questions for Boris Johnson about a possible security breach. Photograph: Tayfun Salcı/Zuma Press Wire/Rex/Shutterstock

The Biden administration took the extraordinary step of placing NSO on a US blacklist last November, saying it had evidence the company had sold surveillance spyware to foreign governments that had used it for “transnational repression”. At the time, an NSO spokesperson said it was “dismayed by the decision”.

The allegations will raise significant questions about a possible national security breach at the highest levels of the British government.

The governments of the UAE, India, Cyprus and Jordan have been approached for comment.

A UK government spokesperson said: “We do not routinely comment on security matters.”

An NSO spokesperson said: “NSO continues to be targeted by a number of politically motivated advocacy organisations like Citizen Lab and Amnesty to produce inaccurate and unsubstantiated reports based on vague and incomplete information.

“We have repeatedly cooperated with governmental investigations, where credible allegations merit. However, information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.”

The Pegasus project, a collaborative investigation into NSO that included the Guardian, the Wire, Le Monde and the Washington Post, revealed dozens of cases last year in which NSO’s Pegasus was used by government clients, from Saudi Arabia to Mexico, to target dissidents and journalists. The work was among the recipients of the prestigious 2021 George Polk awards in journalism.

NSO is regulated by the Israeli defence ministry and sells Pegasus spyware to governments around the world. When it is successfully deployed against a target, Pegasus can infect any phone. It can intercept phone calls, view photographs, track an individual’s location and turn a phone into a remote listening device.

The Citizen Lab director, Ron Deibert, said he believed the infections could have been related to FCO devices located abroad. Explaining his reasoning for alerting Johnson, he said that the UK “is currently in the midst of several ongoing legislative and judicial efforts relating to regulatory questions surrounding cyber policy”. Therefore, he added, “we believe that it is critically important that such efforts are allowed to unfold free from the undue influence of spyware”.

The UK development comes months after an investigation into NSO found that the mobile phone of a serving French minister, François de Rugy, showed digital traces of activity associated with Pegasus spyware. His details appeared on a leaked database, which also included mobile numbers for the French president, Emmanuel Macron, and most of his 20-strong cabinet, along with the then prime minister, Édouard Philippe.

In response, an NSO Group spokesperson said Macron and other French officials on the list “are not and never have been Pegasus targets”. They added: “It is not a list of targets or potential targets of NSO’s customers.”

In October last year, a UK court found that Sheikh Mohammed bin Rashid al-Maktoum of Dubai used Pegasus to hack the phone of his ex-wife Princess Haya and five of her associates.

The court found that the hacking of Haya and her associates, including Fiona Shackleton, who sits in the House of Lords, occurred while the former couple were locked in court proceedings in connection to the welfare of their two children.

Johnson’s government was accused by some MPs last November of prioritising trade agreements over national security in its handling of surveillance abuses on British soil by governments using Pegasus.

In November, a letter to the prime minister signed by 10 MPs and peers called on the government to end its cybersecurity programmes with countries that are known to have used NSO spyware to target dissidents, journalists and lawyers – and impose sanctions on NSO.

It also called for the suspension of all UK spyware licences and cybersecurity contracts with Gulf nations implicated in cyber-attacks in the UK.
