Introduction:
The investigation into sophisticated spyware such as Pegasus demands rigorous forensic methodology and scrutiny to ensure the reliability of findings. Recent analyses, including the "Catalangate" report, highlight critical shortcomings in the investigative approaches employed by NGOs such as Amnesty International: reliance on iCloud backups without corroborating physical device extractions, inadequate use of cryptographic hashing to verify data integrity, and over-reliance on string matching without logical reasoning or consideration of Tactics, Techniques, and Procedures (TTPs). Each of these leaves significant gaps in accuracy and credibility.
Such oversights can lead to inaccuracies, false positives, and potential manipulation of evidence, as critics of the Mobile Verification Toolkit (MVT) have demonstrated. These flaws underscore the importance of exhaustively ruling out alternative explanations and employing robust forensic practices. Failure to do so undermines not only the integrity of the findings but also the trustworthiness of the NGOs leading such investigations. This article explores the critical need for comprehensive and transparent methodologies in spyware investigations, so that the credibility of this vital research is upheld.
A Detailed Review
Overview: This briefing doc analyzes multiple sources concerning "CatalanGate," the alleged use of spyware against individuals linked to the Catalan independence movement. It examines key themes, important facts, and potential implications of this complex case.
Key Themes:
Widespread Spyware Targeting: Evidence suggests the use of both Pegasus and Candiru spyware against dozens of individuals connected to the Catalan independence movement, including politicians, lawyers, activists, and even family members.
"According to the Citizen Lab, at least 63 individuals linked to the Catalan independence movement were targeted with Pegasus... and they confirmed 51 actual infections." (CatalanGate_ Mercenary Spyware in Catalonia.wav)
"The Catalangate report claims that Jordi Domingo, Anna Gabriel, Ernest Maragall, Sergi Miquel, and Roger Torrent were under surveillance through WhatsApp..." (Catalangate Vectors: An Analysis of WhatsApp's Impact on Citizen Privacy & Amnesty International's MVT-Tool)
Sophisticated Tactics and Personalized Lures: The attackers employed sophisticated techniques, including zero-click exploits, SMS-based targeting, and personalized phishing messages designed to trick targets into clicking malicious links.
"Many of these attacks used SMS messages carefully crafted to lure people in... basically phishing attacks, but on steroids." (CatalanGate_ Mercenary Spyware in Catalonia.wav)
"Baylina received a text message masquerading as a boarding pass link for a Swiss International Air Lines flight he had purchased... the Pegasus operator may have had access to Baylina’s Passenger Name Record (PNR)." (Report_155--catalangate_012023_.pdf)
Attribution and Potential Spanish Government Involvement: While conclusive attribution remains challenging, circumstantial evidence points to a strong nexus between the spyware attacks and the Spanish government.
"The Citizen Lab argues, look, it's highly improbable that a foreign entity would risk an operation like this, this sensitive, on Spanish soil, without at least the Spanish government being in the loop." (CatalanGate_ Mercenary Spyware in Catalonia.wav)
"Spain maintains a robust security and intelligence apparatus... The CNI has also been at the centre of a series of surveillance and espionage scandals." (Report_155--catalangate_012023_.pdf)
Important Facts and Findings:
Timeline: Spyware targeting dates back to at least 2017, coinciding with the Catalan independence referendum. (CatalanGate: A Timeline of Spyware Surveillance)
Targets: A comprehensive list of 65 confirmed and suspected targets is documented, including prominent figures like Jordi Sànchez, Jordi Cuixart, and Roger Torrent. (Report_155--catalangate_012023_.pdf)
Infection Vectors: Analysis reveals multiple infection vectors, including WhatsApp vulnerabilities and malicious SMS messages. (CatalanGate Vectors: An Analysis of WhatsApp's Impact on Citizen Privacy & Amnesty International's MVT-Tool)
Forensic Methodology: Amnesty International's Mobile Verification Toolkit (MVT) played a crucial role in identifying traces of Pegasus infections. (Forensic Methodology Report: How to catch NSO Group’s Pegasus - Amnesty International)
Domain Analysis: Investigation uncovered a vast network of domains linked to Pegasus and Candiru infrastructure. (Forensic Methodology Report: How to catch NSO Group’s Pegasus - Amnesty International)
Potential Implications:
Violation of Fundamental Rights: The use of spyware against civilians raises serious concerns about the violation of privacy, freedom of expression, and other fundamental rights.
Erosion of Trust in Democratic Processes: The potential involvement of the Spanish government in these activities undermines trust in democratic institutions and processes.
Need for Robust Oversight and Regulation: CatalanGate highlights the urgent need for stricter regulations and robust oversight mechanisms to prevent the abuse of spyware technologies.
Recommendations:
Independent Investigation: An independent and transparent investigation is necessary to determine the full extent of the spying operation and hold those responsible accountable.
Strengthen Legal Frameworks: National and international legal frameworks must be strengthened to protect individuals from unlawful surveillance and ensure accountability for abuses.
Promote Transparency and Public Awareness: Increased transparency and public awareness about the risks and implications of spyware are crucial to protect individuals and safeguard democratic values.
Criticisms and Limitations:
Potential for False Positives: Concerns have been raised about the potential for false positives in Amnesty International's MVT tool. (Catalangate Vectors: An Analysis of WhatsApp's Impact on Citizen Privacy & Amnesty International's MVT-Tool)
Oversimplification of Attribution: The narrative surrounding CatalanGate risks oversimplifying the attribution issue and neglecting the possibility of alternative scenarios. (FAQ: Logical Fallacies)
Conclusion:
CatalanGate represents a significant case study in the increasing use of spyware against individuals perceived as threats by governments. It underscores the urgent need for global action to address the proliferation and misuse of these powerful surveillance technologies. By promoting greater transparency, accountability, and robust legal frameworks, we can better protect individuals from unlawful surveillance and safeguard the integrity of democratic societies.
The sources describe methodological flaws in the Mobile Verification Toolkit (MVT), a software developed by Amnesty International to detect traces of Pegasus in phone backups. The MVT is criticized for its over-reliance on string-matching algorithms without incorporating contextual analysis of Tactics, Techniques, and Procedures (TTPs). This approach can result in false positives, as the tool may trigger even if a malicious domain is manually entered into the browser, regardless of whether the device is infected. Additionally, the MVT’s functionality is influenced by the device’s internet connectivity status, further increasing the risk of false positives.
Controlled experiments revealed that the MVT flagged false positives in 15%-20% of tested cases. The MVT also has a limited capacity to differentiate between malicious activity and legitimate applications. In cases where internet connectivity was isolated, false-positive detection rates exceeded 25% in some domains. Data injection into SQLite databases also demonstrated forgery vulnerabilities in backup analysis.
Experts recommend that, to identify infections accurately, analysts weigh logical reasoning, TTPs, and other context alongside string matching. It is also crucial to physically access the device and to verify the integrity of suspected databases and files containing Indicators of Compromise (IOCs) with cryptographic hashing during forensic analysis. Without these measures, data may be altered or manipulated, leading to inaccurate or false results. Cryptographic hashing techniques such as SHA-256, SHA-512, or MD5 can help verify data integrity and detect tampering. Moreover, physically examining the device allows additional data to be gathered, such as hardware information, which further confirms the authenticity of the data and improves analysis accuracy.
Relying solely on iCloud backups for forensic analysis has limitations, as it excludes a significant amount of data. If iTunes sync is not disabled before connecting the device to a computer, the device’s content may be altered. The sources also note that the MVT lacks cryptographic safeguards, raising doubts about infection certainties.
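The integrity check recommended above can be made concrete with a hash manifest: every file in an extraction is hashed once at acquisition, and any later verification that shows a different digest proves the evidence changed after it was collected. The following is an added example written for this article; it is not code from MVT, Amnesty International or the Citizen Lab. The directory layout (a constructed sms.db and one attachment under Library/SMS) is a fabricated stand-in for a real extraction. SHA-256 is used rather than MD5 because MD5 collisions are practical and it no longer offers meaningful tamper resistance.

```python
"""Added example (not from the page, MVT or the Citizen Lab): build and
verify a SHA-256 manifest over a forensic extraction so that any later
alteration of a database or attachment file can be detected."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large extractions fit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (as a relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the current tree against a stored manifest.

    Returns {"modified": [...], "missing": [...], "added": [...]}; three
    empty lists mean the extraction is byte-for-byte as recorded.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: hash a fake extraction, alter one file
    afterwards, and show the verifier reporting exactly that file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Library", "SMS", "Attachments"))
        db = os.path.join(root, "Library", "SMS", "sms.db")
        att = os.path.join(root, "Library", "SMS", "Attachments", "a.heic")
        with open(db, "wb") as f:
            f.write(b"SQLite format 3\x00constructed sample\n")  # fake database bytes
        with open(att, "wb") as f:
            f.write(b"constructed attachment bytes")
        manifest = build_manifest(root)
        # Persist the manifest as JSON. In a real case keep it (or a signed
        # copy) separate from the evidence so it cannot be edited alongside
        # the files it protects.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        # Simulate a post-acquisition change to the database.
        with open(db, "ab") as f:
            f.write(b"row appended after acquisition\n")
        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(demo())  # {'modified': ['Library/SMS/sms.db'], 'missing': [], 'added': []}
```

A manifest only proves that files match what was recorded when it was built, so it must be created at acquisition time and stored out of reach of anyone who can edit the extraction; a digest computed after the fact cannot tell a genuine artefact from one injected into an SQLite database beforehand.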
The Citizen Lab, which used the MVT to analyze the CatalanGate incident, acknowledges the limitations of relying solely on iCloud backups. They maintain that they corroborated their findings with other evidence, including SMS messages and network traffic analysis. They also state that they shared a selection of their findings with Amnesty International's Security Lab, which independently validated the Citizen Lab's forensic methodology.
However, Amnesty International’s role as both a validator and tool provider raises concerns about potential biases. The fact that they also share funding sources with the Citizen Lab further complicates the matter.
Experts recommend that the Citizen Lab combine backup-based methods with direct device inspections, incorporate TTP-based detection methods, and encourage updates to MVT or use additional forensic tools that address known limitations to mitigate these methodological flaws.
The sources provide some Indicators of Compromise (IOCs) specifically relevant to Apple devices, suggesting a potential security breach or ongoing cyberattack. These IOCs are categorized as Network-based, Host-based, Behavioral, and those specific to an attack campaign known as "Operation Triangulation."
Network-Based IOCs:
Unusual outbound network traffic or spikes in data usage could indicate data exfiltration or malware communication.
Connections to known malicious IP addresses or domains suggest communication with command-and-control servers or other malicious infrastructure.
Communication between internal hosts and recipients outside the company's operating country might indicate unauthorized data transfer or remote access attempts.
Connections to non-standard ports can signify attempts to bypass security measures or establish hidden communication channels.
Host-Based IOCs:
The presence of the process named "BackupAgent" in data usage logs is suspicious (Note: "BackupAgent2" is not an indicator). This might indicate unauthorized backup activity or attempts to access sensitive data.
Modification of system files, particularly in Library/SMS/Attachments, could signal malware installation or data tampering.
Inability to install iOS updates may be caused by malware interfering with system processes or modifications to system settings.
Changes to system configuration settings without user consent can indicate compromise and unauthorized access.
Behavioral IOCs:
Multiple failed login attempts on a single account suggest brute-force attacks or attempts to gain unauthorized access.
Account logins from unexpected geographical locations indicate potential account compromise or unauthorized access from unusual regions.
Sudden DNS requests without notice could point to malware communicating with external servers or attempting to resolve malicious domains.
Unauthorized changes to registry or system files suggest system manipulation by malicious actors.
Multiple requests for access to a single file might indicate attempts to read, modify, or exfiltrate sensitive data.
Specific to Operation Triangulation:
Presence of malicious iMessage attachments suggests exploitation of vulnerabilities in the iMessage platform to deliver malware.
Network connections to *.ess.apple.com followed by .icloud-content.com or content.icloud.com indicate potential data access or manipulation within the iCloud ecosystem.
Subsequent connections to multiple C&C domains with significant outgoing traffic point to established communication with malicious infrastructure for command execution and data exfiltration.
It's crucial to remember that these IOCs are potential indicators and do not definitively confirm a compromise. They provide clues that warrant further investigation using forensic tools and techniques to determine if a security breach has occurred.
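Two of the indicators above are easy to get wrong in code: the "BackupAgent" process must be matched by exact name (a substring match also hits the benign "BackupAgent2"), and the Operation Triangulation network pattern is a sequence, not a set of individual hosts. The checker below is an added example written for this article, not code from MVT or any vendor; the data-usage rows, the host names (p25.ess.apple.com, cvws.icloud-content.com) and the C&C domains (c2-one.example, c2-two.example) are all constructed placeholders, and the 500,000-byte outbound threshold is an assumed value.

```python
"""Added example (not from the page, MVT or the Citizen Lab): exact-match
and sequence-aware checks over constructed iOS data-usage and network
records, illustrating two of the host and network IOCs listed above."""
from fnmatch import fnmatch

# Constructed sample records shaped like rows from a data-usage log:
# (timestamp, process name, bytes out)
DATAUSAGE_ROWS = [
    ("2023-01-10T08:00:00Z", "BackupAgent2", 1200),
    ("2023-01-10T08:05:00Z", "BackupAgent", 48213),
    ("2023-01-10T08:06:00Z", "mobilemail", 3001),
]

# Constructed network log in time order: (timestamp, destination host, bytes out)
NETWORK_ROWS = [
    ("2023-01-10T09:00:01Z", "p25.ess.apple.com", 512),         # hypothetical *.ess.apple.com host
    ("2023-01-10T09:00:03Z", "cvws.icloud-content.com", 2048),  # hypothetical icloud-content host
    ("2023-01-10T09:01:10Z", "c2-one.example", 950000),         # placeholder C&C domain
    ("2023-01-10T09:02:30Z", "c2-two.example", 1300000),        # placeholder C&C domain
]

SUSPICIOUS_PROCESSES = {"BackupAgent"}             # exact names only; BackupAgent2 is benign
C2_DOMAINS = {"c2-one.example", "c2-two.example"}  # placeholders for a real IOC list
LARGE_OUTBOUND = 500_000                           # bytes; assumed threshold


def flag_processes(rows):
    """Exact process-name match against the IOC list."""
    return [(ts, proc) for ts, proc, _ in rows if proc in SUSPICIOUS_PROCESSES]


def flag_processes_naive(rows):
    """Substring match, kept only to show the BackupAgent2 false positive."""
    return [(ts, proc) for ts, proc, _ in rows if "BackupAgent" in proc]


def triangulation_sequence(rows):
    """True when a *.ess.apple.com connection is followed by an
    icloud-content.com / content.icloud.com connection and then by large
    outgoing traffic to two or more listed C&C domains. Each stage only
    counts after the previous one has been seen, so the same hosts in a
    different order do not trigger it."""
    saw_ess = saw_icloud = False
    c2_hit = set()
    for _, host, out in rows:
        if fnmatch(host, "*.ess.apple.com"):
            saw_ess = True
        elif saw_ess and (host.endswith(".icloud-content.com") or host == "content.icloud.com"):
            saw_icloud = True
        elif saw_icloud and host in C2_DOMAINS and out >= LARGE_OUTBOUND:
            c2_hit.add(host)
    return len(c2_hit) >= 2


def summarize(datausage, network):
    """Collect the findings; a non-empty result is a lead, not a verdict."""
    return {
        "suspicious_processes": flag_processes(datausage),
        "triangulation_pattern": triangulation_sequence(network),
    }


if __name__ == "__main__":
    print("naive match:", flag_processes_naive(DATAUSAGE_ROWS))
    print(summarize(DATAUSAGE_ROWS, NETWORK_ROWS))
```

Running it shows the naive matcher returning both BackupAgent2 and BackupAgent while the exact matcher returns only the latter, and the sequence check succeeding on the ordered sample but failing once the initial ess.apple.com connection is removed. As the text above says, a hit from either check is a reason to pull the device for full forensic examination, not a confirmed compromise.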
As discussed above, forensic techniques such as physical device extraction and cryptographic hashing play a critical role in verifying IOCs and ensuring data integrity during investigations.
When discussing iCloud backups as a forensic technique, it's important to be aware of the types of data that are commonly excluded. This can be significant in investigations, especially when relying solely on iCloud data without physical device extraction. The sources mention several categories of excluded data:
Photos and Videos: If iCloud Photos is enabled, photos and videos are stored separately in iCloud and are not included in the backup.
Messages: With Messages in iCloud enabled, iMessages and SMS messages are not part of the iCloud backup.
Health Data: This sensitive information is not included in standard iCloud backups. It's only included if the user specifically chooses an encrypted backup through Finder or iTunes.
App Store Content: Purchased apps, music, books, and other App Store content are not backed up. These can be re-downloaded using the user's Apple ID.
Data Already Synced to iCloud: Data that is already stored and synced with iCloud, like Contacts, Calendars, Notes, and Reminders, is not duplicated in the backup.
Certain Device Settings: Configurations such as Face ID or Touch ID settings are not included in iCloud backups.
Large Files: Files larger than 50 GB cannot be uploaded to iCloud Drive, regardless of the available storage space. This limitation might impact the backup's completeness if large files are present on the device.
Some Third-Party App Data: Many third-party apps store data locally on the device or in their own separate cloud services. This data might not be captured in an iCloud backup.
The exclusion of these data types highlights a key limitation of relying solely on iCloud backups for forensic investigations. Physical device extraction is generally recommended for a more complete picture, as it captures all files present on the device.
CatalanGate Timeline
2010 - 2016: The Spanish National Intelligence Center (CNI) reportedly signs a €3.4 million contract with Hacking Team, a Milan-based surveillance software company, for the use of their spyware.
2017:
October 1st: Catalonia holds an independence referendum, deemed illegal by the Spanish government, resulting in 90% voting for independence with a 42% voter turnout. Violence erupts as Spanish police clash with peaceful demonstrators.
October 13th: Jordi Sànchez, a prominent figure in the independence movement, is infected with Pegasus spyware just days before his arrest.
October 14th: Jordi Cuixart, President of Òmnium Cultural, a Catalan cultural organization, is sentenced to prison for his role in the referendum.
November 2017 – December 2018: Maati Monjib is targeted with multiple Pegasus SMS messages containing malicious links.
April 2018 – March 2019: Maati Monjib’s phone shows records of the “bh” process execution, potentially linked to Pegasus.
May 2018: Candiru customer seemingly begins employing customized “Tor behavior” on their servers.
October 2018 – September 2019: 417 resolutions for the domain urlredirect.net are recorded, indicating potential Pegasus infection attempts.
February 2019 – September 2019: Omar Radi’s phone records show the execution of the “bh” process, potentially linked to Pegasus.
February 2019: Omar Radi's phone shows traces of Pegasus infection, including a suspicious "bh" process and a Webkit IndexedDB file for a known Pegasus installation domain.
May 13th, 2019: The Financial Times reports a critical flaw in WhatsApp, later identified as CVE-2019-3568, which could be exploited by Pegasus spyware to target phone numbers.
July 2019: Hungarian journalists András Szabó and Szabolcs Panyi's iPhones show evidence of potential Pegasus infection, including suspicious iMessage account lookups and processes like "roleaccountd" and "stagingd."
August 2019: Forensic analysis of an iPhone reveals the execution of processes ("roleaccountd," "stagingd," "aggregatenotd") associated with Pegasus infections.
July 23rd, 2020 – October 15th, 2020: 410 resolutions for the domain mailappzone.com are recorded, potentially indicating Pegasus infection attempts.
2020: El País confirms that the Spanish government is an NSO Group customer and that the CNI actively uses Pegasus spyware.
July 2021: Microsoft patches two zero-day vulnerabilities (CVE-2021-31979, CVE-2021-33771) exploited by Candiru to infect Windows systems. Citizen Lab publishes a report detailing the use of Candiru spyware against Catalan targets.
January 2023: The Citizen Lab publishes an updated report on CatalanGate, revealing the extent of the surveillance operation and providing evidence linking it to the Spanish government.
May-June 2024: Gregorio Martín Quetglas and Jonathan Boyd Scott publish a paper analyzing the impact of WhatsApp's CVE-2019-3568 vulnerability and Amnesty International's Mobile Verification Toolkit (MVT) on citizen privacy in the context of CatalanGate.
Cast of Characters
Individuals targeted with Spyware:
Jordi Sànchez: Prominent figure in the Catalan independence movement, former president of the Assemblea Nacional Catalana (ANC). Targeted with Pegasus spyware and arrested in 2017.
Jordi Cuixart: President of Òmnium Cultural, a Catalan cultural organization. Sentenced to prison in 2017 for his role in the Catalan independence referendum.
Roger Torrent: Former President of the Catalan Parliament. Targeted with Pegasus spyware via the 2019 WhatsApp vulnerability.
Ernest Maragall: Leader of the pro-independence, Barcelona-based Republican Left of Catalonia party. Targeted with Pegasus spyware via the 2019 WhatsApp vulnerability.
Anna Gabriel: Former regional Member of Parliament for the far-left party, the Popular Unity Candidacy (CUP). Targeted with Pegasus spyware while living in Switzerland.
Jordi Domingo: Activist and member of the Assemblea Nacional Catalana. Targeted with Pegasus spyware.
Sergi Miquel Gutiérrez: Staffer for Carles Puigdemont. Targeted with Pegasus spyware.
Maati Monjib: Moroccan journalist and human rights defender. Targeted with Pegasus spyware between 2017 and 2019.
Omar Radi: Moroccan journalist and human rights defender. Targeted with Pegasus spyware between 2019 and 2020.
András Szabó: Hungarian investigative journalist. Targeted with Pegasus spyware.
Szabolcs Panyi: Hungarian investigative journalist. Targeted with Pegasus spyware.
Jordi Baylina: Technology lead at Polygon, an Ethereum scaling platform. Extensively targeted with Pegasus, receiving at least 26 infection attempts.
Marta Rovira: Catalan politician in exile in Switzerland. Targeted with Pegasus spyware on her Swiss phone number.
Joan Matamala: Catalan businessman. Targeted with both Pegasus and Candiru spyware.
Organizations:
Spanish National Intelligence Center (CNI): Spain's primary intelligence agency, responsible for both domestic and international intelligence gathering. Reportedly a customer of NSO Group and user of Pegasus spyware.
Guardia Civil: Spain's national law enforcement agency with military origins. Reportedly used spyware like SITEL and Hacking Team to track suspects.
Assemblea Nacional Catalana (ANC): A prominent Catalan civil society organization advocating for Catalan independence. Several of its members, including Jordi Sànchez and Elisenda Paluzie, were targeted with spyware.
Òmnium Cultural: A major Catalan cultural organization promoting Catalan language and culture. Its president, Jordi Cuixart, was imprisoned for his role in the Catalan independence referendum.
Citizen Lab: A research group based at the University of Toronto that investigates digital threats to civil society, including the use of spyware like Pegasus and Candiru. Played a key role in exposing and analyzing CatalanGate.
Amnesty International: An international human rights organization. Developed the Mobile Verification Toolkit (MVT) to detect traces of spyware infections on mobile devices.
Companies:
NSO Group: An Israeli cyber-intelligence company that develops and sells Pegasus spyware to governments worldwide. Confirmed to have the Spanish government as a customer.
Candiru: An Israeli cyber-intelligence company that develops and sells spyware tools, reportedly used against Catalan targets.
Hacking Team: An Italian company that developed and sold spyware to governments. CNI reportedly had a contract with Hacking Team from 2010 to 2016.
Researchers:
Gregorio Martín Quetglas: Professor of Computer Science at Valencia University, co-author of the paper "Catalangate Vectors: An Analysis of WhatsApp's Impact on Citizen Privacy & Amnesty International's MVT-Tool."
Jonathan Boyd Scott: Executive Director of Milad Group LLC, co-author of the paper "Catalangate Vectors: An Analysis of WhatsApp's Impact on Citizen Privacy & Amnesty International's MVT-Tool."