Share this page!

John Scott-Railton Profile picture
Twitter logo
May 2 11 tweets 7 min read
NEW: 🇪🇸 Spain says Prime Minister & Defense Minister were infected with #Pegasus.

Remarkable timing.

Just days ago Defense Minister Robles gave a speech appearing to defend use of Pegasus following our @citizenlab report on hacking of Catalans. 1/

reuters.com/world/europe/s…
2/ Two weeks ago we published an investigation showing a large-scale hacking operation using #Pegasus & Candiru spyware against Catalan political figures & civil society.
catalonia.citizenlab.ca
3/ The Spanish government's response to our investigation was interesting.

After denials, smears & trolling it had just arrived at the rationalization / justification stage.👇

Then today's bombshell dropped.
4/ Just last week, Defense Minister Robles was denying knowledge of the New Yorker after @RonanFarrow's reporting on the case.
5/ Now, 🇪🇸 Spain says: 2.6gb were exfiltrated from PM's phone in 1st intrusion, 130mb in second.

9mb from Minister Robles.

What was taken? Gov says they don't know.

By @mgonzalezelpais
elpais.com/espana/2022-05…
6/ Language from Spain* is interesting. They say #Pegasus hacking wasn't judicially authorized & was "external" / not officially done by state agencies.

OK, so who did this?

*pic: machine translation
7/ So many questions about 🇪🇸 Spain's #Pegasus revelations, like:

- Why announce today?
- What technical analysis backs their finds?
- When did they discover infections?
- What led to investigation?
- Are there other victims?
- Who else will be checked?
8/ 2.6gb, 130mb, 9mb. What could this data exfiltration contain?

Who knows. Ask Spain.

Some valuable things can be small (e.g. SMS databases & call logs).

Others, much larger.

Remember: #Pegasus can also steal cloud tokens. I wonder if Spain has checked account access logs?
9/ Investigating mercenary spyware like #Pegasus is hard.

Sometimes technical data & historic logs are incomplete.

A *comprehensive* investigation is needed to get a full picture.

Must include audits of all present/past Pegasus deployments in Spain & questioning all w/access.
10/ Spain has many questions to answer about today's revelations, *and* the Catalan case.

It's quite possible for a government to be both a victim in one #Pegasus incident, and the perpetrator in another.

The former doesn't justify the latter & shouldn't distract from it.
11/ UPDATE: a #Pegasus commission in Spain's congress was just vetoed.

Spain's #PegasusProblem is obviously serious. Clear answers are needed.

It sounds like🇪🇺 EU scrutiny is required.

*pic machine translated
By @javiercasqueiro
elpais.com/espana/2022-05…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with John Scott-Railton

John Scott-Railton Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jsrailton

John Scott-Railton Profile picture
May 2
The EU has a #PegasusProblem, and it's getting worse.

The cause? An out-of-control mercenary spyware industry.

The solution isn't technical. Vulnerabilities get patched. And then the industry just finds new ones.

The only way to break the cycle? Smart regulation. 1/
2/ It's hard to regulate specific cybersecurity technologies w/out side effects.

Like harming innovation, or punishing researchers.

The good news? The mercenary spyware industry isn't just a technology, it's a constellation of services designed to help governments hack.
3/ Think of NSO et. al. as providing a service. They build, disguise, & maintain infrastructures, & load them w/up-to-date exploits, ready to hack.

They also forward-deploy trainers & even engineers.

The intent is clear... Making this a target-rich environment for regulation.
Read 7 tweets
John Scott-Railton Profile picture
Apr 20
BREAKING: Aviram Azari pleads guilty in hacker-for-hire scheme!

Big one for us @citizenlab.

Case origin: our investigation into Indian hackers targeting US advocacy groups working on climate change & net neutrality.

Quick THREAD 1/

by @Bing_Chris
reuters.com/world/middle-e… Federal prosecutors say the...Image
2/ In 2020 ,we published results of a multi-year investigation into BellTrox, an Indian hack-for-hire operation.

They'd gone after a host of US nonprofits. One big cluster had all worked on #ExxonKnew campaign.

At targets request, we shared info w/DOJ.
citizenlab.ca/2020/06/dark-b… ImageImageImageImage
3/ Climate advocacy groups weren't the only targets!

Net neutrality advocacy was also in the crosshairs.

We connected BellTrox to a phishing operation reported on by @EFF that targeted @freepress & @fightfortheftr.

Report by @evacide & @cooperq.
eff.org/deeplinks/2017… Image
Read 6 tweets
John Scott-Railton Profile picture
Apr 18
BREAKING: we @citizenlab found signs of a #Pegasus spyware infection at the 🇬🇧Prime Minister's office, 10 Downing St.

We notified 🇬🇧.

We'd found other infections within the Gov.. THREAD 1/

Must-read by @RonanFarrow: newyorker.com/magazine/2022/…
2/ Meanwhile, we also found signs that multiple 🇬🇧 officials at the @FCDOGovUK had been infected with #Pegasus spyware.
3/ Many assumed that 🇬🇧's vaunted security apparatus could protect the government from the scourge of mercenary spyware like #Pegasus.

Wrong.

🇬🇧 got spectacularly burned.

So, which foreign governments might have hacked @10DowningStreet & @FCDOGovUK?
Read 5 tweets
John Scott-Railton Profile picture
Apr 18
🚨MAJOR NEW INVESTIGATION: #CatalanGate state-run hacking operation.

Stunning range of #Pegasus & #Candiru infections in the EU.

Many political & civil society targets got infected. Multiple 🇪🇺 MEPs.

THREAD 1/
catalonia.citizenlab.ca
2/ A jaw dropping list of people were targeted in #CatalanGate

Let's take the 🇪🇺 European Parliament.

*Every pro-independence MEP* was targeted directly or w/relational targeting:

-@toni_comin
-@DianaRibaGiner
-@jordisolef
-@ClaraPonsati
-@KRLS
3/ Catalan civil society was extensively targeted.

From the leadership of major civic organizations like @omnium & @assemblea_int...to open source developers working on digital voting.

Mostly #Pegasus, but #Candiru spyware, too.

Link: citizenlab.ca/2022/04/catala…
Read 16 tweets
John Scott-Railton Profile picture
Apr 5
Selection goes into what gets filmed & posted from #Ukraine. Somebody is always making choices.

This selection effect that biases what we see. But that's only the beginning. 1/
2/ Social media shows us more of what we like.

If we & people we follow prefer seeing destroyed Russian tanks & Ukrainian successes, we'll be shown more of them.

Like it or not, the algorithm designed to *not* give us a balanced, representative sample of material.
3/ The OSINT ecosystem is an inspiring force for truth & accountability.

But it doesn’t mean that we come away from our feeds with a balanced, realistic assessment of the direction of the whole war.

Analysis & analytical biases are hard.
Read 4 tweets
John Scott-Railton Profile picture
Apr 4
BREAKING: bodies in Bucha were visible in satellite imagery for weeks.

Directly rebuts Russia's claim that bodies only appeared after they left.

By @malachybrowne @bottidavid @heytherehaley
nytimes.com/2022/04/04/wor…
2/ Gaps in information during war are fertile soil for Russian dezinformatsia.

Part of what's so powerful about visual investigations & OSINT is that they accelerate truth & reduce the space Kremlin propagandists have to work with.
3/ Many OSINT techniques have genesis in past wars & crises. Some groups & visual investigations teams, too.

Yet there's a ton of exciting progress & maturing going on right now.

One key driver? Rapid hires satellite imagery like
@maxar's daily releases.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(