by capableweb 1517 days ago
Seems random developers were targeted as well as European Parliament members (and more):

> Jordi Baylina is the technology lead at Polygon, a popular decentralised Ethereum scaling platform. He is also an advisor on projects related to digital voting and decentralisation, and has built a widely-used privacy toolkit. He was extensively targeted with Pegasus, receiving at least 26 infection attempts. Ultimately, he was infected at least eight times between October 2019 and July 2020.

> Baylina received a text message masquerading as a boarding pass link for a Swiss International Air Lines flight he had purchased. Targeting in this case indicates that the Pegasus operator may have had access to Baylina’s Passenger Name Record (PNR) or other information collected from the carrier.

Scary stuff: not only can random text messages infect you (we knew this), but combined with harvesting other data (like PNR), they can time the exploit messages to other actions you take (like buying a flight ticket) and get you that way.

I was scared of receiving random text messages already, but it was easy to just ignore them as they have nothing to do with me. But if I buy a flight ticket and receive a text message that looks relevant to me, I'm not sure I'd be able to guess it was actually malicious. Scary stuff.

Edit: The more I read, the worse it gets:

> Another common mode of targeting was to masquerade as official notifications from Spanish government entities, including the Tax and Social Security authorities. The messages also used SMS Sender IDs to masquerade as official agency accounts.

> Notably, fake official messages were sometimes highly personalized. For example, a message sent to Jordi Baylina included a portion of his actual official tax identification number, suggesting that the Pegasus operator had access to this information.

Seems clear at this point that the official Spanish government was behind these attacks, or the official registries got hacked (together with various delivery companies). Both are bad, but that the signs are pointing to the former makes it even worse.

It seems that the Spanish government can't help giving more fuel to the fire that is the fight for Catalan independence. Who'd want to belong to a state that constantly suppresses and surveils you?


Yet another data point supporting the fact that the phone number people have for you should never be that of the sim card actually inside your phone.
Not sure how relevant that is against a nation state actor that’s willing to pull from airline passenger records.

All they’d have to do is get a few timed hits for your location and then look for a common IMEI at nearby towers.

And if you have a burner phone, they can just track which IMEIs tend to travel together.
> a nation state actor

I am a bit of a broken record on this point, but it's a state actor.

Spain comprises multiple nations, Catalonia being one of them.

‘Nation state’ is the appropriate term of art in the context of cyber security. The fact that a domestic service appears to be attacking an area that is seeking autonomy makes it more relevant.
Nowhere in its constitution is it defined like that; it’s not a confederation of nations but a parliamentary monarchy that respects regional cultural differences.
No official document, not even the Constitution, can be a final authority on what a nation is. That's just the official definition.

Many scholars, politicians, and citizens, even excluding people outside of the Overton window, describe Spain as containing several nations. At the very least Catalonia, the Basque Country / Euskal Herria, and Galicia are widely (but not unanimously) considered to have the historic, cultural, and social characteristics that would make them nations. The Spanish constitution is a document of compromise, born of a very special time in history; whatever it says about what Spain is, we don't have to accept it.

(Biases disclaimer: I'm Spanish, specifically Castilian; I don't support Catalonian independence, and I dislike all nationalisms; all nations are more like big balls of wibbly wobbly... nation-y wimey... stuff)

This piece of news doesn't yet show up in the Spanish newspapers I trust; I'm really curious to see if it makes the news. I'll be extremely concerned if, as I fear, it doesn't.

"Many people are saying that or this"

We are very misunderstood, for sure.

Getting upset about people confusing the difference between nation and state is like getting upset about people using hacker to mean computer criminal. That ship sailed a long time ago.

Also when you dive into what 'nation' really means, it starts hitting people's racism and 'X supremacy' instincts fairly quickly, so people use the word ethnicity or culture instead nowadays.

Only one of them controls the state, and that is and has always been Castilla.

This may be a technical forum, people can Google it up and do some deep research.

> Only one of them controls the state, and that is and has always been Castilla.

More BS. Are you saying that the Catalonian politicians in the government are spies from Castilla? Maybe disguised under evil twisted Castilian moustaches?

Please, let's be serious. I can see politicians from every corner of Spain in the government.

I'm not sure I understand. Let's say your SIM card has number X but you also use Google Voice number Y. If you buy flight tickets, you're probably going to give them number Y when you purchase your tickets. If a malicious state actor has access to the passenger flight manifests for the airline, it's pretty likely that they also have access to the other information you've given the airline, including the phone number and email you supplied the airline, so they'll also know that you gave them number Y in the checkout flow. What am I missing here?
> What am I missing here?

To my knowledge NSO software (and similar) target exploits in OS-specific applications (think default Messages app on iOS) rather than, e.g., Google Voice. That being said, I personally don't know if Google Voice and similar are special enough not to have their own exploits (spoiler: they probably aren't, and Google Voice in particular would be a very enticing target).

I'd expect there's more to it than that, though. I'm really not familiar with these exploits.

How do you do that?
Look into the Google Voice app. You can get a free US number that works with both SMS and calls. It routes calls through Google's VOIP I believe.

I use it as a burner for any website that requires a phone number. I figure it will be easy enough to change my burner phone number if it gets leaked to some shady DB.

And then you run into many services that outright refuse VOIP numbers, some of them fairly essential or near essential.
I don't use those services. I change the SIM card in my phone (and its direct number) several times per year; it would make use of those services impossible.
Last time I looked, you can't sign up and use Google and Google Voice without verifying that you're a real person via SMS.
But pretty much nowhere else in the world -- including Spain. So how is this practical for anyone outside of the US?
Substitute DIDww for Google Voice, then.
> Seems clear at this point that the official Spanish government was behind these attacks, or the official registries got hacked (together with various delivery companies). Both are bad, but that signs are pointing to the earlier makes it even worse.

Not arguing against your claim either way, but the SMS sender can be set to anything; it's a feature of the system for it to work. The "DNI" (Spanish identification number) can't be considered private information and isn't difficult to find.

The mix of having access to Pegasus, the PNR database, records from delivery services and more makes it clear that it's not a solo/individual hacker/group doing all of this; it would require extensive compromise of multiple organizations to get access to those kinds of things.
> Seems clear at this point that the official Spanish government was behind these attacks, or the official registries got hacked

There is a third alternative. An insider leaked it.

That's similar to the Spanish government being behind the attacks... Effectively, a member of the Spanish government used (misused) their official capacity to take action against Catalan officials.

Perhaps that's not the official stance of the government, but an organization is only a monolith with a single public position to the extent that they're able to enforce proper actions. The official Spanish government being publicly neutral but actually unable to ensure that their own members act in accord with this position and instead instigating extensive attacks is not that different from the official Spanish government being behind the attacks. Will the insider be punished sufficiently to deter others from following in their footsteps?

"Insiders" are a very broad set of people, including low-level bureaucrats, and motivations can include profit.

To pick one of the more likely scenarios: if a government worker sold a database on the open (criminal) market, there's no meaningful sense in which "the Spanish government is behind this".

They could be using such a database; in that case they would be involved.
Update: After a few days, it is clear now that it was the intelligence agency (CNI) of the Spanish Government.
You mean a whistleblower?