More than 200 Spanish mobile numbers were selected as possible targets for surveillance by an NSO Group client believed to be Morocco, according to the data leak at the heart of the Pegasus project.
Details of the scale of the apparent targeting came as Spain’s highest criminal court opened an investigation into how the mobile phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, came to be infected with Pegasus spyware last year.
The Spanish government has refused to speculate on who may have been behind the “illicit” and “external” attacks, the existence of which it revealed on Monday at a hastily called press conference.
The targeting of the prime minister is alleged to have taken place in May and June last year – a particularly turbulent time in Spanish politics. Not only was the Sánchez administration preparing its controversial and deeply divisive pardons of nine Catalan independence leaders jailed over their parts in the failed secession attempt in 2017, Spain was also engaged in a tense diplomatic row with Morocco.
The mobile number selections believed to have been made by Morocco occurred in 2019, according to time stamps in the data, which includes more than 50,000 numbers of individuals selected as possible surveillance targets by NSO clients around the world.
A Spanish mobile number belonging to Aminatou Haidar, a prominent human rights activist from Western Sahara, was included in the leaked database and found to have been targeted by Pegasus dating back to 2018, according to an analysis by Amnesty International. Traces of the Pegasus spyware, which is sold by the Israeli company NSO Group, were also found on a second phone belonging to Haidar as recently as November 2021.
A Spanish mobile number for the journalist Ignacio Cembrero – whose work is focused on the Maghreb – was also listed on the Pegasus project database.
The inclusion of more than 200 Spanish mobile numbers selected by a client believed to be Morocco does not indicate that every number was targeted or hacked. But it signals the client was apparently active in seeking out possible targets for surveillance within Spain.
NSO said the fact a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. NSO has also said the database had “no relevance” to the company.
Morocco previously denied spying on any foreign leaders using Pegasus, and has said reporters investigating NSO were “incapable of proving [the country had] any relationship” with NSO.
But an analysis of the leaked records showed Morocco appeared to have listed dozens of French officials as candidates for possible surveillance, including President Emmanuel Macron.
NSO has said its spyware is only sold to government clients for the purposes of investigating serious crime and terrorism. It has said it investigates legitimate allegations of abuse and strongly denied Pegasus was ever used to target Macron.
The attacks came to light as the Spanish government continued to face questions over how Pegasus was allegedly used to monitor dozens of members of the Catalan independence movement, including the president of the north-eastern Spanish region, Pere Aragonès, and three of his predecessors.
The pro-independence Catalan regional government has pointed the finger at Spain’s national intelligence centre (CNI), which insists its operations are overseen by the supreme court and that it acts “in full accordance with the legal system, and with absolute respect for the applicable laws”.
On Tuesday, a judge at Spain’s Audiencia Nacional announced the beginning of an inquiry into “a possible offence of the discovery and revelation of secrets” relating to the use of Pegasus to infect Sanchez’s and Robles’s devices.
Recent media reports suggest the phone of a third politician – the then Spanish foreign minister, Arancha González Laya – was also targeted with some kind of spyware in May last year.
The row between Spain and Morocco occurred after the Madrid government allowed Brahim Ghali, a Western Sahara independence leader, to be treated for Covid-19 in Spain.
Over the following days, as more than 8,000 people crossed from Morocco to Spain’s north African enclave of Ceuta, Rabat’s ambassador in Madrid appeared to draw a line between Ghali’s treatment and the influx of migrants, warning that some actions had consequences that “need to be assumed”.
At a weekly press conference in Madrid on Tuesday, the Spanish government’s spokesperson refused to comment on whether Morocco may have been behind the Pegasus attack, and on what effect such action could have on diplomatic relations.
“It’s a bit hypothetical to talk about what the consequences could be – if we’re able to find out where the attack came from,” said Isabel Rodríguez.
“But what we’re clear about is that this attack was external and illicit. Those are the certainties we can use to make decisions on at the moment.”
The government has ruled out any internal spying, adding the targeting must have come from abroad as any such monitoring in Spain would have required judicial authorisation.
Rodríguez said the government had nothing to hide and promised full collaboration with any judicial investigation, “including declassifying relevant documents should it prove necessary”.
On Tuesday, Sánchez’s Spanish Socialist Workers’ party (PSOE) joined the three parties on the Spanish right in vetoing a parliamentary inquiry into the Pegasus scandal.
A PSOE spokesperson said the mooted congressional committee was not needed as an internal investigation by Spain’s national intelligence centre was already under way, as was an inquiry by the public ombudsman.
The decision did not go down well with the PSOE’s junior coalition partners in the far-left, anti-austerity Unidas Podemos alliance, nor with the pro-independence Catalan Republican Left party (ERC) on whose support the minority government relies in parliament.
Gabriel Rufián, the ERC’s spokesperson, described the use of Pegasus as “a major scandal” and said it needed to be investigated.
The Pegasus project is an investigative collaboration involving 16 media partners including the Guardian, the Wire, the Washington Post and Le Monde, and is coordinated by the French non-profit Forbidden Stories.
