The first incident was the hacking into the phone of a high-profile lawyer who represents top Polish opposition figures took place in the final weeks of the 2019 parliamentary elections in Poland. The second took place in 2021 when a prosecutor defying populist right-wing attempted to remove the judiciary had her smartphone hacked.

In both instances, Pegasus, the NSO military-grade spyware capable of remote zero-click surveillance of smartphones, was the perpetrator, according to investigators of the University of Toronto-based Citizen Lab internet watchdog.

“Once you start aggressively targeting with Pegasus, you’ll join a fraternity of dictators and autocrats who use it against their enemies and that certainly has no place in the EU,” said senior researcher John-Scott Railton of Citizen Lab.

Who ordered the hacks could not be identified and NSO claims it works only with legitimate government agencies. However, both victims held the Polish government responsible.

A Polish government spokesperson, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.

Lawyer Roman Giertych and prosecutor Ewa Wrzosek join the Pegasus victim list of government critics whose phones have been hacked using NSO’s spyware. 

What is Pegasus?

According to an investigation led by The Washington Post and 16 media partners that were published on July 18, Pegasus is military-grade spyware leased by NSO to governments who used it in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, and business executives.

Smartphones infected with Israeli spyware would become pocket-spying devices, allowing the user to read the target's messages, look through their photos, track their location, and even turn on their camera without their knowledge.

The investigation discovered that 37 targeted smartphones were found on a list of more than 50,000 numbers concentrated in countries known to engage in citizen surveillance and also known to have been clients of NSO Group.

Victims of Pegasus

Confirmed victims have included Mexican and Saudi [opposition] journalists, British attorneys, Palestinian human rights activists, heads of state, and Uganda-based US diplomats.

In a recently disclosed attack, a UN-backed investigator's mobile phone was hacked during his investigation into possible war crimes in Yemen, forensic analysis of the device has revealed.

The targeting seems to have taken place weeks before Jendoubi's panel released a report that concluded that the Saudi-led coalition in Yemen had committed “serious violations of international humanitarian law” that could lead to “criminal responsibility for war crimes."

The expert's number was on the leaked database of the Pegasus Project, which was an investigation into NSO by media outlets, which was coordinated by the French non-profit group Forbidden Stories.

Read More: Bin Salman’s “Cyberweapon”: Not Only Against Saudis

The hacking incidents in Poland come amid calls by rights groups for the EU to ban the spyware. The 27-nation European Union has tightened export restrictions on spyware, but critics complain that abuse of it by EU member states urgently needs to be addressed.

In this context, former EU parliament member Marietje Schaake of the Netherlands, now international cyber policy director at Stanford University, said: “The EU cannot credibly condemn human rights violations in the rest of the world while turning a blind eye to problems at home.”

An NSO spokesman said Monday that the company is a “software provider, the company does not operate the technology nor is the company privy to who the targets are and to the data collected by the customers.” However, Citizen Lab and Amnesty International researchers say that NSO appears to maintain the infection infrastructure.

Citizen Lab concluded that in the last four months of 2019, Giertych was hacked at least 18 times. At the time, he was representing former Prime Minister Donald Tusk of Civic Platform, now head of the largest opposition party, and former Foreign Minister Radek Sikorski, now a European Parliament member.

Citizen Lab was still investigating how Giertych’s phone was infected but said it expects a “zero-click” vulnerability, which wouldn’t involve user interaction. 

The investigative website believes Wrzosek was similarly hacked, having identified six intrusions on her phone from June 24-August 19.

Last year, Wrzosek ordered an investigation into whether presidential elections should be postponed over concerns they could threaten the health of voters and election workers. Almost immediately, she was stripped of the case and transferred to the distant provincial city of Srem with two days’ notice.

“I didn’t even know where the city was and I had nowhere to live there,” said Wrzosek, who was hacked shortly after returning to Warsaw and resuming media appearances critical of the government.

Wrzosek has filed an official complaint but doesn’t expect prompt accountability, believing “the same services that tried to break into my phone will now be conducting the proceedings, looking for perpetrators.”