Boris Johnson has been told his Downing Street office has been targeted with “multiple” suspected infections using Pegasus, the sophisticated hacking software that can turn a phone into a remote listening device, it was claimed on Monday.
A report released by Citizen Lab at the University of Toronto said the United Arab Emirates was suspected of orchestrating spyware attacks on No 10 in 2020 and 2021.
Pegasus is the hacking software – or spyware – developed, marketed and licensed to governments around the world by the Israeli firm NSO Group. It has the capability to infect phones running either iOS or Android operating systems.
Citizen Lab added there had also been suspected attacks on the Foreign Office over the same two years that were also associated with Pegasus operators linked to the UAE – as well as India, Cyprus and Jordan.
The researchers, considered among the world’s leading experts in detecting digital attacks, announced they had taken the rare step of notifying Whitehall of the attack as it “believes that our actions can reduce harm”.
However, they were not able to identify the specific individuals within No 10 and the Foreign Office who are suspected of having been hacked.
The allegations will raise significant questions about a possible national security breach at the highest levels of the British government.
The Pegasus project, a collaborative investigation into NSO that included the Guardian, the Wire, Le Monde and the Washington Post, revealed dozens of cases last year in which NSO’s Pegasus was used by government clients, from Saudi Arabia to Mexico, to target dissidents and journalists. The work was among the recipients of the prestigious 2021 George Polk awards in journalism.
NSO is regulated by the Israeli defence ministry and sells Pegasus spyware to governments around the world. When it is successfully deployed against a target, Pegasus can infect any phone. It can intercept phone calls, view photographs, track an individual’s location and turn a phone into a remote listening device.
Coincidentally:
No phone messages sent by Boris Johnson before April 2021 are available for scrutiny because of a previous security breach, the government has admitted.
It emerged as part of a court hearing during which campaign groups claimed there were “many instances” of government decisions made over phone messaging services being unlawfully deleted.
All the Citizens and the Good Law Project have alleged that ministers are breaching the law by failing to follow policies by deleting messages and using private accounts for government business.
On Tuesday, the High Court heard that Mr Johnson was among the ministers to have used personal WhatsApp accounts as a tool to communicate “critical decisions”.
But Sarah Harrison – chief operating officer for the Cabinet Office – said Mr Johnson’s historic messages were not recoverable because of a security breach last spring.
In a witness statement, Ms Harrison said: “In April 2021, in light of a well-publicised security breach, the prime minister implemented security advice relating to a mobile device. The effect was that historic messages were no longer available to search and the phone is not active.”
It marks the first time that the government has admitted that none of the messages sent prior to the change of phone are available to be looked at.
The prime minister was forced to change his mobile number in April last year after his longstanding number was found to have been in the public domain for 15 years.
In January, Mr Johnson blamed a new mobile phone number for his failure to provide his own ethics advisor with WhatsApp messages crucial to the investigation into his lavish Downing Street flat refurbishment.
BJ’s careless attitude extends to every aspect of his life … 