Mobile devices in Downing Street and the UK Foreign Office have been targeted with Pegasus spyware in a high-profile cyberattack.

Investigate group The Citizen Lab claims the United Arab Emirates (UAE) is behind the hack on Number 10. It says it informed officials that suspected Pegasus spyware was discovered in 2020 and 2021.

UK Prime Minister Boris Johnson’s mobile phone is among those tested for spyware. The National Cyber Security Centre (NCSC) was also reportedly searching for infected smart devices.

10 Downing Street

The Pegasus spyware is sold by NSO Group to governments to carry out surveillance through infecting phones with malicious software.

Now, three of the UK-based civil society leaders and human rights activists targeted by the spyware have started legal action.

London-based law firm Bindmans led a six-month investigation in partnership with the Global Legal Action Network (GLAN). The claimants are looking to sue both NSO Group and the states that allegedly used the Pegasus spyware against them.

Victims

Anas Altikriti is founder and CEO of The Cordoba Foundation, a prominent political advisor, commentator and hostage negotiator. It is alleged that he was hacked using the Pegasus spyware in 2020 by the UAE.

Mohammed Kozbar is the chairman of the Finsbury Park Mosque in London. He allegedly fell victim to the Pegasus spyware in 2018 by the UAE.

Meanwhile, Yahya Assiri is the former Secretary General of the National Assembly Party (NAAS), a pro-democracy opposition party in Saudi Arabia. He is also the founder of ALQST for Human Rights, an NGO that tackles human rights violations in Saudi Arabia. It is alleged he was hacked using the Pegasus spyware in 2020 by Saudi Arabia.

Siobhán Allen is legal officer with GLAN and consultant solicitor with Bindmans.

Bindmans’ Siobhan Allen

“The use of Pegasus spyware against these human rights defenders has made their work even more dangerous. It is important to pursue judicial recognition that this should not have happened,” said Allen.

Bindmans said NSO has formally responded to the pre-action letters, but there has been no response to date from either the UAE or Saudi Arabia.

‘Government Isn’t Safe from Attack’

SANS Institute’s John Davis

John Davis is director, UK & Ireland, SANS Institute, EMEA. He said that spyware like Pegasus has seemingly simple attack vectors, but the outcomes can cause serious damage.

“Downing Street falling foul of targeted hacking software reminds us that even the government isn’t safe from such cyber assaults,” he said.