Powerful spyware linked to a United Arab Emirates operator – which could have allowed 24-hour surveillance of messages, photos and calls – was found on a device connected to Number 10’s network, it has been claimed.
The alarming cyber security breach is said to have occurred on 7 July 2020, almost a year into Boris Johnson’s time as Prime Minister.
According to researchers, the Israeli-created spyware known as Pegasus was also suspected to have infected phones connected to the Foreign Office on at least five occasions between July 2020 and June last year.
These were linked to operators in the UAE, India, Cyprus, and Jordan.
The infection of a Number 10 device was revealed by an investigative journalist working for the New Yorker magazine.
They reported that several phones were tested at Downing Street, including the PM’s, but that officials from Britain’s National Cyber Security Center were unable to locate the infected device and the nature of any data that may have been stolen was never determined.
‘When we found the No10 case, my jaw dropped,’ John Scott-Railton, a senior researcher at the Citizen Lab center at the Univestity of Toronto, told the magazine.
He claimed the UK had been ‘underestimating the threat from Pegasus’ and had been left ‘spectacularly burned’.
Bill Marczak, another senior researcher, added: ‘We suspect this included the exfiltration of data.’
Powerful spyware known as Pegasus was used to infect a device connected to the network at 10 Downing Street, it has been claimed
Boris Johnson visited the UAE last month in an attempt to encourage Middle Eastern states to ramp up their production of oil – as Western nations look to wean themselves off Russian supplies
Pegasus was developed by the Israeli company NSO Group and is known to have the capability to infect billions of phones running either iOS or Android operating systems.
Once Pegasus is on a person’s device, it can copy messages that are sent or received, harvest photos, record phone calls, or even secretly film the user through the phone’s camera, or record conversations by activating the microphone.
Israeli bug that secretly takes over your phone
Pegasus spyware gives hackers a terrifying level of access to a mobile phone without the victim having the faintest idea it has been hacked.
A malicious user can extract data including passwords, contacts, browsing history and social media posts, tell where the phone is, where it has been and whether it is on the move.
The hacker can also see incoming or outgoing calls and, perhaps most chillingly, access the device’s camera and microphone to take pictures or listen in on conversations remotely.
The creators of Pegasus – Israeli cyber intelligence company NSO Group Technologies – have long boasted that the spyware worked like a ‘ghost’, tracking the movements of targets without leaving a trace.
To avoid being spotted through racking up data charges on phone networks, the software transmits files only when the device is using Wifi.
When unable to do this, it collects and stores data in an encrypted software program – but is designed to never use more than 5 per cent of space on an infected phone.
It can be installed on some Apple and Android devices and is believed to have exploited three security weaknesses in iPhones. One method involves sending a text message that provides a link to a website. If clicked on, malicious software is delivered to the phone.
NSO Group has claimed it keeps strict control over how its powerful software is used. Its staff can shut it down at any time or look at the information being collected.
But insiders told Israeli newspaper Haaretz that oversight was ‘non-existent’. The newspaper also said that if an infected phone entered Israel, Iran, Russia, China or the US, Pegasus wiped its software from the device.
It could also potentially be used to pinpoint where someone is, where they’ve been, or who they’ve met.
Citizen Lab also found the suspected Foreign Office infections.
Ron Deibert, its director, wrote in an article on the lab’s website that because the Foreign Office has many staff overseas, the suspected infections could have related to ‘devices located abroad and using foreign SIM cards’.
I added this was ‘similar to the hacking of foreign phone numbers used by US State Department employees in Uganda in 2021’.
A government spokesperson said they do not routinely comment on security matters.
In November, the US added NSO Group to a trade blacklist and accused them of selling spyware to foreign governments that used the equipment to target government officials, journalists and others
At the time, the Israeli company said it was ‘dismayed’ by the decision and insisted its technologies ‘support US national security interests’
Following today’s claim that Pegasus was used to infect a Number 10 device and phones at the Foreign Office, an NSO Group spokesperson told MailOnline: ‘The information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.
‘NSO continues to be targeted by a number of politically motivated advocacy organisations, like Citizens Labs and Amnesty, to produce inaccurate and unsubstantiated reports based on vague and incomplete information.
‘We have repeatedly cooperated with governmental investigations, where credible allegations merit.’
A month earlier, in October 2021, the High Court in London found that the ruler of Dubai, Sheikh Mohammed Al Maktoum, ordered the hacking of the phone of his ex-wife, Princess Haya of Jordan.
The court said that Pegasus software was used in a bid to infiltrate the phones of Princess Haya, some of her staff and two of her solicitors.
NSO Group was said to have ended its contract with the UAE following the disclosure.
The timing of the revelation about spyware on a No10 device – associated with an operator linked to the UAE – comes little more than a month after Mr Johnson visited the region.
The PM used the trip to try and encourage both the UAE and Saudi Arabia to ramp up their production of oil as Western nations look to wean themselves off Russian supplies.
Pegasus was also suspected to have infected phones connected to the Foreign Office, which at the time was run by then-Foreign Secretary Dominic Raab, on at least five occasions between July 2020 and June last year
A government source said: ‘We speak regularly with partners and work closely with allies to tackle threats, improve resilience and raise any concerns where they arise.’
In April last year, the PM was at the center of another security scare after it was revealed his personal mobile phone number had been freely available on the internet for the past 15 years.
At the time, former national security adviser Lord Peter Ricketts warned that hostile foreign states or criminal gangs could have accessed the PM’s personal number.
Earlier this year, Mr Johnson blamed getting a new phone for his failure to disclose WhatsApp messages with a Conservative peer, in which they discussed the controversial funding of his Downing Street flat refurbishment.
The PM offered a ‘humble and sincere apology’ for not sharing the messages – in which he described his Downing Street residence as ‘a bit of a tip’ – with an investigation into the flat refurbishment being headed by Lord Geidt, his independent adviser on ministers’ interests.
In a letter to Lord Geidt in January, Mr Johnson said: ‘You appreciate the security issues faced at the time meant that I did not have access to my previous device and did not recall the message exchange.’