Amnesty International has independently confirmed that a powerful spyware from the Israeli surveillance software maker NSO Group was used to hack a Polish senator multiple times in 2019 when he was running the opposition’s parliamentary election campaign.
The Associated Press (AP) reported last month that Citizen Lab, an internet watchdog group at the University of Toronto, found that the senator, Krzysztof Brejza, and two other Polish government critics were hacked with NSO’s Pegasus spyware.
Dozens of high-profile cases of Pegasus abuse have been uncovered since 2015, many by a global media consortium last year, with the NSO Group malware employed to eavesdrop on journalists, politicians, diplomats, lawyers and human rights activists from the Middle East to Mexico.
The Polish hacks are considered particularly shocking because they occurred not in a repressive autocracy but a European Union member state.
The revelations have rocked Poland, drawing comparisons to the 1970s Watergate scandal in the United States and eliciting calls for an investigation and accountability. Although neither Citizen Lab nor Amnesty International determined who was behind the hacks, the victims all blame Poland’s right-wing ruling party, Law and Justice.
Law and Justice leaders have denied knowledge of the hacks and at times mocked the reported findings while refusing to open an investigation.
NSO Group does not identify its customers but says it only sells Pegasus to governments to fight terrorism and other serious crimes. The spyware allows its operators to vacuum up everything from instant messages and contacts to photos and to turn microphones and cameras into real-time spy tools.
Polish Prime Minister Mateusz Morawiecki has called the Citizen Lab-AP findings “fake news” and suggested a foreign intelligence service could have done the spying – an idea dismissed by critics who say no other government would have any interest in the three Polish targets.
According to John Scott-Railton, a senior researcher at Citizen Lab, an investigation should occur.
"If (Polish government leaders) really believe this could be the action of a foreign service, it would be the height of irresponsibility not to investigate," Scott-Railton said.
The senator's mobile phone was hacked with Pegasus 33 times in 2019, mostly while Brejza ran the opposition’s campaign to unseat the Law and Justice-led government, Citizen Lab determined last month.
Text messages stolen from Brejza's phone were doctored and aired by state-controlled TV as part of a smear campaign in the heat of the race, which the populist ruling party went on to narrowly win. Brejza has compared the actions to the tactics used in Russia against Kremlin critic and opposition leader Alexei Navalny.
Donncha Ó Cearbhaill, an expert with Amnesty International’s Security Lab, confirmed Citizen Lab’s finding after receiving raw backups of Brejza's phone from the Canadian researchers. Amnesty uses independently developed tools and methods for its forensic analysis.
Brejza told the AP he thinks the real victims of the hacking are Polish voters who were "deceived" by Law and Justice and "deprived of the right to fair elections".
The other two Polish targets confirmed by Citizen Lab were Roman Giertych, a lawyer who represents opposition politicians in a number of politically sensitive cases, and Ewa Wrzosek, an independent-minded prosecutor.
Wrzosek formally asked the District Prosecutor's Office in Warsaw last month to investigate the hacking of her phone. The office refused, justifying its decision by saying that Wrzosek refused to hand over her phone.
According to Wrzosek, she did not relinquish the phone because she doesn't trust the prosecutor's office and wanted to participate in the evaluation of the device.
"This is my right according to the law," Wrzosek told the AP.
In November, Israeli financial newspaper Calcalist reported that the country's Defense Ministry had significantly cut the list of countries to which Israeli-produced spyware could be exported. The newspaper did not say that Poland was one of the nations removed from the list, but it was not among the approved countries noted in the report.
Hungary, another European Union member where NSO Group’s Pegasus is confirmed to have been used against non-criminals, did not appear on the shortened list.
The Israeli Defense Ministry addressed the Calcalist report, calling it "inaccurate", without elaborating.