Cyber security

Pegasus Spyware Scandal Escalates, Raising Pressure On Polish Government

Analysis 19 January 2022
Pegasus Spyware Scandal Escalates, Raising Pressure On Polish Government

The Polish Central Anti-Corruption Bureau, CBA purchased the controversial Pegasus spyware in 2017 with money from a Ministry of Justice special fund, which is illegal in Poland, according to evidence presented on Tuesday during a Senate hearing into the use of the surveillance technology in the country.

Senator Krzysztof Kwiatkowski, the former head of Poland’s Supreme Audit Office presented a series of documents during the hearing which indicated that the Ministry of Justice paid 25 million zloty (about 5.5 million euros) from a victims’ support fund to the Central Anti-Corruption Bureau back in 2017, with the express purpose of purchasing technical equipment for combatting crime. Kwiatkowski said that the technology that was purchased as a result was the Pegasus software.

Kwiatkowski said that the Audit Office had already pointed out in 2018 that the expenditure was illegal according to Polish law, because such purchases by the CBA should come from the state budget and face proper parliamentary scrutiny.

Marcin Bosacki, the opposition senator heading Tuesday’s hearing, said the way the purchase was carried out indicates the governing Law and Justice, PiS party’s intention to keep the spyware secret.

“The CBA at the time functioned as the private secret services of PiS,” Bosacki said.

The evidence presented during the hearing indicated that high-level figures in the PiS government were coordinating the purchase of the spyware back in 2017.

Clients who buy the Pegasus software can use it to infect targets’ phones, access any information on the devices and even other devices linked to it, and turn the phone into a spying tool by controlling its camera and microphone.

What has been revealed so far about the identity of the targets in Poland has seemed to back up the allegation that the governing party used the spyware to serve its political goals.

In December 2021, Citizen Lab, a cybersecurity unit at the University of Toronto, Canada, named some of the targets of the Pegasus spyware in Poland. The names included prosecutor Ewa Wrzosek and high-profile lawyer Roman Giertych, both of whom have been critical of the PiS government, and opposition parliamentarian Krzysztof Brejza.

In the first part of the Senate hearing on Monday, Citizen Lab senior researcher John Scott-Railton said that the spyware targeting of Brejza, which took place in 2019, was “very complex” and “one of the most aggressive forms of attack” that Citizen Lab, which studies the use of Pegasus across the world, had seen.

Scott-Railton compared the use of Pegasus in Poland to surveillance methods deployed by the Russian state.

According to experts, Brejza’s phone was attacked 33 times in 2019, during a period when the politician was coordinating the electoral campaign of the biggest opposition force in Poland, the Civic Coalition.

Bosacki, the head of the Senate commission, said that one of the goals of the hearings was to determine whether the hacking of Brejza’s phone had an impact on the outcome of the 2019 parliamentary vote, adding that a country was no longer a democracy if secret services could determine the results of elections.

The Polish Senate, the upper house of parliament which is narrowly controlled by the opposition, established the commission after the PiS-controlled lower house, the Sejm, refused to investigate the matter earlier this month. A Sejm commission would have had more power, being able to force witnesses to appear and demand prosecutions.

Targets ‘include ruling party’s ex-spokesperson’

On Tuesday morning, Gazeta Wyborcza newspaper quoted an unnamed source involved in the purchase of Pegasus, who claimed that the first contract signed by the Polish authorities in 2017 for the purchase of spyware included 40 licences, which would allow 40 different people to be put under surveillance.

Gazeta Wyborcza’s source was formerly an employee of Matic Sp., the Polish firm which acted as an intermediary in the purchase of Pegasus by the CBA from the software’s Israeli producer, NSO Group.

According to Gazeta Wyborcza’s sources, the list of Pegasus targets includes several former PiS allies. The first to come under attack chronologically, said the sources, was Adam Hoffman, a former PiS parliamentarian and spokesman for the party, who later quit PiS, went into business and secured some contracts with state companies.

Other targets named by the newspaper are former influential PiS allies whose relationships with the governing party went sour over time.

In early January, following the Citizen Lab revelations and some initial ambiguity from PiS, party leader Jaroslaw Kaczynski admitted that the Polish government owned the spyware but denied using it to target the opposition.

“It would be unfortunate if Poland’s secret services were not equipped with such a surveillance tool,” Kaczynski told right-wing magazine Sieci.

“But I can only emphasise that the opposition’s stories that Pegasus was used for political purposes are nonsense,” he added.

“These findings are shocking but not surprising,” human rights groups Amnesty International, which confirmed the spying of Brejza using its own resources, said in a public statement January 7. “They raise serious concerns not only for politicians, but for the whole of Poland’s civil society in general, particularly given the context of the government’s record of persistently subverting human rights and the rule of law.”

“These revelations demonstrate yet again why there is an urgent need for a commitment from governments to stop any forms of surveillance that breaches human rights and the need for a global moratorium on the export, sale, transfer and use of surveillance equipment, until a robust human rights-compliant regulatory framework is in place,” Amnesty International urged.

Further hearings on the Pegasus issue are planned at the Senate, and a commission is expected to issue a report and recommendations, which could involve proposals for new legislative controls over the security services.

Balkan Insight