This is how the phones belonging to two prominent Catalan doctors were hacked with Pegasus spyware

  • Dr Elías Campo can't believe that Spain was both giving him the highest research award and spying on him as part of Catalangate

Josep Casulleras Nualart
30.04.2022 - 13:05
Updated: 13.06.2022 - 10:12

On 17 May 2021, Spain’s King Felipe presented Dr Elías Campo Güerri, a professor of Pathology at the University of Barcelona, with Spain’s National Research Award for medicine for his pioneering work on lymphoid neoplasms and the impact of his research into their diagnosis and treatment. Dr Campo is a leading international figure in his field. As he was handed the award, little did Dr Campo know that 18 months earlier his mobile phone had been hacked using the Pegasus spyware. Unbeknown to him, the same Spanish State that was presenting him with an award had also been snooping on him shortly before. And it was his work phone from Barcelona’s Hospital Clínic that had been bugged.

He wasn’t alone in being a victim of this attack. Dr Campo’s wife, Maria Cinta Cid Xutglà, also a physician at the Hospital Clínic, a professor at the University of Barcelona and an acclaimed expert on autoimmune diseases, also had her privacy violated. Both of them had their phones hacked with the Pegasus spyware as a means to access the spooks’ real target: their son, Elies Campo Cid. Elies Campo is a young Catalan entrepreneur and a former WhatsApp and Telegram employee who currently works for the Citizen Lab, a research institute based at the University of Toronto. The Citizen Lab recently blew the lid off of Catalangate, the case of mass espionage against individuals associated with the Catalan independence movement. The case has come to light largely thanks to Elies Campo Cid, who is a pro-independence activist and, as such, a victim of Spanish espionage, as well as a leading investigator in this case.

According to the Citizen Lab, Elies Campo’s computer was hacked in December 2019, presumably as a result of his work as an advisor to the digital voting platform Vocdoni, which was used by Catalan grassroots group Òmnium Cultural for its in-house elections. Elies Campo’s case is unique since he works in the United States and, therefore, has an American mobile phone. Since the NSO Group —the creators of Pegasus— is banned from infecting such devices, the hackers decided to try an alternative route: infecting Campo’s phone with a malware called Devil’s Tongue, developed by Candiru, another Israeli company founded by former NSO employees, which does not have such a restriction.

On 5 December 2019, Elies Campo received an email claiming to be from the Barcelona Mercantile Registry, containing information about a company that Mr Campo managed. According to the email, another company with a similar name to Campo’s had been registered in Panama. The email, which revealed a detailed knowledge of Campo’s affairs, was in fact a ruse in order to infect his computer with Devil’s Tongue. However, it failed as Campo did not click on the link enclosed. Nevertheless, the would-be hackers did not give up, hatching an alternative plan that involved Campo’s parents, Dr Elías Campo Güerri and Dr Maria Cinta Cid Xutglà.

Confidential information about patients
A few weeks after receiving the infected e-mail, Elies Campo Cid travelled from the US to Catalonia to spend the Christmas holidays with his parents. This was when the decision was made to infect his parents’ mobile phones with the Pegasus spyware. The Citizen Lab has documented numerous instances in which the devices of family members, friends, and associates of the person who is the target of the espionage have been infected as a means to gain access to information. Once a device is infected, Pegasus’ users can not only access the phone’s content and apps and track the user’s movements, but also turn on the device’s camera and microphone at will, even when the phone isn’t in use, thereby recording the conversations of everyone in the vicinity.

This particular case is significant for a number of reasons. Aside from invading the doctors’ privacy and intercepting their private communications without a court order, the spies also had unlimited access to confidential, sensitive information about their patients. According to the Citizen Lab, Dr Elías Campo Güerri’s work phone was infected, something he was completely unaware of until a little over a week ago. Having worked on the vast Catalangate investigation with the Citizen Lab for almost two years, Dr Campo’s son suspected they might have tried to infect his parents’ phones as an alternative means to spy on him, following their failed attempt earlier.

Acting on a hunch, Elies Campo decided to check his parents’ phones last week. He discovered that they had been infected during the 2019 Christmas holidays, which the family had spent together. John Scott-Railton, a senior researcher at the Citizen Lab, told Campo: “You won’t believe this, but your mother is patient zero of a previously unseen exploit.” Dr Cid told VilaWeb how she reacted when she found out: “I thought it was extremely serious, that no one should interfere with my privacy. In our case, as with the lawyers involved, it’s particularly serious. All cases are, but we handle confidential information about our patients.”

To give a sense of the seriousness of the hacking: “I use my personal phone to communicate with my colleagues on chats where we discuss our patients’ cases. And I have access to corporate email on my device. Since the server which hosts our corporate mail supposedly guarantees us confidentiality, we are able to refer to our patients by name, and not just with their medical record numbers. In addition, I also have photos, including photos of myself, on my phone. I underwent treatment for cancer, and I took pictures, as a lot of people do, when I didn’t have hair, when my hair fell out, of my breasts before and after the operation. These photos are of an extremely private nature. Which is why I think this is incredibly serious.”

Zero-click vulnerability
Dr Cid’s phone was hacked eight times: on 17, 19, 23, 28 and 30 December 2019, and on 3, 5, and 9 January 2020. They chose extremely specific times to hack her device, presumably when the hackers thought they would be most likely to eavesdrop on conversations between Mr Campo and his parents. This is not all that the Citizen Lab researchers found on Dr Cid’s phone, however. For the first time ever, they detected a zero-click vulnerability, meaning that there is no need for the victim to tap on a link in order for malicious software to be installed on their device. On this occasion, Pegasus attacked the iMessage app and the iOS web browsing engine.

“It’s a violation of the private life and privacy of many of my associates. It is an intolerable invasion of privacy.” Dr Cid added that “my husband’s case is even more serious, as his phone is a business device belonging to Hospital Clínic, where he holds a management position”. According to the Citizen Lab’s investigation, Dr Elías Campo Güerri’s mobile phone was infected on or around 18 December 2019.

Cid says they currently have no plans to take legal action, since they simply do not have the necessary time and resources it would require. Nevertheless, they would back any legal proceedings brought by the University of Barcelona, the Board of Physicians or Hospital Clínic “because it’s something that goes beyond our personal situation, it’s a corporate case. If someone wished to file a complaint, we would support them.” So far none of the three institutions have issued a statement on the matter.

In an interview with The New Yorker, Elies Campo Cid, the target of espionage in December 2019, summed up his reaction on recently finding out that his parents had fallen victim to Pegasus spyware. “From that moment on, the idea that anyone could be at risk of Pegasus was no longer just an idea: my parents were sitting right in front of me.”

