Boris Johnson needs to “pay close attention” to basic cybersecurity rules, a former national security adviser said after it emerged that the United Arab Emirates had been accused of hacking a mobile phone on Downing Street.
Peter Ricketts, who held the post between 2010 and 2012, said the cyberattack showed that NSO Group’s “commercially made” Pegasus software allowed a “wide range of actors” to engage in complex espionage.
Anyone with access to classified information should be aware of the rapidly changing risk, added the colleague, including the prime minister, who was forced to change his mobile number last year after it turned out to be available online.
“It is vital that anyone who has access to sensitive materials before and including the prime minister pays close attention to basic cybersecurity rules, including their phone numbers,” Ricketts said.
Johnson was forced to change his cell phone abruptly last spring after his number turned out to be available online for 15 years. It was published in a press release of the think tank since 2006 and has never been deleted.
Pegasus is sophisticated software made by the Israeli company NSO Group that can secretly take control of a person’s mobile phone, take and copy data from it, and even turn it into a remote listening device without his permission. But to be effective, he must be given a phone number to target.
The NSO Group said the allegations were “false and misleading” and the company denied involvement. “For technological, contractual and legal reasons, the allegations described are impossible and have nothing to do with NSO products,” the company said.
On Monday, the Citizen Lab, a group of technology researchers based at the University of Toronto, said it had uncovered evidence of “numerous suspected cases of Pegasus spyware infections” on official UK networks, including Downing Street and the State Department. .
Using digital forensic techniques developed over several years, the researchers said they concluded that the Downing Street attack was “related to a Pegasus operator we are linking to the UAE” and took place on July 7, 2020.
There is no conclusive evidence as to why the UAE may have wanted to head to Downing Street on that date. However, a day earlier, the British government announced a set of economic sanctions against 20 Saudi nationals accused of involvement in the murder of journalist Jamal Hashoghi, plus people from Russia, Myanmar and North Korea. The neighboring UAE is a close ally of Saudi Arabia.
UAE Ambassador to London Mansour Abulhul has denied reports that the UAE may have used spyware to hack into either Downing Street or the Foreign Office.
He said: “These reports are completely unfounded and we reject them. The United Kingdom is one of the UAE’s closest and dearest allies, and we would never do such a thing to them.
He added that he was shocked that allegations had even been made, citing recent improvements in relations between the two countries, including a growing economic partnership.
The denial reflects the importance the UAE attaches to the relationship and the potential damage the accusation of espionage could cause if given credence.
A Citizen Lab researcher told the New Yorker, which first reported the story, that it believed some data may have been stolen from Downing Street by hackers. But the research team said it could not identify whether Johnson’s own phone or that of another designated employee had been targeted.
The foreign ministry declined to discuss the story, saying: “We do not routinely comment on security issues.” But Citizen Lab said it had warned the United Kingdom that National Cybersecurity Center officials were believed to have tested several phones but failed to find out who had been compromised.
Pegasus is being sold to governments for counter-terrorism or national security purposes, but there have been repeated allegations that it was used to spy on opposition politicians, human rights defenders and journalists from at least 10 countries, including the UAE and Saudi Arabia.
Three civil society activists in the UK are in the process of suing the NSO Group, the UAE and Saudi Arabia, following an investigation by the Guardian and others, which showed that more than 400 phone numbers have been selected for potential targeting.
Last year, the Supreme Court and the Court of Appeals also ruled that Sheikh Mohammed bin Rashid al-Maktoum’s “servants or agents”, the vice president and prime minister of the United Arab Emirates, were involved in “monitoring the six phones” in Britain – including his former his sixth wife, Princess Haya, with whom he was embroiled in a bitter divorce case, and her lawyer, Fiona Shackleton.
After the episode opened in August 2020, the NSO Group is believed to have rewritten its software to prevent Pegasus from targeting the UK number.
Add Comment