Polish election questioned after Pegasus spyware used to smear opposition, investigation finds

Cyber weapon

The capabilities of Pegasus went beyond highly intrusive surveillance, also giving attackers the ability to modify, upload and change filesm and manipulate messages stored on victims phones, the committee concluded, following a year-and-a-half-long investigation.

Messages obtained from some victims’ phones were found to have been manipulated and leaked to the Polish media in a bid to discredit them.

The report described Pegasus as a cyber weapon that was used in Poland to an “extremely aggressive degree”.

The deputy speaker of the Senate of Poland, Michal Kamiński, said huge amounts of money allocated to national security and defence were used to investigate the lives and views of opposition politicians and to influence the political process in Poland.

“This monstrous weapon was used not to protect citizens, but as our committee proved, it was used to persecute people who did not like the authorities,” he said.

The investigation followed a report by Associated Press in December 2021 that revealed a Polish senator’s phone had been hacked multiple times when he was running the opposition election campaign in 2019 against the ruling right wing Law and Justice party.

The University of Toronto’s non-profit Citizen Lab concluded that the senator, along with other opposition politicians, had been targeted by Pegasus spyware from the Israeli hacking tools firm NSO Group.

The committee heard evidence from Citizen Lab’s senior analyst, John Scott-Railton, and researcher, Bill Marczak, that Pegasus gave attackers unlimited access to iPhones and Android mobile devices without users being aware.

Commenting on the report, Scott-Railton wrote on X, formerly Twitter, that the spyware industry was damaging democracy. “In this critical time for the future of democracy, the out-of-control mercenary spyware industry is directly undermining our core shared values, security & human rights,” he commented.

The committee found that Pegasus is able to access emails and instant messages, track phone location, and access social networks, phone calls, apps, browser history and all files stored on infected devices.

The software can also allow attackers to install their own files, modify existing files, make phone calls, send messages, take photographs, turn on the device’s microphone, and acquire files, including deleted files.

“The person infecting a device with Pegasus gains virtually complete control over the device – with the ability to continuously control the device and modify the content stored in the device,” the report found.

Poland’s Ministry of Justice unlawfully provided Poland’s Central Anti-Corruption Bureau (CBA) with funds in 2017 to buy specialist technology to detect and prevent crime – a cover for buying Pegasus software, the Senate committee found.

Manipulated text messages

In one case investigated by the committee, files downloaded from the phone of senator Krzysztof Brejza were later manipulated and made public on Polish state television, in an attempt to discredit the senator.

Manipulated versions of SMS text messages, which swapped the identities of senders and recipients, and an alleged email composed of 19 old text messages sent by the senator were among the material made public.

A total of 500 items defaming the senator and his family were published during the 2019 election, the report found.

The senator’s wife told the committee: “It was decided to simply destroy our family, at every level. We have three children, who are still small but mature enough to understand perfectly what is happening around us. I can’t count how many times I had to calm down my crying children when they heard something about us on TV.” 

The committee found that the CBA had extracted 80,000 messages, along with a keychain containing passwords for 90 online services and websites, photographs, videos and the phone’s location.

As a result of the intrusion, a large number of opposition politicians and journalists who contacted the victim were also placed under surveillance, and the victim’s legal professional privilege was breached.

Victims of Pegasus surveillance were prominent people who were critical of the PiS government’s policy, people involved in business activities, and political opponents of the ruling party, the committee found.

The report quotes Andrzej Zoll, former president of the Constitutional Tribunal and ombudsman for citizens’ rights. “In the example of Pegasus, we are dealing with a process that is heading towards a police state, towards a state that uses means that do not serve to protect the good of the state, but only serve to secure the political position of a given formation that exercises power and wants to maintain this power,” he said.

Any use of Pegasus is illegal under Polish law, the committee found. It called for major improvements to the oversight of Poland’s security services.

Senator Wadim Tyszkiewicz said he was in no doubt that criminal activity had taken place and had been protected under the umbrella of the Law and Justice party. “I have no doubt the that 2019 elections were conducted using illegal methods and tools and should be annulled,” he said.