In the last weeks before the crucial 2019 parliamentary elections, a high-profile lawyer representing prominent Polish opposition members had his cellphone broken into. A prosecutor who was fighting the populist right-wing government’s attempts to purge the judiciary had her phone hacked two years later.
According to digital sleuths at the University of Toronto’s Citizen Lab internet watchdog, the invaders were military-grade spyware from NSO Group, an Israeli hack-for-hire firm that the US government recently blacklisted.
Citizen Lab was unable to determine who authorized the breaches, and NSO does not reveal its clients other than to declare that it only works with genuine government agencies that have been verified by Israel’s Defense Ministry. Both victims, though, believe that Poland’s increasingly illiberal government is to blame.
Stanislaw Zaryn, a spokesman for Poland’s state security, would not confirm or deny if the government authorized the intrusions or is an NSO customer.
Roman Giertych, a lawyer, and prosecutor Ewa Wrzosek, a prosecutor, have joined a growing list of government critics whose phones have been hacked using the company’s Pegasus program. The spyware converts a phone into an eavesdropping device, allowing its controllers to access everything from texts to contacts from afar. Mexican and Saudi journalists, British solicitors, Palestinian human rights activists, heads of state, and US diplomats stationed in Uganda have all been confirmed as victims.
However, news of the hacking in Poland is particularly noteworthy because it comes at a time when human rights organizations are calling for an EU-wide ban on spyware. The European Union’s 27-nation bloc has tightened spyware export rules, but critics argue that exploitation by EU member states must be handled immediately.
Citizen Lab has already found several infections in Poland dating back to November 2017, but it was unable to identify specific victims at the time. Hungary, like Poland, has been accused of anti-democratic acts and has been linked to the Pegasus malware. NSO is said to have customers in Germany and Spain, with Catalan separatists accusing Madrid of targeting them with Pegasus.
“Once you start aggressively targeting with Pegasus, you’ll join a fraternity of dictators and autocrats who use it against their enemies,” Citizen Lab senior researcher John-Scott Railton warned.
“The EU cannot legitimately condemn human rights atrocities in the rest of the world while turning a blind eye to concerns at home,” said Marietje Schaake of the Netherlands, who is currently the international cyber policy director at Stanford University.
The hacking targets in Poland saw it as proof of a dangerous decline of democracy in the country where Soviet hegemony began to crumble four decades ago.
A provincial prosecutor filed a motion seeking the arrest of Giertych, the lawyer, in a financial crimes probe just hours before Zaryn responded to emailed inquiries about the hack from reporters.
Zaryn refused to say whether the two incidents were connected. According to him, Poland only conducts surveillance after receiving court warrants.
“It is unfair to suggest that Polish services employ operational means for political struggle,” Zaryn stated.
NSO is a “software provider,” according to a spokeswoman on Monday. “The company does not control the technology, nor is the firm privy to who the targets are or the data acquired by the clients.” However, according to Citizen Lab and Amnesty International researchers, NSO appears to sustain the infection infrastructure.
The charges of Polish misuse of Pegasus, according to the corporate spokeswoman, are also unclear: “Using tools to investigate a person suspected of committing a crime in a democratic society lawfully and according to due process would not be deemed a misuse of such tools by any means.”
Pegasus was used to hack at least 10 lawyers, an opposition politician, and numerous journalists in Hungary, according to a global media consortium study released in July. Last month, a member of Hungary’s ruling party admitted that the government had purchased Pegasus licenses.
The independent Polish broadcaster TVN discovered proof that the government’s anti-corruption agency spent over $8 million on phone spyware in 2019. The report was disputed by the agency, but Prime Minister Mateusz Morawiecki was more evasive, adding that all would “be confirmed in due time.”
Giertych was hacked at least 18 times in the final four months of 2019, according to Citizen Lab. He was representing former Prime Minister Donald Tusk of the Civic Platform, who is now the leader of the major opposition party, and former Foreign Minister Radek Sikorski, who is now a member of the European Parliament.
“A feverish desire to monitor his conversations,” Scott-Railton said, citing the “jaw-droppingly aggressive” tempo and intensity of the targeting — day by day, even hour by hour. It was so relentless that Giertych decided to give up on the iPhone.
“I had this phone with me in my bedroom and when I went to confession.” “They completely scanned my life,” he explained.
The majority of the hacking occurred immediately before a legislative election on Oct. 13, 2019, in which Jaroslaw Kaczynski’s Law and Justice Party won by a razor-thin margin, severely eroding judicial independence and press freedom.
At the time, Giertych was also representing an Austrian developer who alleged that Kaczynski, Poland’s most influential politician, had cheated him out of a deal to build twin corporate skyscrapers in Warsaw. Because Polish law prohibits political parties from profiting, and the towers were to be erected on land held by Kaczynski’s party, the news of the transaction gone badly sparked a scandal.
Giertych also defended Sikorski in an unlawful wiretapping case in which the former foreign minister’s talks were recorded and made public; Sikorski claims the administration failed to investigate probable Kaczynski allies’ involvement. Last year, anti-corruption officials searched Giertych’s home and office in an unconstitutional manner that a Polish court ruled was symbolic of Poland’s government’s treatment of opposition lawyers in politically sensitive cases, according to the EU.
The regional prosecutor in Lublin filed a court order seeking Giertych’s arrest on Monday, claiming that the lawyer had refused to appear for questioning and appeared to be “deliberately avoiding justice.”
Giertych denounced this as ludicrous, claiming that the financial impropriety probe was fabricated and that it had already been dismissed by a Poznan court due to a lack of evidence. Prosecutors said he is suspected of laundering money for legal expenses he got a decade ago in a Warsaw property dispute case.
Citizen Lab said it was still looking into how Giertych’s phone got infected, but that it expected a “zero-click” vulnerability that doesn’t require user engagement. Wrzosek, they believe, was also hacked. From June 24 to August 19, Citizen Lab discovered six breaches on her phone.
Wrzosek ordered a probe last year into whether presidential elections should be postponed due to worries that they could endanger voters and election workers’ health. She was stripped of the case almost immediately and sent to the far-flung provincial city of Srem with only two days’ notice.
Wrzosek, who was hacked shortly after returning to Warsaw and began critical media appearances, said, “I didn’t even know where the city was and I had nowhere to reside there.”
When Apple sent out alerts last month to scores of iPhone users around the world targeted by NSO’s Pegasus, including 11 US State Department employees in Uganda, Wrzosek learned she’d been hacked — and tweeted about it. Apple referred to NSO as “amoral 21st-century mercenaries” in a lawsuit filed the same day. In 2019, Facebook filed a lawsuit against the Israeli company for allegedly hacking its widely used WhatsApp communication service.
Wrzosek has filed an official complaint but believes “the same services that tried to break into my phone will now be administering the proceedings, hunting for perpetrators,” and does not expect swift retribution.
