Cyber Incident Victim: Spains Prime Minister Pedro Sanchez and Defense Minister Margarita Robles
Date:
May 2021
Location:
Spain
Summary
Spyware developed by NSO Group infected mobile devices used by Spain's Prime Minister and Defense Minister, resulting in unauthorized data extraction from their phones. The breach, described as illegal and external, prompted government investigations amid broader concerns over Pegasus spyware's misuse against politicians, journalists, and activists. NSO Group stated it had no knowledge of the incident but emphasized cooperation with investigations, while international scrutiny highlighted the tool's role in enabling transnational repression and surveillance abuses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May and June 2021, mobile phones belonging to Spanish Prime Minister Pedro Sánchez and Defense Minister Margarita Robles were infected with Pegasus spyware developed by Israel’s NSO Group. The intrusion into Sánchez’s device occurred in May 2021, while Robles’ phone was compromised the following month. Félix Bolaños, Spain’s minister for the presidency, disclosed these incidents during a press conference on May 2, 2022, confirming that attackers successfully extracted data from both devices. Bolaños characterized the breaches as “illegal and external” operations conducted without governmental authorization, emphasizing their origin as “alien” to Spain’s institutions. Pegasus spyware grants comprehensive access to a device’s communications, media, cameras, and microphones, enabling extensive surveillance of targets. NSO Group responded that it was unfamiliar with the case but stated monitoring politicians would constitute misuse of its technology, reiterating that it only supplies software to governments and does not operate surveillance systems or access collected data. The company noted it investigates misuse allegations and cooperates with official inquiries.
The incident triggered a national investigation led by Spain’s high court and occurred amid broader international scrutiny of Pegasus. The U.S. Department of Commerce had blacklisted NSO Group in November 2021 for enabling transnational repression by authoritarian regimes targeting dissidents and journalists beyond their borders. Earlier in April 2022, Citizen Lab reported 63 Pegasus infections among 65 cases targeting European Parliament members, Catalan officials, and civil society figures, including Catalan president Pere Aragonès, who condemned the surveillance as an attack on democratic rights. The European Parliament established a committee in March 2022 to investigate Pegasus use in EU member states like Poland and Hungary. Spanish authorities did not initially confirm whether additional government devices were compromised but committed to a judicial review of the breaches’ scope and perpetrators. The disclosure highlighted persistent risks of mercenary spyware targeting high-level government personnel despite vendor claims of lawful use.