Cyber Incident Victim: European Commission
Date:
Feb 2021
Location:
Belgium
Summary
Senior European Commission officials, including the Justice Commissioner, were targeted with Israeli-developed spyware such as NSO Group's ForcedEntry or a similar tool from QuaDream, following alerts from Apple about state-sponsored attacks on their iPhones. The Commission initiated internal investigations after the warnings, though forensic examinations yielded inconclusive results regarding device compromise. The incident prompted broader EU scrutiny, leading to the establishment of a parliamentary committee to investigate surveillance software misuse across member states, amid prior reports of spyware targeting opposition figures in Poland and critics in Hungary. NSO Group denied involvement, while experts emphasized the Commission's high-profile status as a potential espionage target.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In 2021, senior European Commission officials, including Justice Commissioner Didier Reynders and at least four other staff members, were targeted with advanced spyware developed by Israeli surveillance firms. The targeting occurred between February and September 2021 using ForcedEntry, a tool capable of remotely compromising iPhones without user interaction. This software was linked to NSO Group and QuaDream, both known suppliers of cyber-surveillance tools to government clients. The European Commission became aware of the incidents in November 2021 when Apple issued mass notifications to thousands of iPhone users worldwide, including Commission personnel, warning of "state-sponsored attacker" targeting. These alerts prompted immediate concern within the Commission's technical teams, with a senior staffer emailing colleagues on November 26 to provide background on Israeli hacking tools and urging vigilance for additional warnings. IT experts conducted forensic examinations on some affected devices but yielded inconclusive results regarding successful compromise. Reuters confirmed the targeting through documentation and two anonymous EU officials, though investigators could not determine the perpetrator, operational success, or potential data exfiltration.
The incident occurred amid growing scrutiny of commercial spyware vendors across the EU. In response to the revelations, the European Parliament announced plans to establish a committee of inquiry on April 19, 2022, to investigate surveillance software use in member states. This parliamentary action followed prior reports of spyware deployments against political opposition figures in Poland and critics in Hungary. NSO Group denied involvement in the Commission targeting, asserting its tools couldn't enable such attacks, while QuaDream did not respond to inquiries. The U.S. government had recently blacklisted NSO over alleged human rights abuses, and multiple lawsuits were pending against the company. EU lawmaker Sophie in 't Veld, who spearheaded the investigative committee, described the Commission targeting as "dynamite" and emphasized the need for thorough investigation. The European Commission declined official comment on the incident, and targeted officials including Reynders did not respond to requests for statements. Security analysts noted the EU's high-profile status makes it a frequent espionage target, with Brussels serving as a hub for intelligence operations.