WARSAW, Poland — Polish Sen. Krzysztof Brejza’s mobile phone was hacked with sophisticated spyware nearly three dozen times in 2019 when he was running the opposition’s campaign against the right-wing populist government in parliamentary elections, an internet watchdog found.
Text messages stolen from Brejza’s phone — then doctored in a smear campaign — were aired by state-controlled TV in the heat of that race, which the ruling party narrowly won. With the hacking revelation, Brejza now questions whether the election was fair.
It’s the third finding by the University of Toronto’s nonprofit Citizen Lab that a Polish opposition figure was hacked with Pegasus spyware from the Israeli hacking tools firm NSO Group. Brejza’s phone was digitally broken in to 33 times from April 26, 2019, to Oct. 23, 2019, said Citizen Lab researchers, who have been tracking government abuses of NSO malware for years.
The other two hacks were identified earlier this week after a joint Citizen Lab-Associated Press investigation. All three victims blame Poland’s government, which has refused to confirm or deny whether it ordered the hacks or is a client of NSO Group. State security services spokesman Stanislaw Zaryn insisted Thursday that the government does not wiretap illegally and obtains court orders in “justified cases.” He said any suggestions the Polish government surveils for political ends were false.
NSO, which was blacklisted by the U.S. government last month, says it only sells its spyware to legitimate government law enforcement and intelligence agencies vetted by Israel’s Defense Ministry for use against terrorists and criminals. It does not name its clients and would not say if Poland is among them.
Citizen Lab said it believes NSO keeps logs of intrusions so an investigation could determine who was behind the Polish hacks.
In response to the revelations, European Union lawmakers said they would hasten efforts to investigate allegations that member nations such as Poland have abused Pegasus spyware.
The other two Polish victims are Ewa Wrzosek, an outspoken prosecutor fighting the increasingly hardline government’s undermining of judicial independence, and Roman Giertych, a lawyer who has represented senior leaders of Brejza’s party, Civic Platform, in sensitive cases.
Prime Minister Mateusz Morawiecki on Wednesday dismissed revelations that Giertych and Wrzosek were hacked as “fake news.” Justice Minister Zbigniew Ziobro expressed no knowledge of “illegal actions aimed at the surveillance of citizens” but also said Poland was “not helpless” in taking action against people suspected of crimes.
Giertych was hacked 18 times, also in the run-up to 2019 parliamentary elections that the ruling Law and Justice party won by a razor-thin margin. That victory has continued a dangerous erosion of democracy in the nation where the popular 1980s protest movement Solidarity presaged the eventual collapse of the Soviet empire.
The intense tempo of the hacks of Brejza and Giertych “indicates an extreme level of monitoring” that raises pressing questions about abuses of power, Citizen Lab senior researcher John Scott-Railton said. Pegasus gives its operators complete access to a mobile device: They can extract passwords, photos, messages, contacts and browsing history and activate the microphone and camera for real-time eavesdropping.
“My heart sinks with each case we find,” Scott-Railton added. “This seems to be confirming our worst fear: Even when used in a democracy, this kind of spyware has an almost immutable abuse potential.”
Other confirmed victims have included Mexican and Saudi journalists, British attorneys,Palestinian human rights activists, heads of state and Uganda-based U.S. diplomats.
An NSO spokesperson said Thursday that “the company does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorized uses.” The spokesperson claimed zero tolerance for governments who abuse it the software; NSO says it has terminated multiple contracts of governments who have abused Pegasus, although it has not named any publicly.
Despite any measures NSO might be taking, Citizen Lab notes, the list of abuse cases continues to grow.
Brejza, a 38-year-old attorney, told the AP that he has no doubt data stolen from his phone while he was chief of staff of the opposition coalition’s parliamentary campaign provided critical strategy insights. Combined with the smear effort against him, he said, it prevented “a fair electoral process.”
Text messages stolen from Brejza’s phone were doctored to make it appear as if he created an online group that spread hateful anti-government propaganda; reports in state-controlled media cited the altered texts. But the group didn’t actually exist.
Brejza says he now understands where TVP state television got them.
“This operation wrecked the work of staff and destabilized my campaign,” he said. “I don’t know how many votes it took from me and the entire coalition.”
Brejza won his Senate seat in that October 2019 race. But since the ruling party held on to the more powerful lower house of parliament, it has steered Poland further away from EU standards of liberal democracy.
Election monitors from the Organization for Security and Cooperation in Europe said at the time that control of state media gave the ruling party an unfair advantage but called the elections essentially free. They were unaware of the hacking.
Brejza has kept the ruling Law and Justice party on its heels since it won power in 2015. For example, he has exposed large bonuses paid to senior government officials. In another case, he revealed that the postal service sent tens of thousands of dollars to a company tied to ruling party leader Jaroslaw Kaczynski. Brejza fears the hacking could have compromised whistleblowers who had reached out to him with evidence.
NSO Group is facing daunting financial and legal challenges — including the threat of default on more than $300 million in debt — after governments used Pegasus spyware to spy on dissidents, journalists, diplomats and human rights activists from countries including Saudi Arabia, the United Arab Emirates, Mexico and the United States. The U.S. blacklisting of NSO has effectively barred U.S. companies from supplying technology to the Israeli firm.
Apple sued NSO last month, bent on halting the violation of its operating systems with exploits including a so-called zero-click hack that can compromise a device with no user interaction. Apple alerted scores of users worldwide that they had been hacked. In 2019, Facebook sued the Israeli firm over allegations of hacking its globally popular WhatsApp messenger app.
Dutch EU parliamentarian Sophie in ‘t Veld told the AP on Wednesday that a committee has launched hearings on Pegasus and that the revelations from Poland “will only help intensify the process.”
“EU governments using spyware on political opponents and critics is unacceptable,” she tweeted, accusing the European Commission — the EU’s executive branch — of “ducking the issue.” She wants a ban on such practices in the 27-nation bloc.
That may be difficult, however, because national security matters are outside EU jurisdiction, said Lukasz Olejnik, a cybersecurity consultant who has worked with the International Red Cross. Some member states are apt to argue that the EU cannot prohibit their use of digital surveillance tools for that end, he said.
Bajak reported from Boston. Associated Press reporters Kelvin Chan contributed from London and Josef Federman from Jerusalem.