Debunking Runa Sandvik — CatalanGate Spyware

Some Background

Jonathan Scott
25 min read · Jul 24, 2023


In April 2022, the world was informed about 65 suspected instances of espionage in Catalonia. The revelation came through a report and data jointly released by The Citizen Lab, a public policy institution at The University of Toronto, and Amnesty Tech, a cybersecurity division of Amnesty International. Following their investigation, these special interest groups leveled direct accusations against the Spanish government, alleging the utilization of surveillance technology developed by Israeli cyber intelligence firms NSO Group and Candiru, LTD to target Catalan civil society.

When news of the alleged espionage emerged, media outlets worldwide were divided, adopting defensive and offensive stances. The revelation created a highly political and contentious situation, pitting Spanish citizens against Catalans. The case was referred to as CatalanGate by The Citizen Lab, and it stood as the largest single instance of alleged espionage through commercial surveillance technology ever documented.

The main opposition to the CatalanGate has been voiced by a group of prominent individuals, including Dr. José Javier Olivas Osuna, a political scientist and disinformation researcher; Dr. Gregorio Martín Quetglas, a computer scientist; Jordi CAÑAS, a Member of the European Parliament; Irina Tsukerman, an American attorney; Foro de Profesores (Teachers Forum), founded by Alfonso Valero Aguado, former Law Professor at Nottingham Trent University; and myself, computer scientist Jonathan Scott.

In addition to the aforementioned individuals, another noteworthy figure is computer scientist Dr. Nadim Kobeissi. Although not directly opposing the CatalanGate matter itself, Dr. Kobeissi expresses disagreement with the methodology employed by The Citizen Lab and Amnesty International to detect NSO’s Pegasus spyware. However, he provides direct support for the efforts of Dr. José Javier Olivas Osuna and Irina Tsukerman in bringing attention to the CatalanGate issue.

Dr. Kobeissi stated:

A number of researchers (@josejolivas, @irinatsukerman_ etc) have been pointing out the bankrupt scientific methodology that Citizen Lab have been applying to their forensic reports, only to be met with predictable Twitter ad-hominem etc.

Dr. Nadim Kobeissi agrees Citizen Lab has a bankrupt scientific methodology

Dr. Kobeissi further says this about The Citizen Lab:

It’s a classical “the ends justify the means” scenario. They exaggerate results, force themselves to provide attribution based on tortured pseudo-evidence, all in order to raise awareness but also to satisfy pre-existing political biases and agendas. I wish that would stop.

Dr. Kobeissi states that Citizen Lab and Amnesty exaggerate their forensics results to satisfy a political bias

My research into the CatalanGate has been extensive, leading me to produce three comprehensive white papers on the topic. One of my papers involved a collaboration with Dr. Gregorio Martín Quetglas, which helped shed light on the significant lack of credibility, scientific rigor, and flawed methodology used by Citizen Lab and Amnesty International in their research. Aside from mere Twitter posts, my research has faced opposition from only two public figures: Łukasz Siewierski and Runa Sandvik. These individuals have sought to challenge the evidence presented in my spyware research reports through alleged fact-checking blogs and op-ed posts.

Runa Sandvik has consistently opposed my research and findings, and this is not the first instance where I have had to write a debunking blog post. In the past, she attempted to fact-check one of my spyware reports concerning Morocco, and I provided a response that rendered her alleged fact-checking void. Now, this post serves as a rebuttal to her latest blog titled, “Fact Check: Jonathan Scott’s review of Citizen Lab’s CatalanGate report,” in which she tries to refute the conclusions drawn from my first CatalanGate report.

Fact Check #1

Summary

Runa attempts to undermine my credibility as a security researcher by challenging my earned ranking as the #1 Security Researcher in The United States and #4 Globally during Q3 of 2021. She claims that this is misleading due to my previous bans from bug bounty programs HackerOne and Bugcrowd before the end of Q3 2021.

Runa cites a letter I received from Bugcrowd, wherein they state that I was banned from their bug bounty program for intentionally leaking PII (Personally Identifiable Information) and other sensitive data publicly.

Runa’s fact check #1

Response

  1. My removal from a bug bounty platform does not change the fact that I held the ranking of #1 Security Researcher in The United States and #4 Globally from July to September 3rd, 2021, which was in Q3 of 2021. Even after my removal from the HackerOne program, my #1 ranking as a hacker in the US remained consistent throughout the entirety of Q3 2021 and can still be verified here.
  2. Runa’s reference to the Bugcrowd letter presents a contradiction to the grounds on which I was removed from the HackerOne program. At first, HackerOne recognized the severity of the vulnerability I reported, but after a month they dismissed it as a non-issue. In reaction to this decision, I took a public stance to raise awareness about the so-called “non-issue.” Regrettably, my efforts to shed light on the server misconfigurations that caused PHI and PII leaks, which were deemed as a non-issue, resulted in my subsequent banning from the platform.
  3. Despite initially dismissing the matter as a non-issue, Yahoo Media, HackerOne’s client, eventually responded to my complaints regarding server misconfigurations and the leaking of PII and PHI. Surprisingly, they acknowledged the situation by stating that they had informed their customers about the data leak. This raises a pertinent question: if the issue was genuinely a non-issue, why would Yahoo feel the need to notify their customers about it?
  4. Bugcrowd’s assertion that I leaked PII contradicts HackerOne’s view of the bug I discovered as a non-issue. If HackerOne considered it a non-issue, then the claim of PII leakage is unfounded. Moreover, I can confirm that all the information I released to the public was redacted, making Bugcrowd’s claims false. (see images with sources below)
Yahoo Media notifies customers of leaking data
PHI data leaked from Yahoo business servers: source
PII leaked from Yahoo business servers: source

Fact Check #1 Result: DEBUNKED

Fact Check #2

Summary

According to Runa, the 2016 Citizen Lab report discussing the alleged hacking of Ahmed Mansoor does not contain the quote that I referenced. Additionally, Runa acknowledges that Citizen Lab has been conducting research on digital threats for a significant period.

Runa’s fact check #2

Response

  1. The quote Runa is speaking about is as follows and can be found in the Abstract of my report UNCOVERING THE CITIZEN LAB AN ANALYTICAL AND TECHNICAL REVIEW DISPROVING CATALANGATE:

Citizen Lab’s report on the hacking of human rights defender Ahmed Mansoor, concludes that they have been researching, and “confirming spyware infections” since 2011.

“confirming spyware infections” is not a quote from Citizen Lab; this is me using scare quotes, as recommended by the APA.

I enclosed “confirming spyware infections” in scare quotes because in my previous statement, I highlighted that Citizen Lab has never shared spyware samples with the public for examination, research, or verification of their assertions.

For years The Citizen Lab has been publishing research about high-value individuals who have been infected with Pegasus spyware, but, similarly for years, they have never provided any samples for the general public to view, research, or use to challenge their claims.

APA Guidelines for using scare quotes

Fact Check #2 Result: DEBUNKED

Fact Check #3

Summary

According to Runa, my assertion that “The entirety of the CatalanGate report is based on events that occurred April-May, 2019” is incorrect. Runa supports this claim by referring to a response letter addressed to Member of European Parliament Jordi CAÑAS, written by Ron Deibert, the Director of The Citizen Lab. In the letter, Ron Deibert states that their investigation into the CatalanGate matter took place in the fall of 2019.

Runa’s fact check #3

Response

  1. The events that triggered The Citizen Lab to start their CatalanGate research are documented in The WhatsApp VS NSO Group Civil Complaint as quoted below:

Between April 29, 2019 and May 10, 2019, defendants caused their malicious code to be transmitted over WhatsApp’s servers reaching approximately 1,400 devices used by “attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.”

The Citizen Lab extended an offer to assist WhatsApp in response to the reported 1,400 victims of the alleged WhatsApp hack. Among these victims were individuals from Catalan Civil Society, such as Roger Torrent, Ernest Maragall, Anna Gabriel, and Jordi Domingo, to mention a few. Thus, the events that led to the investigation, which occurred in April-May 2019, form the foundation of the CatalanGate report. Although Citizen Lab states that their investigation began later, it does not negate the fact that the triggering events took place in April-May 2019.

WhatsApp vs NSO: claim that WhatsApp was hacked April-May 2019

Fact Check #3 Result: DEBUNKED

Fact Check #4

Summary

According to Runa, the quote I referenced from the Citizen Lab, asserting that former Parliament President Roger Torrent was successfully infected, is false.

Runa’s fact check #4

Response

The following is the exact text taken from Page 8 of 60 in my report:

Citizen Lab in the same article then confirms Roger Torrent’s phone to be “successfully infected (Kirchgaessner & Jones, 2020 July 13th)” in a memo to the former parliament president.

Jonathan Scott’s text from CatalanGate Report

The quote in my report is taken from The Guardian and I include the in-text citation as well.

The following is the exact text from The Guardian:

Citizen Lab said in a memo to Torrent that this suspicious activity suggested his phone had been successfully infected.

The Guardian saying Citizen Lab suggested Roger Torrent’s phone had been successfully infected with Pegasus

I have properly cited my sources, and Runa’s claim that this portion of my work contains fallacies lacks validity, as there is no variation in the quoted material.

Fact Check #4 Result: DEBUNKED

Fact Check #5

Summary

According to Runa, my statement that “but the civil complaint does not reference the WhatsApp CVE-2019-3568 vulnerability at all” is false. Runa asserts that CVE-2019-3568 is indeed mentioned on page 10 of the WhatsApp Vs NSO Group complaint.

Runa’s fact check #5

Response

I stated:

the civil complaint does not reference the WhatsApp CVE-2019-3568 vulnerability at all

Throughout the entire WhatsApp Vs NSO Group complaint, there is no direct reference provided for the WhatsApp CVE-2019-3568 vulnerability. Simply mentioning a subject does not qualify as a proper reference. In this instance, the mention of the WhatsApp CVE-2019-3568 vulnerability lacks substantial information or details. It seems that the attorneys have left readers to speculate about where they can find pertinent information concerning this CVE, such as its implications, impact, and functionality.

Fact Check #5 Result: DEBUNKED

Fact Check #6

Summary

Runa argues that the mention of CVE-2016-46578 on page 5 of the WhatsApp Vs NSO Group complaint is to provide supporting evidence, showing that vulnerabilities associated with the NSO Group have been identified multiple times. Runa says my statement, “The lawsuit references CVE-2016-46578, as one of the exploits used to hack into 1,400 mobile devices,” is false.

Runa’s fact check #6

Response

The civil complaint includes a mention of CVE-2016-4657, along with a footnote reference. Despite the differences between the footnote reference and CVE-2016-4657, which I pointed out in my report, this is the information presented by the attorneys. On page 6, you can find footnote 1, which uses the abbreviation “Id.” (“idem”), a Latin term meaning “the same,” used in legal documents to refer back to the preceding citation or reference.

Runa is entitled to provide her opinion regarding the reasons why CVE-2016-4657 was mentioned. However, it is not reasonable for her to assert that the facts I presented are false, particularly when she is basing her argument on her own opinion. It should be noted that the association of CVE-2016-4657 with NSO Group as an exploit has not been proven, making Runa’s claim speculative and without substantiated evidence.

CVE-2016-4657 referenced with the 2019 WhatsApp hack

Fact Check #6 Result: DEBUNKED

Fact Check #7

Summary

Runa disputes my text saying there was a cautionary response from the WhatsApp team regarding Senior Researcher at The Citizen Lab, John Scott-Railton’s statement, suggesting that there is no reason to believe Roger Torrent’s phone was not hacked.

Runa’s fact check #7

Response

My statement is as follows:

JSR’s previous confidence in saying that there was no reason to believe Roger Torrent’s phone was not hacked, and then confirming the successful infection is met with caution by the WhatsApp team.

In an interview with The Guardian, John Scott-Railton said this about Roger Torrent:

“Given the nature of this attack and the limited information collected by WhatsApp on its users, we can confirm that the telephone was targeted. However, additional investigation would be necessary to confirm that the phone was hacked. At this time we have no reason to believe that it wasn’t,” Scott-Railton said in an interview

John Scott-Railton Interview with The Guardian

In the same article, The Guardian writes, “Citizen Lab said in a memo to Torrent that this suspicious activity suggested his phone had been successfully infected.”

The Guardian saying Citizen Lab suggested Roger Torrent’s phone had been successfully infected with Pegasus

In the same interview, The Citizen Lab states that they have no reason to believe Roger Torrent’s phone was not hacked. Additionally, they mention sending a memo to Roger Torrent, suggesting that his phone was successfully infected.

The following section of my report indicates that the Citizen Lab’s comments regarding the alleged successful infection of Roger Torrent’s device were received with caution by the WhatsApp team.

Niamh Sweeney, director of public policy for Europe, the Middle East and Asia at WhatsApp, said:

Based on the information available to us, we are not in a position to confirm whether Mr. Torrent’s device was compromised as this could only be achieved through an exhaustive forensic analysis of the device

Timeline:

July 13th, 2020 — The Citizen Lab publicly states that there is no reason to believe Roger Torrent’s phone is not hacked (infected). Furthermore, they send a memo to Torrent, suggesting that he is infected.

July 28th, 2020 — The Director of Public Policy for WhatsApp explicitly states that they cannot confirm whether Roger Torrent’s phone was infected or not.

Runa cites the April 2022 CatalanGate report, which indicates that Roger Torrent was only a target. However, this does not invalidate the statements made by The Citizen Lab in 2020, nearly two years before their CatalanGate report was published. It’s important to note that the context of my report in this section was solely focused on that specific time period and the statements provided by The Citizen Lab and WhatsApp. Runa introduced events that had not even occurred during that time, intentionally skewing the understanding of the situation.

Fact Check #7 Result: DEBUNKED

Fact Check #8

Summary

Runa claims that the text from my report was misrepresented.

Runa’s fact check #8

Response

Here is the full text that can be found on page 10/60 in my report.

July 13th, 2020, in an interview with The Guardian, news came forth stating that The Citizen Lab had already alerted pro-independence activists Jordi Domingo and Anna Gabriel in early 2019, saying “it seemed clear the Spanish state [was behind the attacks].”

  1. Runa disregards the first part of my text, which stated that two pro-independence activists were alerted by The Citizen Lab of potential espionage in early 2019.
  2. What Runa failed to mention is that the second paragraph of The Guardian article states:

A joint investigation by the Guardian and El País has revealed that the speaker of the Catalan regional parliament, Roger Torrent and at least two other pro-independence supporters were told they were targeted last year in what experts said was a “possible case of domestic political espionage” in Europe.

Citizen Lab suggests domestic political espionage

The experts mentioned in the second paragraph are The Citizen Lab, who were the first to propose that the Spanish State might be responsible for the espionage targeting Roger Torrent and two other pro-independence supporters. Because of The Citizen Lab’s speculation regarding the potential involvement of the Spanish State, Roger Torrent and the other two supporters came to believe that the surveillance was linked to the Spanish State. The Citizen Lab goes as far as describing it as a “possible case of domestic political espionage” in their statement.

Runa’s Fact Check appears to be misleading and lacking in providing a comprehensive analysis of The Citizen Lab’s statements. By selectively presenting only a portion of the context, she seems to be attempting to shape readers’ perceptions and downplaying the fact that The Citizen Lab did indeed suggest the possibility of the Spanish state’s involvement in the alleged illicit espionage. This selective approach raises concerns about the objectivity and credibility of the Fact Check, as it fails to offer a balanced assessment of the situation.

Fact Check #8 Result: DEBUNKED

Fact Check #9

Summary

Runa is suggesting that John Scott-Railton’s talk at the Virus Bulletin Conference in 2018 is not about DNS Cache poisoning; she argues that he is actually discussing DNS Cache Probing. Due to this, she claims that my statement regarding DNS Cache Poisoning is false.

Runa’s fact check #9

Response

In this case, it’s a matter of viewing actions from different angles. During DNS cache probing, there’s a possibility of inadvertently triggering DNS cache poisoning, and the researcher performing the probing may never know.

For example:

  1. A researcher performs DNS cache probing by sending a recursive query for a randomized subdomain of a domain they control, “example.com.” The researcher wants to study and analyze DNS behavior, but, due to an unknown vulnerability in the DNS forwarder, it incorrectly caches this recursive query, including the randomized subdomain.
  2. Later, a user behind the same vulnerable DNS forwarder attempts to access a legitimate website, “legitwebsite.com.”
  3. When the user’s system makes a DNS query for “legitwebsite.com,” the vulnerable forwarder, instead of forwarding the query to the authoritative DNS server for “legitwebsite.com,” serves the cached response it obtained earlier during the researcher’s probing activity.
  4. Since the forwarder cached the response for the randomized subdomain of “example.com” (the domain the researcher controls), it returns this cached response to the user’s system.
  5. Because of this, the user’s system is redirected to the attacker-controlled domain, “example.com,” instead of reaching the legitimate “legitwebsite.com.”

It cannot be determined whether The Citizen Lab knows that they are potentially performing a DNS cache poisoning attack, as they have not discussed this particular negative impact that may arise from DNS cache probing.

Update, July 24th, 2023: Łukasz Siewierski gives an ad hominem comment about Fact Check #9

Łukasz states:

Jonathan, DNS cache probing begins by sending a non-recursive query, that’s the whole point.

I like how in response to becoming nominated for the most epic fail you’ve decided to become an even bigger epic fail. source

Łukasz’s Claim

  • DNS cache probing begins by sending a non-recursive query, that’s the whole point.

Response to Łukasz

When Łukasz mentions “that’s the whole point,” he is essentially saying that non-recursive queries are specifically used to request information from the DNS server’s cache. This, in turn, helps to achieve the main objective of DNS cache probing, which is to evaluate the DNS server’s caching behavior and pinpoint any possible misconfigurations or vulnerabilities.

To those unfamiliar with this topic, Łukasz’s statement may give the impression that sending a non-recursive query reveals all vulnerabilities or misconfigurations, but that’s not accurate. Certain vulnerabilities and misconfigurations in DNS servers may only become evident during the complete resolution process, which involves sending recursive queries. Non-recursive queries might not expose these hidden issues, and relying solely on cached responses might overlook potential problems.
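To make the difference between the two query types discussed above concrete, here is an added example (it is not code from the original post, Citizen Lab, or ARMIS). It builds a non-recursive (RD=0) cache-probe query and an ordinary recursive (RD=1) query for a constructed random subdomain of example.com, then classifies a resolver's reply as cached, not cached, refused, or not a probe at all. The replies are constructed by `build_response` so everything runs offline; the names and the 192.0.2.x addresses are placeholders.

```python
"""Wire-level difference between a DNS cache probe (RD=0) and a normal
recursive lookup (RD=1), plus a classifier for the resolver's reply.

Added example, not code from the original post, Citizen Lab, or ARMIS.
Names and addresses are constructed (example.com, RFC 5737 192.0.2.0/24).
"""
import secrets
import struct

RD_BIT = 0x0100   # Recursion Desired
RA_BIT = 0x0080   # Recursion Available
QR_BIT = 0x8000   # reply (vs. query)


def random_subdomain(base: str) -> str:
    """A throwaway label under a domain the researcher controls (step 1 above)."""
    return f"{secrets.token_hex(6)}.{base}"


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS label sequence terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Single-question A/IN query. With RD cleared, a resolver that honours the
    bit answers only from its cache and does not go upstream: a cache probe."""
    flags = RD_BIT if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def is_probe_query(query: bytes) -> bool:
    """True when the query has RD=0, i.e. it is a cache probe."""
    return (struct.unpack("!H", query[2:4])[0] & RD_BIT) == 0


def build_response(query: bytes, answers, ttl: int = 300, rcode: int = 0) -> bytes:
    """Constructed resolver reply for offline testing: echoes the question,
    copies RD from the query, sets QR/RA, adds one A record per IPv4 string."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR_BIT | RA_BIT | (qflags & RD_BIT) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b""
    for ip in answers:
        # 0xC00C: compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        rrs += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + rrs


def decode_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def interpret_response(resp: bytes) -> dict:
    """Header flags plus a list of (name, type, ttl, rdata) answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(resp, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "recursion_desired": bool(flags & RD_BIT),
            "recursion_available": bool(flags & RA_BIT),
            "rcode": flags & 0xF, "answers": answers}


def classify_probe(resp: bytes) -> str:
    """What a probing tool concludes from one reply. Only an RD=0 exchange says
    anything about the cache; many resolvers simply REFUSE such queries."""
    r = interpret_response(resp)
    if r["recursion_desired"]:
        return "not-a-probe"          # RD echoed as 1: resolver may have fetched it fresh
    if r["rcode"] == 5:
        return "refused"              # non-recursive queries not permitted
    if r["rcode"] != 0:
        return "error"
    return "cached" if r["answers"] else "not-cached"
```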

Łukasz’s Claim Result: DEBATABLE

Update, July 25th, 2023: Dan Borges gives an ad hominem comment about Fact Check #9 — Łukasz’s Claim

Dan Borges aka SwordofDoom states the following:

Lmaoooo and miraculously it’s still wrong, you basically just wrote an entire paragraph saying “I don’t understand this technique at all” 😂 it’s not looking for vulns, it’s looking for CACHED dns records

Dan Borges Claims DNS Cache Probing Does not look for vulnerabilities

Dan Borges’s Claim

  • [DNS Cache Probing] it’s not looking for vulns, it’s looking for CACHED dns records

Response to Dan Borges

In a 2019 paper authored by ARMIS titled “WannaCry Two Years Later: How Did We Get the Data?,” the ARMIS security team discusses the use of DNS Cache Probing and acknowledges adopting the technique previously utilized by The Citizen Lab to conduct their research.

The text highlights that DNS cache probing is directed at “poorly configured DNS servers,” aiming to uncover weaknesses and vulnerabilities in the way these servers handle DNS queries and caching. Moreover, the research paper underscores the significance of DNS cache probing as a legitimate approach employed by security researchers to study DNS server behavior and effectively address security concerns.

In conclusion, Dan Borges’ assertion that DNS Cache Probing is not intended to discover vulnerabilities is inaccurate. His statement lacks any supporting references, and it was essential to address this claim as it contains clear misinformation.

Dan Borges’s Claim Result: DEBUNKED

Update 7/25/2023: Dan Borges’s Response to the Debunking

Instead of giving evidence to back up his statement that DNS cache probing can’t identify vulnerable DNS servers, his response was more dismissive and pejorative than informative.

Just came back to say you’re an idiot and clearly don’t get nor have ever used this technique on an actual investigation 🤷‍♂️ multiple people have tried correcting you here but your dumb ignorant ass looks for any excuse to be right rather than actually listen to what ppl are saying | source

Dan Borges’s response to Debunking his claim

Dan tried to leverage the reference I provided to back his assertion that DNS Cache Probing can’t be utilized to identify potentially vulnerable DNS servers. However, he didn’t manage to clearly show how my own reference actually supported his point. Given that Dan declined to support his claim with a reference, I repeatedly posed a very direct question to him.

Can DNS Cache Probing be used to identify potentially vulnerable DNS servers? | source

Jonathan Scott Asks Dan Borges A Question

The reply I got from Dan four times regarding my question was:

Can DNS Cache Probing be used to smuggle messages to a secret base on the moon? source

This isn’t the first time I’ve encountered such behavior from Dan. He frequently makes unsupported statements and often resorts to personal attacks and deflects with unrelated debates. For more than two years, I have been tracking instances of Dan Borges’ inappropriate behavior, including instances of intimidation and instigation. I must highlight the importance of this documentation, as Dan has been disseminating misinformation through his assertions.

Fact Check #9 Result: DEBATABLE

Fact Check #10

Summary

Runa argues that the Director of The Citizen Lab, Ron Deibert, never stated in his response to MEP Jordi CAÑAS that Elies Campo, an alleged victim of the CatalanGate and a research fellow at The Citizen Lab, performed remote work during the investigation into the CatalanGate.

Runa’s fact check #10

Response

Among the questions posed by MEP Jordi CAÑAS was:

When Citizen Lab trusted fieldwork to Mr Elies Campo, did they already know that he was being monitored by Spanish intelligence services for his alleged implication in several illegal secessionist activities?

What type of expertise or skills served as basis for choosing Mr Elies Campo as coordinator of the fieldwork in Catalonia?

When was Mr Elies Campo trusted with the investigation fieldwork in Catalonia?

Did Mr. Elies Campo, the coordinator of the fieldwork in Catalonia, disclose any conflict of interest to the Ethics Research Committee of the University of Toronto?

MEP Jordi CAÑAS brought up these questions because, in an interview with Ronan Farrow from The New Yorker, Elies Campo confirmed that he was doing remote work in Catalonia while working for The Citizen Lab and being overseen by the Canadian team.

One afternoon last month, Jordi Solé, a pro-independence member of the European Parliament, met a digital-security researcher, Elies Campo, in one of the Catalan parliament’s ornate chambers. Solé, who is forty-five and wore a loose-fitting suit, handed over his cell phone, a silver iPhone 8 Plus. He had been getting suspicious texts and wanted to have the device analyzed. Campo, a soft-spoken thirty-eight-year-old with tousled dark hair, was born and raised in Catalonia and supports independence. He spent years working for WhatsApp and Telegram in San Francisco, but recently moved home. “I feel in a way it’s a kind of duty,” Campo told me. He now works as a fellow at the Citizen Lab, a research group based at the University of Toronto that focusses on high-tech human-rights abuses.

Campo collected records of Solé’s phone’s activity, including crashes it had experienced, then ran specialized software to search for spyware designed to operate invisibly. As they waited, Campo looked through the phone for evidence of attacks that take varied forms: some arrive through WhatsApp or as S.M.S. messages that seem to come from known contacts; some require a click on a link, and others operate with no action from the user. Campo identified an apparent notification from the Spanish government’s social-security agency which used the same format as links to malware that the Citizen Lab had found on other phones. “With this message, we have the proof that at some point you were attacked,” Campo explained. Soon, Solé’s phone vibrated. “This phone tested positive,” the screen read. Campo told Solé, “There’s two confirmed infections,” from June, 2020. “In those days, your device was infected — they took control of it and were on it probably for some hours. Downloading, listening, recording.”

Fact Check #10 Result: DEBUNKED

Fact Check #11

Summary

Runa disputes the claim that the circumstances of Elies Campo’s involvement in identifying potential cases of hacked Catalans before joining The Citizen Lab are unknown. According to Runa, the letter sent to MEP Jordi CAÑAS provides all the relevant information needed to understand how Elies Campo became part of this identification process.

Runa’s fact check #11

Response

MEP Jordi CAÑAS asked the Director of The Citizen Lab, Ron Deibert, some questions, and his response was as follows:

Question: When did Mr Elies Campo first contact Citizen Lab?

Answer: Mr. Campo first contacted the Citizen Lab in 2020.

Question: When was Mr Elies Campo trusted with the investigation fieldwork in Catalonia?

Answer: Mr. Campo worked with myself and my co-investigator, Mr. Scott-Railton, to provide outreach assistance for the Citizen Lab between 2020 and 2022. Mr. Campo’s work was conducted under my supervision, as well as that of my co-investigator, Mr. Scott-Railton.

My initial statement is as follows:

How Elies Campo came to be involved in the identification of potential cases of hacked Catalonians before ever being employed by The Citizen Lab, is unknown.

The questions and responses Runa mentioned don’t actually respond to what I originally said. She tried to make a connection using the info she had, but it doesn’t really address my initial point.

Fact Check #11 Result: DEBUNKED

Fact Check #12

Summary

Runa disputes the claim that Claudio Guarnieri and Etienne Maynier were research fellows with The Citizen Lab and employed by Amnesty International during the time of the CatalanGate Investigations.

Runa’s fact check #12

Response

The CatalanGate investigations began in April-May 2019 and ended in April 2022, as previously mentioned.

On September 27th, 2020, Claudio Guarnieri described himself as a Technologist and Researcher at Amnesty International and stated that he was a Senior Research Fellow at the Citizen Lab.

Claudio Guarnieri admits to working at Amnesty and Citizen Lab during the time of the CatalanGate investigations

Etienne Maynier states that he was “A research fellow at the Citizen Lab until April 2021, and worked for Amnesty International from 2019 to 2023”

Etienne Maynier admits to working at Amnesty and Citizen Lab during the time of the CatalanGate investigations

Fact Check #12 Result: DEBUNKED

Fact Check #13

Summary

Runa contests a claim I’ve made: “In 2021, Amnesty published a document endorsing The Citizen Lab and indicated that they use the same methods and tools to identify Pegasus spyware indicators of compromise.” She references Amnesty’s “Forensic Methodology Report: How to Catch NSO Group’s Pegasus” and argues that it doesn’t support The Citizen Lab.

Runa’s fact check #13

Response

Runa doesn’t offer any evidence to dispute my statement, other than a link to Amnesty’s Forensic Methodology Report: How to Catch NSO Group’s Pegasus.

Breakdown of my claims:

  1. Amnesty published a document endorsing The Citizen Lab.
  2. Amnesty suggested that both they and Citizen Lab use the same methods and tools to detect indicators of compromise from the Pegasus spyware.

The endorsement of The Citizen Lab is evident as their independent research or collaborative work with Amnesty is cited more than 10 times throughout the report.

Amnesty Endorsement of The Citizen Lab

Amnesty clearly asserts that they and The Citizen Lab have utilized identical techniques to identify Pegasus.

Amnesty International, Citizen Lab, and others have primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks.

Amnesty states that they and The Citizen Lab use the same methods to detect Pegasus

The Citizen Lab has also said that they and Amnesty International use the same techniques to find Pegasus. This statement is directly mentioned in Amnesty’s report.

The Citizen Lab states that they and Amnesty use the same methods to detect Pegasus

Fact Check #13 Result: DEBUNKED

Fact Check #14

Summary

Runa is arguing that the MVT-Tool wasn’t the main tool used by both Amnesty and The Citizen Lab, saying there’s no mention of this in any of Amnesty’s reports.

Runa’s fact check #14

Response

Amnesty makes a clear statement regarding the MVT-Tool in their “Forensic Methodology Report: How to Catch NSO Group’s Pegasus”:

We are not only sharing the methodology we have built over years of research but also the tools we created to facilitate this work, as well as the Pegasus indicators of compromise we have collected.

Moreover, as I have previously pointed out, Claudio Guarnieri and Etienne Maynier were research fellows with The Citizen Lab and employed by Amnesty International during the time of the CatalanGate Investigations.

It’s undeniable that Amnesty and Citizen Lab had overlapping staff. Given that these individuals were jointly employed by Amnesty and The Citizen Lab, claiming that only one entity used the MVT-Tool ignores that reality. These researchers worked on the MVT-Tool as employees of both organizations.

Fact Check #14 Result: DEBUNKED

Fact Check #15

Summary

Runa is arguing that it’s not true to say that the MVT-Tool was jointly developed by Citizen Lab and Amnesty International. According to her, only Amnesty International created the MVT Tool.

Runa’s fact check #15

Response

I’m saying this for the third time now — The Citizen Lab and Amnesty International shared the same researchers, even while the MVT-Tool was being developed. Ignoring that these researchers were working for both Amnesty and Citizen Lab during the development of the MVT-Tool, and crediting only Amnesty International because they released the tool, is not factual. For more info, take a look at Fact Check #12 and #14.

Fact Check #15 Result: DEBUNKED

Fact Check #16

Summary

Runa is saying that the MVT-Tool can’t actually tell you if your device has spyware on it. She also points out, quoting Amnesty International, that “MVT is not intended for end-user self-assessment.”

Runa’s fact check #16

Response

MVT-Tool does tell you which specific spyware your device is alleged to be infected with.

The following is an actual result from a test I conducted and for which I publicly raised a concern with the MVT-Tool team.

MVT-Tool output from Jonathan Scott test

On December 16th, 2021, Amnesty tweeted the following:

The Mobile Verification Tool from Amnesty Tech can now also be used by civil society to check mobile devices for traces of the Cytrox spyware.

Amnesty says that the MVT-Tool can be used by Civil Society to check for spyware

Amnesty Tech clearly says that end-users can use the MVT-Tool to check for themselves if their device has been compromised by spyware.

Fact Check #16 Result: DEBUNKED

Fact Check #17

Summary

Runa is saying I’ve made a misleading comment when I pointed out that the IOC 123tramites.com was expired for six months when it was listed as an active threat by Citizen Lab and the Amnesty team. She’s arguing that a malicious domain can be controlled by a harmful actor one year and then owned by someone harmless the next.

Runa’s fact check #17

Response

Breaking down my statement:

  1. 123tramites.com had been expired for 6 months when the CatalanGate report was published
  2. Citizen Lab with the help of Amnesty International published 123tramites.com as an active indicator of compromise.

Breaking down Runa’s response to my statement:

  1. A domain name can be an indicator of compromise one year, and have a new owner and non-malicious purpose two years later
  2. Runa implies that I don’t have a basic understanding of forensics analysis

Firstly, just using a domain as an indicator of compromise (IOC) isn’t good practice. It’s much better to use tactics, techniques, and procedures (TTPs) along with a domain IOC to accurately identify and block any harmful actions. However, Amnesty and The Citizen Lab don’t provide these TTPs for supposed spyware infections and just give out lists of alleged domains spreading spyware.

In the report I co-authored with computer scientist Dr. Gregorio Martín Quetglas, we provide detailed discussion and test cases, emphasizing the crucial need to avoid using just a domain as an IOC. So, the claim that I lack fundamental understanding of forensic analysis is incorrect.

When the CatalanGate report was published, the domain 123tramites.com had been expired for six months. In response to Jordi CAÑAS, Director Ron Deibert of The Citizen Lab stated, “The independent review conducted by Amnesty Tech happened nearly a year later in March-April 2022.” This timing aligns with the period when 123tramites.com was expired. Yet, Amnesty claims they were still able to confirm 123tramites.com as an active indicator of compromise.

As noted by Dr. Gregorio Martín Quetglas in his testimony to the European Parliament PEGA Committee, there were no DNS records for 123tramites.com during March-April 2022. Thus, it would have been impossible for Amnesty to confirm a live infection.
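To make the point about domain-only IOCs concrete, here is an added example (mine, not code from the original post, from Citizen Lab, or from Amnesty’s MVT): a small matcher that only treats a domain hit as a “corroborated” detection when the observation falls inside the indicator’s known malicious window and before the domain’s registration expiry, and when at least one accompanying TTP is present. All indicator domains, dates, path patterns, app identifiers and log lines are constructed for illustration and are not real CatalanGate data.

```python
"""Domain IOC matching with validity windows and TTP corroboration.

Added example, not from the original post or any vendor tooling.
Every indicator, date, pattern and log line here is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DomainIOC:
    domain: str
    first_seen: date          # first date the domain was observed in malicious use
    last_seen: date           # last date it was observed in malicious use
    expired_on: Optional[date]  # registration expiry if known; None = still registered


@dataclass(frozen=True)
class LogEvent:
    day: date
    app: str      # hypothetical app identifier that issued the request
    host: str
    path: str


# TTP corroboration an analyst would expect alongside a genuine hit.
# Constructed patterns, not any vendor's real signatures.
TTP_PATH_PATTERNS = [
    re.compile(r"^/[A-Za-z0-9]{20,}$"),  # long opaque path, as in single-use exploit links
]
SUSPICIOUS_APPS = {"com.example.messaging"}  # hypothetical: request originated from a messaging app

# Constructed log format: "<YYYY-MM-DD> <app> <host> <path>"
LOG_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\S+) (\S+) (\S+)$")


def parse_line(line: str) -> LogEvent:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    y, mo, d = (int(m.group(i)) for i in (1, 2, 3))
    return LogEvent(date(y, mo, d), app=m.group(4), host=m.group(5), path=m.group(6))


def classify(event: LogEvent, iocs: Dict[str, DomainIOC]) -> str:
    """Return 'no-match', 'stale-domain', 'domain-only' or 'corroborated'."""
    ioc = iocs.get(event.host.lower())
    if ioc is None:
        return "no-match"
    # A hit outside the malicious window, or after the registration lapsed,
    # cannot by itself support a claim of an active infection.
    outside_window = event.day < ioc.first_seen or event.day > ioc.last_seen
    after_expiry = ioc.expired_on is not None and event.day >= ioc.expired_on
    if outside_window or after_expiry:
        return "stale-domain"
    ttp_hit = (any(p.search(event.path) for p in TTP_PATH_PATTERNS)
               or event.app in SUSPICIOUS_APPS)
    return "corroborated" if ttp_hit else "domain-only"


# Constructed indicator: malicious June-September 2021, registration lapsed mid-October 2021.
SAMPLE_IOCS: Dict[str, DomainIOC] = {
    "ioc-example.test": DomainIOC("ioc-example.test",
                                  date(2021, 6, 1), date(2021, 9, 30), date(2021, 10, 15)),
}

# Constructed log lines covering each outcome.
SAMPLE_LOG = """\
2021-07-04 com.example.messaging ioc-example.test /a8f3k2m9x1q7z4w6v5b2n8c3
2021-07-05 com.example.browser ioc-example.test /index.html
2022-03-20 com.example.browser ioc-example.test /index.html
2022-03-20 com.example.browser benign.test /
"""


def run(log: str = SAMPLE_LOG, iocs: Dict[str, DomainIOC] = SAMPLE_IOCS) -> List[Tuple[str, str]]:
    """Classify every line of the log; returns (host, verdict) pairs."""
    return [(ev.host, classify(ev, iocs)) for ev in map(parse_line, log.splitlines())]


if __name__ == "__main__":
    for host, verdict in run():
        print(f"{host:20} {verdict}")
```

The third sample line is the situation the fact check describes: a domain that was a valid indicator in 2021 but whose observation in March 2022 falls after both its last malicious sighting and its registration expiry, so the matcher reports it as stale rather than as an active compromise. The second line shows why a bare domain match without any TTP context is still only a “domain-only” lead that needs further evidence.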

Fact Check #17 Result: DEBUNKED

Fact Check #18

Summary

Runa asserts that the Citizen Lab’s Hooking Candiru report does not attribute the spyware infection to Joan Matamala.

Runa’s fact check #18

Response

The CatalanGate report written by Citizen Lab literally says that Joan Matamala was “patient zero” in Citizen Lab’s July 2021 report, Hooking Candiru.

Joan Matamala is patient zero in the Hooking Candiru report

Fact Check #18 Result: DEBUNKED

Fact Check #19

Summary

Runa disputes my statement that over 55% of the purported targeted or infected Catalans lack specified dates of compromise.

Runa’s fact check #19

Response

Runa says the following:

  • 37 have dates
  • 14 have no date or say Citizen Lab was “unable to determine” specific dates
  • This is a total of 51 people
  • The total of alleged targeted or infected is 65 as Runa has stated
  • Runa is missing 14 people

I’m not sure which version of the Citizen Lab Appendix Runa is using in her blog, because she links to the latest one. Since my report was published in July 2022, that Appendix has been updated a few times. For example, MEP Antoni Comín isn’t listed as being infected by Pegasus anymore because there was a mistake in labeling his forensic data. Runa doesn’t give us the list of the alleged 37 targets with dates, or the 14 targets without dates. But in my report, on page 49, you can find a detailed breakdown of these percentages and how they were calculated. The breakdown totals 55.2%.

Fact Check #19 Result: DEBUNKED

Conclusion

I appreciate Runa Sandvik taking the time to put together these fact-checking points — that’s always a good thing in our line of work. Even though she couldn’t refute my statements this time, I still want to thank her for making the effort.


Jonathan Scott

Computer Scientist, MSCS. Researching mobile (malware/spyware/forensics/crypto)