Boris Johnson should “pay close attention” to basic rules of cybersecurity, a former national security adviser has said, after it emerged that the United Arab Emirates was accused of hacking into a mobile phone at Downing Street.
Peter Ricketts, who held the post between 2010 and 2012, said the cyber-attack demonstrated that “commercially made” Pegasus software from NSO Group allowed a “wide range of actors” to engage in sophisticated espionage.
Anybody with access to secret information needed to be aware of the fast-changing risk, the peer added, including the prime minister, who was forced to change his mobile number last year after it emerged it had been available online.
“It’s vital that anyone with access to sensitive material up to and including the PM have to pay close attention to the basic rules of cybersecurity, including their phone numbers,” Ricketts said.
Johnson was forced to suddenly change his mobile phone last spring after it emerged that his number had been available online for 15 years. It was published on a thinktank press release from 2006 and never deleted.
Pegasus is sophisticated software, made by the Israeli company NSO Group, that can covertly take control of a person’s mobile phone, take and copy data from it and even turn it into a remote listening device without their permission. But for it to be effective, it needs to be given a phone number to target.
NSO Group said the allegations were “wrong and misleading” and the company denied involvement. “For technological, contractual and legal reasons, the described allegations are impossible and have no relation to NSO’s products,” the company said.
On Monday, Citizen Lab, a group of technology researchers based at Toronto University, said they had uncovered evidence of “multiple suspected instances of Pegasus spyware infections” within official UK networks including Downing Street and the Foreign Office.
Using digital forensic techniques developed over several years, the researchers said they concluded the attack on Downing Street was “associated with a Pegasus operator we link to the UAE”, and took place on 7 July 2020.
There is no firm evidence as to why the UAE may have wanted to target Downing Street on that date. However, a day earlier the British government announced a range of economic sanctions targeting 20 Saudi nationals accused of being involved in the murder of the journalist Jamal Khashoggi, plus individuals from Russia, Myanmar and North Korea. Neighbouring UAE is a close ally of Saudi Arabia.
The UAE ambassador to London, Mansoor Abulhoul, denied reports that the UAE may have used spyware to hack into either Downing Street or the Foreign Office.
He said: “These reports are totally baseless and we reject them. The UK is one of the UAE’s closest and dearest allies and we would never do such a thing to them.”
He added he was shocked that the allegations had even been made, pointing to the recent enhancement of relations between the two countries, including a growing economic partnership.
The denial is a reflection of the importance that the UAE attaches to the relationship, and the potential damage the espionage allegation could cause if it were given credence.
One Citizen Lab researcher told the New Yorker, which first reported on the story, that it believed some data may have been stolen from Downing Street by the hackers. But the research group said it could not identify whether Johnson’s own phone or that of any other named official was targeted.
The Foreign Office declined to discuss the story, saying: “We do not routinely comment on security matters.” But Citizen Lab said that it had alerted the UK, and officials from the National Cyber Security Centre are understood to have tested several phones but were unable to locate which one was compromised.
Pegasus is sold to governments for counter-terror or national security purposes, but there have been repeated accusations that it has been used to spy on opposition politicians, human rights defenders and journalists by at least 10 countries, including the UAE and Saudi Arabia.
Three civil society activists in Britain are in the process of bringing a civil claim against NSO Group, the UAE and Saudi Arabia, after an investigation by the Guardian and others that showed more than 400 phone numbers had been selected for potential targeting.
Last year the high court and the court of appeal also ruled that “servants or agents” of sheikh Mohammed bin Rashid al-Maktoum, the vice-president and prime minister of the United Arab Emirates, had engaged in “the surveillance of the six phones” in Britain – including of his former sixth wife, Princess Haya, with whom he was embroiled in a bitter divorce case, and her lawyer Fiona Shackleton.
After the episode was discovered, in August 2020, NSO Group is understood to have rewritten its software to prevent Pegasus from being allowed to target UK numbers.
