In both instances, the invader was military-grade spyware from NSO Group, the Israeli hack-for-hire outfit that the U.S. government recently blacklisted, say digital sleuths of the University of Toronto-based Citizen Lab internet watchdog.
Citizen Lab could not say who ordered the hacks and NSO does not identify its clients, beyond saying it works only with legitimate government agencies vetted by Israel's Defense Ministry. But both victims believe Poland’s increasingly illiberal government is responsible.
A Polish state security spokesman, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.
Lawyer Roman Giertych and prosecutor Ewa Wrzosek join a list of government critics worldwide whose phones have been hacked using the company’s Pegasus product. The spyware turns a phone into an eavesdropping device and lets its operators remotely siphon off everything from messages to contacts. Confirmed victims have included Mexican and Saudi journalists, British attorneys, Palestinian human rights activists, heads of state and Uganda-based U.S. diplomats.
But word of the Poland hacking is especially notable, coming as rights groups are demanding an EU-wide ban on the spyware. The 27-nation European Union has tightened export restrictions on spyware, but critics complain that abuse of it by EU member states urgently needs to be addressed.
Citizen Lab previously detected multiple infections in Poland dating from November 2017, though it didn't identify individual victims then. The Pegasus spyware has also been linked to Hungary, which like Poland has been denounced for anti-democratic abuses. Germany and Spain are reportedly among NSO's customers, with Catalan separatists accusing Madrid of targeting them with Pegasus.
“Once you start aggressively targeting with Pegasus, you’ll join a fraternity of dictators and autocrats who use it against their enemies and that certainly has no place in the EU,” said senior researcher John-Scott Railton of Citizen Lab.
Former EU parliament member Marietje Schaake of the Netherlands, now international cyber policy director at Stanford University, said: “The EU cannot credibly condemn human rights violations in the rest of the world while turning a blind eye to problems at home.”
The Polish targets see the hack as evidence of a perilous erosion of democracy in the very nation where Soviet hegemony began unraveling four decades ago.
Just hours before Zaryn answered emailed questions about the hack from The Associated Press, a provincial prosecutor filed a motion seeking the arrest of Giertych, the lawyer, in a financial crimes investigation.
Zaryn did not comment on whether the two matters might be related. He said Poland conducts surveillance only after obtaining court orders.
“Suggestions that Polish services use operational methods for political struggle are unjustified,” Zaryn said.
An NSO spokesperson said Monday that the company is a “software provider, the company does not operate the technology nor is the company privy to who the targets are and to the data collected by the customers.” Citizen Lab and Amnesty International researchers say, however, that NSO appears to maintain the infection infrastructure.
The company spokesperson also called the allegations of Polish misuse of Pegasus unclear: “Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in committing a crime, this would not be considered a misuse of such tools by any means.”
In July an investigation by a global media consortium found Pegasus was used in Hungary to hack at least 10 lawyers, an opposition politician and several journalists. Last month, a Hungarian governing party official acknowledged that the government had purchased Pegasus licenses.
In 2019, independent Polish broadcaster TVN found evidence the government anti-corruption agency spent more than $8 million on phone spyware. The agency denied the report but Prime Minister Mateusz Morawiecki was more ambiguous, saying all would “be clarified in due time.”
In the last four months of 2019, Giertych was hacked at least 18 times, Citizen Lab found. At the time, he was representing former Prime Minister Donald Tusk of Civic Platform, now head of the largest opposition party, and former Foreign Minister Radek Sikorski, now a European Parliament member.
The “jaw-droppingly aggressive” tempo and intensity of the targeting — day-by-day, even hour-by-hour — suggested “a desperate desire to monitor his communications,” Scott-Railton said. It was so unrelenting that the iPhone became useless and Giertych abandoned it.
“This phone was with me in my bedroom and it was with me when I went to confession. They scanned my life totally,” he said.
Most of the hacks occurred just ahead of an Oct. 13, 2019, parliamentary election that the Law and Justice party of Jaroslaw Kaczynski won by a slim margin, leading to a further erosion of judicial independence and press freedom.
Giertych was also involved representing an Austrian developer at the time who claimed that Kaczynski, Poland’s most powerful politician, stiffed him as a deal to build twin business towers in Warsaw fell apart. Revelations of that deal-gone-sour triggered a scandal because Polish law bans political parties from profit — and the towers were to be built on land owned by Kaczynski's party.
Giertych also represented Sikorski in an illegal w iretapping case in which the former foreign minister's conversations were recorded and published; Sikorski alleges the government failed to investigate the possible involvement of Kaczynski allies. Last year, anti-corruption officials searched Giertych's home and office in a manner a Polish court deemed illegal and the EU called emblematic of how Poland's government treats hostile lawyers in politically sensitive cases.
When the Lublin regional prosecutor applied for a court order Monday seeking Giertych's arrest, it said the lawyer had refused to appear for questioning, and seemed to be “deliberately hiding from justice.”
Giertych called this absurd and said the financial wrongdoing investigation was trumped-up, that a Poznan court had already dismissed it for lack of evidence. Prosecutors say he is suspected of money laundering for legal fees he received in a Warsaw property dispute case a decade ago.
Citizen Lab was still investigating how Giertych’s phone was infected but said it expects a “zero-click” vulnerability, which wouldn't involve user interaction. They believe Wrzosek was similarly hacked. Citizen Lab found six intrusions on her phone from June 24-Aug. 19.
Last year, Wrzosek ordered an investigation into whether presidential elections should be postponed over concerns they could threaten the health of voters and election workers. Almost immediately, she was stripped of the case and transferred to the distant provincial city of Srem with two days’ notice.
"I didn’t even know where the city was and I had nowhere to live there,” said Wrzosek, who was hacked shortly after returning to Warsaw and resuming media appearances critical of the government.
A vocal member of an independent prosecutors' association, Wrzosek learned she’d been hacked — and tweeted about it -- when Apple sent out alerts last month to scores of iPhone users across the globe targeted by NSO’s Pegasus, including 11 U.S. State Department employees in Uganda. In a lawsuit it filed the same day, Apple called NSO “amoral 21-century mercenaries.” In 2019, Facebook sued the Israeli firm for allegedly hacking its globally popular WhatsApp messenger app.
Wrzosek has filed an official complaint but doesn’t expect prompt accountability, believing “the same services that tried to break into my phone will now be conducting the proceedings, looking for perpetrators.”