Officials said the devices were breached by the Pegasus spyware, made by an Israeli company, which is intended to track illegal behavior but has been misused by some governments.
MADRID — Data was downloaded from cellphones used by the prime minister and the defense minister of Spain that were infected with powerful spyware known as Pegasus from an Israeli company, the country’s government said on Monday.
The revelation that Pegasus reached the highest echelons of the Spanish government broadens a scandal over political spying in the country, after a cybersecurity watchdog organization found that Pegasus had been installed on the devices of dozens of politicians from the pro-independence government of Catalonia.
Pegasus is a sophisticated and robust surveillance tool, and while it has been used by dozens of governments to hunt down criminals, terrorists and drug traffickers, the developments in Spain will add to concerns that there are insufficient checks to prevent its abuse.
The hacking represented an “illegal and external” intrusion into Spanish politics, said Félix Bolaños, a minister in the Spanish government, at a news conference, adding that the use of the spyware attack was “alien” to any national agencies and had not received any kind of judicial authorization.
Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had their phones surveilled by the Pegasus spyware about a year ago, Mr. Bolaños said, and the Spanish authorities were trying to determine whether other ministers and senior officials were targeted.
Mr. Bolaños said that the national court, which is charged with cases of terrorism and other serious crimes, would investigate how Pegasus was used to monitor Spanish officials.
Pegasus is a software that was developed by NSO Group, an Israeli company, in part to help governments track criminal and terrorist activity. The software allows users to monitor every aspect of a target’s phone — including calls, messages, photos and video.
But its usage has led to scandals in several countries, and last November the Biden administration blacklisted NSO Group, saying it had knowingly supplied spyware that has been used by foreign governments to target the phones of dissidents, human-rights activists, journalists and others.
“While we have not seen any information related to this alleged misuse and we are not familiar with the details of this specific case,” NSO Group said in a statement Monday, “NSO’s firm stance on these issues is that the use of cyber tools in order to monitor politicians, dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.”
The announcement from the government in Madrid adds a twist to the dispute over political spying in Spain, which was reignited with the revelations last month that Catalan officials had been monitored.
Regional leaders demanded that the central government open an investigation into the usage of Pegasus against the Catalan politicians, including the region’s current leader, Pere Aragonès.
“All political espionage is extremely serious,” Mr. Aragonès said in a statement on Twitter. “We have been denouncing it for days without obtaining explanations from the Spanish government. When mass espionage is against Catalan institutions and independence, silence and excuses. Today, everything is in a hurry.”
The latest Catalan revelations was touched off by a report from Citizen Lab, a cybersecurity watchdog organization at the University of Toronto that has been investigating unlawful surveillance activities worldwide.
At the time, Citizen Lab also said it had found evidence of what it called “multiple suspected instances of Pegasus spyware infections within official U.K. networks,” including at the prime minister’s office and the Foreign Ministry.
In an emergency news conference, which was held on a public holiday in Madrid, government officials said that the prime minister’s phone was infected in May 2021, and that the defense minister’s device was hit a month later.
“These are facts and not suppositions,” Mr. Bolaños said. “We know that the Pegasus software has been used illicitly in 20 countries and that governments are among the victims.”