Citizen Lab says it informed officials that suspected Pegasus spyware was discovered in 2020 and 2021, with the Downing Street incident linked to operators in the UAE.
Pegasus is sold by NSO Group to governments to carry out surveillance through infecting phones with malicious software.
The Israeli-based company has denied the allegations, saying they are false and could not have taken place.
The Citizen Lab, which tracks electronic surveillance, said in 2020 and 2021 it notified the UK government that networks belonging to both 10 Downing Street and the Foreign and Commonwealth Office were suspected to have been infected using Pegasus spyware.
Pegasus allows governments to take control of people's phones, extract data and carry out surveillance.
NSO Group has always defended its use, saying it is only sold to selected governments for legitimate law enforcement and intelligence purposes, such as against criminals or terrorists.
The latest claims are linked to an investigation by the New Yorker magazine which looked at the targeting of individuals campaigning for Catalan independence from Spain.
The Citizen Lab said it identified at least 65 individuals targeted or infected, including members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organisations.
The New Yorker said that in the UK a number of official phones were tested including those of the prime minister, but it was not possible to establish which device was infected or what - if any data - was taken.
The Citizen Lab said the suspected Foreign Office infections were believed to be linked to operators of Pegasus in the United Arab Emirates, India, Cyprus and Jordan.
It said these could have been related to staff serving abroad and using overseas SIM cards, similar to the way US diplomats were reportedly hacked in Uganda. NSO Group has said that US phone numbers cannot be targeted.
The Citizen Lab said it believed the Downing Street suspected infection was linked to the United Arab Emirates.
Previous investigations by a consortium of journalists claimed that around 400 UK phone numbers appeared in a leaked list of numbers linked to NSO Group between 2017 and 2019, with the UAE alleged to be behind the largest number.
NSO Group reportedly ended its contract with the UAE last year after reports that Pegasus had been used by the ruler of Dubai, part of the UAE, to hack his ex-wife's phone amongst others, claims he denied.
Globally, activists, journalists and politicians were on the list of potential targets, although the Israeli-based company disputed the interpretation of the leaked material.
It was placed on a US Department of Commerce blacklist following the reports last year which restricted its access to US technology.
In response to the latest claims, a spokesperson for the UK government said it did not routinely comment on security matters.
A spokesperson for NSO Group said: "The information raised regarding these allegations are, yet again, false and could not be related to NSO products for technological and contractual reasons.
"NSO continues to be targeted by a number of politically motivated advocacy organizations, like Citizens Labs and Amnesty, to produce inaccurate and unsubstantiated reports based on vague and incomplete information.
"We have repeatedly co-operated with governmental investigations, where credible allegations merit."
The UAE Embassy in London has been approached for comment.