The Israeli spyware developer NSO Group has long claimed plausible deniability when it comes to misuse of its powerful targeted surveillance tools. Yet despite its protestations—and increased scrutiny from tech companies and regulators alike—the abuses continue. The latest revelation comes from El Salvador, where NSO's Pegasus malware was found on 37 devices belonging to 35 journalists and activists as recently as November of last year.
Those findings, jointly published by a consortium of digital rights organizations, show that despite NSO Group's insistence that its products are used to track criminals and terrorists, governments continue to deploy them against innocent targets—and that NSO has done little to rein in its clients.
Twenty-three of the infected devices belong to journalists connected to the Salvadoran news site El Faro. Three other compromised devices belong to people associated with the publication Gato Encerrado. Both have published reporting critical of El Salvador's government and have faced retaliation, like being barred from various government press conferences and, El Faro has said, being subjected to invasive financial audits and accusations of tax evasion. Salvadoran president Nayib Bukele and his administration have been broadly hostile to the media; in early 2021, the Inter-American Commission on Human Rights granted precautionary measures for 34 El Faro journalists thought to be at risk of human rights violations as a result of their work.
Other confirmed targets of the Pegasus hacking spree include devices connected to Salvadoran publications La Prensa Gráfica, Revista Digital Disruptiva, El Diario de Hoy, and El Diario El Mundo, plus those of two independent reporters. The campaign also hit devices linked to local nongovernmental organizations, including Cristosal, Fundación Democracia, and Transparencia y Justicia. Notably, the researchers found that some devices were infected with Pegasus more than 40 times. El Faro said on November 23 that Apple had alerted 12 of its journalists to the possibility that their devices had been targeted with Pegasus spyware. The Association of Journalists of El Salvador announced a day later that a total of 23 journalists from different newsrooms received the same information. Others who received Apple's Pegasus targeting notifications include parliamentarian Jhonny Wright Sol and Héctor Silva, a San Salvador local councilor.
“It was quite shocking, to be honest, given the scale and the persistence of the infections in terms of one person being targeted multiple times,” says Natalia Krapiva, tech legal counsel at Access Now, one of the organizations that investigated the campaign. “The technology gives access to everything you’re doing on your phone, and we've heard NSO say many times that they would take action to implement human rights policies. Governments are also not being transparent about the purchase and use of this spyware. They should be accountable. Surveillance of civil societies with these tools shouldn’t be the norm.”
Pegasus, which NSO has developed for both Apple's iOS mobile operating system and Google's Android OS, can be used to track a victim device's location, exfiltrate data like text messages and emails, activate the microphone and camera, and more.
“NSO is a software provider, the company does not operate the technology or is privy to the collected data,” NSO Group said in a statement. “The company does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorized uses. NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.”
The company added, “There is no active system in El Salvador.”
The consortium of organizations that conducted the research also includes Front Line Defenders, University of Toronto's Citizen Lab, Amnesty International, Fundación Acceso, and SocialTIC. This is the first time Pegasus use has been confirmed in El Salvador, and it is one of the first examples in South and Central America in general. International investigators found in 2017 that the Mexican government was using Pegasus. The group does not attribute the Salvadoran hacking to a specific actor, but notes that NSO Group claims its customers are governments and their law enforcement agencies. Researchers at Citizen Lab found evidence that the campaign operator is focused solely on domestic targets in El Salvador.
“If Mexico was dramatic, this one is jaw-dropping,” says John Scott-Railton, senior researcher at Citizen Lab, “because what we found was this incredibly extensive, pervasive, and aggressive targeting of media in El Salvador. And that targeting is very much paired with other threats against media there.”
AccessNow's Krapiva points out that the timing of the campaign in El Salvador underscores how hollow NSO Group's defense of its products has been. In July, for example, Amnesty International and other organizations published extensive findings known as the Pegasus Project, detailing forensic evidence that NSO spyware was being abused by governments worldwide and that Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates among others might be NSO customers. The findings prompted numerous condemnations of the use of Pegasus or other invasive spyware and calls for a moratorium on the use of NSO tools. At the beginning of November when the Salvadoran targeting was still ongoing, the United States Treasury put NSO Group on its entity list.
NSO has faced significant other pushback as well, including lawsuits by Apple and the Meta-owned secure messaging platform WhatsApp.
“NSO says it’s like the car dealer, it just sells the car,” Citizen Lab's Scott-Railton says. “But in the case of El Salvador, if indeed this was the El Salvador government, you have a pretty good idea of who you're dealing with. And in general this shows that if you thought that this kind of thing only happened in a dictatorship, Pegasus is the gas on the authoritarian fire.”
NSO Group has reportedly faltered in recent months as the backlash against it grows, but the researchers emphasize that the company is far from the only commodity spyware maker serving rogue clientele.
“This is important," AccessNow's Krapiva says. “There needs to be accountability and consequences for the companies that are providing these technologies and the governments that are using them.”
Updated January 13, 2022 at 12:45pm ET to include comment from NSO Group.
- 📩 The latest on tech, science, and more: Get our newsletters!
- Welcome to Miami, where all your memes come true!
- Bitcoin's libertarian streak meets an autocratic regime
- How to start (and keep) a healthy habit
- Natural history, not technology, will dictate our destiny
- Scientists settled family drama using DNA from postcards
- 👁️ Explore AI like never before with our new database
- 💻 Upgrade your work game with our Gear team’s favorite laptops, keyboards, typing alternatives, and noise-canceling headphones
