MEXICO CITY – Dozens of journalists and human rights defenders in El Salvador have had their cell phones repeatedly hacked with sophisticated spyware for the past year and a half, an Internet monitoring agency said Wednesday.
Reporting on its latest findings on the use of Pegasus spyware by Israeli firm NSO Group, the Citizen Lab at the University of Toronto said it had identified a Pegasus operator working almost exclusively in El Salvador in early 2020.
Although investigators were unable to conclusively link the hackers to the government of El Salvador, the report said that “the strong specific focus on country-specific infections suggests that this is very likely.”
Sofia Medina, a spokeswoman for President Nayib Bukele, said in a statement that “El Salvador is in no way associated with Pegasus and is not a client of NSO Group.” He said the government does not have licenses to use this type of software.
The government is investigating the use of Pegasus to hack phones in El Salvador, he said.
Medina said on November 23 she also received an alert from Apple, as did other victims, saying she could be the victim of state-sponsored hacking. He said the Minister of Justice and Security of El Salvador received the same message that day. The Citizen Lab investigation did not include government officials, Medina said.
NSO, which was blacklisted by the U.S. government last year, says it sells its spyware only to legitimate law enforcement and government intelligence agencies examined by the Ministry of Defense. of Israel to use them against terrorists and criminals.
In a statement, NSO said it does not operate the technology once it is delivered to a customer and that it cannot know the goals of its customers. But he said the use of his tools to control activists, dissidents or journalists “is a serious misuse of any technology and goes against the desired use of these critical tools.” He noted that he has terminated several contracts in the past due to misuse of the client.
NSO does not identify its customers. But people familiar with the company said it does not currently have an active system in El Salvador. People, speaking on condition of anonymity because they were talking about the company’s customers, said NSO is trying to get the phone numbers that were tracked and will investigate to see if there was any misuse.
“The company will act with all the measures at its disposal based on the contractual agreements,” the popular ones said.
Bukele, a very popular president, has criticized his critics in El Salvador’s independent press, many of whom were the target of piracy attacks.
Citizen Lab conducted a forensic analysis of 37 devices after owners suspected they could be the targets of piracy. Amnesty International’s Security Laboratory reviewed its investigation into Access Now.
John Scott-Railton, a senior Citizen Lab researcher and author of the report, said that “the aggressiveness and persistence of piracy was mind-boggling.”
“I’ve seen a lot of cases of Pegasus, but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador,” Scott-Railton said.
“This is the kind of thing that may not surprise you in a dictatorship, but at least on paper El Salvador is a democracy,” he said.
Citizen Lab has been identifying victims of Pegasus since 2015, when spyware abuses were discovered against journalists and human rights activists in Mexico and autocratic countries in the Middle East, including Saudi Arabia. Dozens of cases have been uncovered since then, including a dozen U.S. State Department employees in Uganda, British lawyers and a Polish senator who led the opposition parliamentary campaign in 2019.
While Citizen Lab is not to blame for the massive hacking of the Bukele government, Scott-Railton said all circumstantial evidence points in that direction. The victims are found almost exclusively in El Salvador.
The infrastructure used to infect Pegasus victims is global, so the command and control servers that handle surveillance in this case would not be expected to be local.
Twenty-two of them work for the independent news site El Faro, which during the piracy period was working on stories related to the Bukele administration’s alleged deal with street gangs in El Salvador to reduce the homicide rate and support the Bukele party in the media. – term elections in exchange for benefits to gang leaders.
Bukele has vehemently denied any involvement with the gangs. In December, the U.S. Treasury appointed two officials from the Bukele government and alleged, as El Faro had done, that the administration had reached an agreement with the gangs.
Julia Gavarrete, one of El Faro’s journalists whose phone was hacked, said on Wednesday that the software not only allows anyone to listen to all calls, but “enters the device and extracts all the information.”
Carlos Dada, director of El Faro, said that the high point of the interventions on his phones was in September 2020, when El Faro told the story about the alleged negotiations between the Bukele government and the gangs.
“These matches in the end are not so free,” he said. “The highest intensity of telephone interventions against 22 people in El Faro occurred over the months around our most sensitive and most critical publications with the government.”
Carlos Martinez, an El Faro investigative journalist, said the analysis found that hackers spent 269 days inside his phone.
“This is still terrifying,” he said. “It’s hard to process.”
The spyware operator tried to re-enter his phone while it was being analyzed, which allowed investigators to determine that the operator was in El Salvador.
Apple sued NSO in November, trying to prevent its software from compromising its operating systems. Facebook sued the company in 2019, alleging that it was hacking its WhatsApp messaging app.
———
Associated Press writer Christopher Sherman reported this story in Mexico City and AP writer Frank Bajak reported from Boston. Correspondent Josef Federman reported from Jerusalem.
———
An earlier version of this story incorrectly indicated a journalist’s last name. She is Julia Gavarrete, not Navarrete.
