As many as 35 journalists and civil society members from El Salvador were infected with NSO Group’s Pegasus spyware between July 2020 and November 2021, according to a joint report released by Citizen Lab and Access Now with the help of Amnesty International’s Security Lab.
The journalists who were allegedly targeted by Pegasus have reported on a controversy about the El Salvador government’s negotiation of a pact with a gang for reduced violence and electoral support, as well as other sensitive issues concerning President Nayib Armando Bukele’s administration.
Citizen Lab was able to conclude that the spyware successfully uploaded data from the targets’ phones to Pegasus infrastructure. “In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully using their mobile data connections,” it added.
Earlier, in July 2021, an international consortium of media organisations revealed that political leaders, journalists, human rights activists, businessmen, military officials, intelligence agency officials, and several others from countries across the world were targeted for surveillance by Pegasus, but there were no confirmed Salvadoran targets named at that time.
Two types of zero-click exploits identified in the Pegasus attacks
Citizen Lab identified the Pegasus targets as employees of media organisations such as El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, and El Diario de Hoy, as well as two independent journalists. It also found that civil society organisations in El Salvador, including Fundación DTJ, Cristosal, and another NGO, were hacked.
While studying the 35 cases, Citizen Lab identified two types of zero-click exploits (exploits that do not require the target to click on any link or download any malicious material to be triggered):
- Kismet: Thirteen of the phones contained the Kismet Factor, which Citizen Lab said is an artifact left behind by the execution of NSO Group’s zero-click Kismet exploit.
We saw this exploit deployed between July and December 2020, and the exploit appears to have been a zero-day exploit [takes advantage of a vulnerability that’s known but not yet patched] against iOS 13.5.1 and 13.7. The KISMET exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage’s IMTranscoderAgent process invoking a WebKit instance — Citizen Lab
- Forcedentry: Citizen Lab also recovered a copy of the Forcedentry exploit which was deployed to a phone with iOS 14.8.1, but could not conclude whether this exploit operated on the phone. “It is unclear why the exploit was fired at non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit,” it added.
244 domain names with single-click exploits also identified
We fingerprinted Pegasus URL shortener websites and identified 244 domain names registered from 2019 through 2021 that appear to have been used by various NSO Group customers to distribute the Pegasus spyware via links. — Citizen Lab
Circumstantial evidence pointing towards El Salvador government
Citizen Lab presented three-fold ‘evidence’ to back its claim of the El Salvador government being behind this attack.
- It said that the time of the targeting of the victims coincided with moments in which those organisations were of interest to the Bukele government.
- Through evidence obtained by network scanning, Citizen Lab discovered TOROGOZ, an operator whose activities are strongly suggestive of a Pegasus customer in El Salvador. NSO has previously admitted that it only sells its products to governments.
- One of the targets at El Faro (Carlos Martínez) was targeted by TOROGOZ in an unsuccessful attempt using the Forcedentry exploit, Citizen Lab added.