Dozens of journalists and human rights defenders in El Salvador had their cellphones repeatedly hacked with sophisticated spyware over the past year and a half, an internet watchdog said Wednesday.
Reporting on its latest findings about use of the Israeli firm NSO Group’s Pegasus spyware, the University of Toronto’s Citizen Lab said it had identified a Pegasus operator working almost exclusively in El Salvador in early 2020.
While the researchers could not conclusively link the hacks to El Salvador’s government, the report said, “the strong country-specific focus of the infections suggests that this is very likely.”
Sofía Medina, spokesperson for President Nayib Bukele, said in a statement that “El Salvador is no way associated with Pegasus and nor is a client of NSO Group.” She said the government does not have licenses to use this type of software.
The government is investigating the use of Pegasus to hack phones in El Salvador, she said.
Medina said that on Nov. 23 she, too, received an alert from Apple as other victims did saying she might be a victim of state-sponsored hacking. She said El Salvador’s justice and security minister received the same message that day. The Citizen Lab investigation did not include government officials, Medina said.
NSO, which was blacklisted by the U.S. government last year, says it sells its spyware only to legitimate government law enforcement and intelligence agencies vetted by Israel’s Defense Ministry for use against terrorists and criminals.
Bukele, a highly popular president, has railed against his critics in El Salvador’s independent press, many of whom were targeted in the hacking attacks.
Citizen Lab conducted a forensic analysis of 37 devices after the owners suspected they could be the targets of hacking. Their investigation carried out with Access Now was reviewed by Amnesty International’s Security Lab.
John Scott-Railton, senior researcher at Citizen Lab and an author of the report, said the “aggressiveness and persistence of the hacking was jaw-dropping.”
“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador,” Scott-Railton said.
“This is the kind of thing that perhaps wouldn’t surprise you in a dictatorship but at least on paper El Salvador is a democracy,” he said.
Citizen Lab has uncovered the use of Pegasus to target journalists, human rights defenders, diplomats and dissidents during the past several years. Targets have been from Saudi Arabia, the United Arab Emirates, Mexico and the United States.
While Citizen Lab is not blaming the mass hack on the Bukele government, Scott-Railton said all the circumstantial evidence points in that direction. The victims are almost exclusively in El Salvador.
The infrastructure used to infect Pegasus victims is global so the command-and-control servers managing the surveillance in this case would not be expected to be local.
Twenty-two of those targeted work for the independent news site El Faro, which during the period of hacking was working on stories related to the Bukele administration’s alleged deal-making with El Salvador’s street gangs to lower the homicide rate and support Bukele’s party in mid-term elections in exchange for benefits to gang leaders.
Bukele has vehemently denied there was any negotiation with the gangs. In December, the U.S. Treasury designated two officials from Bukele’s government, and alleged as El Faro had that the administration made a deal with the gangs.
Julia Navarrete, one of the El Faro journalists whose phone was hacked, said Wednesday that this software doesn’t just allow someone to listen in all calls, it is “entered in the device and extracts all of the information.”
Carlos Dada, El Faro’s director, said the high point of interventions in their phones was in September 2020, when El Faro broke the story about the alleged negotiations between Bukele’s government and the gangs.
“These coincidences in the end are not so gratuitous,” he said. “The highest intensity of the telephone interventions against 22 people at El Faro happened in the months around our most sensitive publications and most critical of the government.”
Carlos Martínez, an investigative reporter with El Faro, said the analysis found that the hackers spent 269 days inside his phone.
“That doesn’t stop being frightening,” he said. “It’s difficult to process.”
The spyware operator actually tried to enter his phone again while it was being analyzed, allowing investigators to determine that the operator was in El Salvador.
Apple sued NSO in November, trying to stop its software from compromising its operating systems. Facebook sued the company in 2019, alleging that it was hacking its WhatsApp messenger app.