The mobile phones of dozens of journalists and activists in El Salvador have been hacked since at least early 2020 and implanted with Israeli-made Pegasus spyware typically available only to governments and law enforcement, according to a new report by a watchdog group.
The University of Toronto’s Citizen Lab said on Wednesday it had identified an operator of the spyware working exclusively in El Salvador and targeting journalists and activists, many of whom were investigating alleged state corruption.
While the researchers could not conclusively determine the hacks came from El Salvador’s government, the report said “the strong country-specific focus of the infections suggests that this is very likely”.
The government of President Nayib Bukele has denied any association with the Pegasus technology and said it is not a client of its maker, Israeli firm NSO Group.
Pegasus technology allows users to steal encrypted messages, photos, contacts, documents and other sensitive information from infected phones without users’ knowledge. It can also reportedly turn handsets into eavesdropping devices by silently activating their cameras and microphones.
Sofia Medina, a spokeswoman for the president, told The Associated Press news agency that the government was investigating the reported hacking. She said that she and at least two other government officials had received alerts from tech company Apple in recent months warning they may have themselves been victims of state-sponsored hacking.
For its part, the NSO Group, which was blacklisted by the United States government last year, says it sells its spyware only to legitimate government law enforcement and intelligence agencies vetted by Israel’s defence ministry.
Citizen Lab conducted a forensic analysis of 37 devices after the owners – members of three human rights groups, six news publications and an independent journalist – suspected they could be the targets of hacking, according to the report.
The investigation was carried out by internet rights group Access Now and reviewed by Amnesty International’s Security Lab.
John Scott-Railton, a senior researcher at Citizen Lab and author of the report, called the “aggressiveness and persistence” of the hacking “jaw-dropping”.
He told AP the hacking was particularly concerning given Bukele’s increasingly hostile approach towards independent media in the country, which the president regularly accuses of publishing falsehoods.
“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador,” Scott-Railton said.
“This is the kind of thing that perhaps wouldn’t surprise you in a dictatorship but at least on paper El Salvador is a democracy,” he said.
Of the organisations targeted, the online news site El Faro was the hardest hit.
Citizen Lab researchers said they found telltale tracks of spyware infections on the mobile phones of 22 reporters, editors and administrative personnel – more than two-thirds of the company’s staff – and evidence that data had been stolen from many of those devices, including a few that had several gigabytes of material extracted.
The report said El Faro was under constant surveillance for at least 17 months – between June 29, 2020 and November 23, 2021 – with Editor-in-Chief Oscar Martinez’s phone infiltrated at least 42 times.
During the time of the purported infiltrations with Pegasus, El Faro reported extensively on scandals involving Bukele’s government, including allegations that he was negotiating a financial deal with the country’s violent street gangs to reduce the homicide rate to boost popular support for his New Ideas party.
Prior to the most recent findings, Citizen Lab had previously uncovered the use of Pegasus to target journalists, human rights defenders, diplomats and dissidents over the past several years. Targets have been from Saudi Arabia, the United Arab Emirates, Mexico and the US.
Apple sued the NSO Group in November, trying to stop its software from compromising its operating systems. Facebook sued the company in 2019, alleging that it was hacking its WhatsApp messenger app.