The University of Toronto's Citizen Lab along with Access Now have found the Pegasus spyware developed by the now-sanctioned NSO Group was used to target journalists and non-government organisations operating in El Salvador.
In total, the investigation found 35 individuals were targeted across 37 devices, with Citizen Lab having a high degree of confidence that data was exfiltrated from devices belonging to 16 targets.
"In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections," Citizen Lab said in a blog post.
"We observed extensive targeting using zero-click exploits, however we also identified specific instances in which targets were sent one-click infection links via SMS message."
One of the zero-click exploits was the same iMessage Kismet exploit sold by NSO Group to target Al Jazeera employees, which was patched in iOS 14, and the other was ForcedEntry, which led to Apple notifying users they could have been the target of state-sponsored hacking. Many of the Salvadorian targets received such notifications, Citizen Lab said.
"The Kismet exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage's IMTranscoderAgent process invoking a WebKit instance," Citizen Lab said.
"Additionally, we recovered a copy of the ForcedEntry exploit from one of the phones. The exploit appears to have been fired at a phone with iOS 14.8.1, which is not vulnerable to ForcedEntry. The exploit does not appear to have run on the phone.
"It is unclear why the exploit was fired at a non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit."
Apple is currently suing NSO Group over its use of Pegasus and seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices.
Citizen Lab stopped short of pointing the finger at the El Salvador government and President Nayib Bukele, but said there was a "range of circumstantial evidence pointing to a strong El Salvador government nexus".
Backing up this claim, Citizen Lab said the targets were working on sensitive domestic issues surrounding the government, such as El Faro reporting Bukele's administration was negotiating with leaders of gang MS-13 to reduce homicides in the country, prison privileges. and "long-term pledges tied to the results of congressional elections in 2021".
Citizen Lab also said the operator had a "near-total focus of infections" within the country.
"Through our ongoing Internet scanning and DNS cache probing, we identified a Pegasus operator focusing almost exclusively within El Salvador," Citizen Lab said.
"We first observed this operator in early 2020, though the domain names associated with the operator appear to have been registered as early as November 2019."
Citizen Lab said if Pegasus was sold into El Salvador, it was done despite warning signs that abuse would have take place including: An autocratic-leaning President with a fascination with digital technology; a long history of harassment of independent media and journalists; a climate of insecurity and human rights abuses; poorly regulated police, intelligence, and private security firms; and a lengthy history of corruption, organized crime, state violence, and authoritarianism.
For its part, El Faro reported two-thirds of its staff were hit, which included journalists, administration staff, and board members.
"When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration's negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers' secret negotiations related to the implementation of bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele," the outlet said.
- Apple sues NSO Group over Pegasus spyware
- Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials
- CEO-designate of Pegasus spyware's NSO Group resigns after US sanctions
- Apple releases update fixing NSO spyware vulnerability affecting Macs, iPhones, iPads and Watches
- Commerce Dept sanctions NSO Group, Positive Technologies and more for selling spyware and hacking tools
- Citizen Lab researcher disputes claims from NSO Group after UK court finds UAE ruler used Pegasus to hack ex-wife, lawyers