The University of Toronto's Citizen Lab along with Access Now have found the Pegasus spyware developed by the now-sanctioned NSO Group was used to target journalists and non-government organisations operating in El Salvador.
In total, the investigation found 35 individuals were targeted across 37 devices, with Citizen Lab having a high degree of confidence that data was exfiltrated from devices belonging to 16 targets.
"In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections," Citizen Lab said in a blog post.
"We observed extensive targeting using zero-click exploits; however, we also identified specific instances in which targets were sent one-click infection links via SMS message."
One of the zero-click exploits was Kismet, the same iMessage exploit NSO Group's Pegasus had used against Al Jazeera employees, which was patched in iOS 14; the other was ForcedEntry, whose discovery led Apple to notify affected users that they might have been targeted by state-sponsored attackers. Many of the Salvadoran targets received such notifications, Citizen Lab said.
"The Kismet exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage's IMTranscoderAgent process invoking a WebKit instance," Citizen Lab said.
"Additionally, we recovered a copy of the ForcedEntry exploit from one of the phones. The exploit appears to have been fired at a phone with iOS 14.8.1, which is not vulnerable to ForcedEntry. The exploit does not appear to have run on the phone.
"It is unclear why the exploit was fired at a non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit."
Apple is currently suing NSO Group over its use of Pegasus and seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices.
Citizen Lab stopped short of pointing the finger at the El Salvador government and President Nayib Bukele, but said there was a "range of circumstantial evidence pointing to a strong El Salvador government nexus".
"When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration's negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers' secret negotiations related to the implementation of bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele," the outlet said.