By Sarah Kinosian
SAN SALVADOR, Jan 12 (Reuters) - The cell phones of nearly three dozen journalists and activists in El Salvador, several of whom were investigating alleged state corruption, have been hacked since mid-2020 and implanted with sophisticated spyware typically available only to governments and law enforcement, a Canadian research institute said it has found.
The alleged hacks, which came amid an increasingly hostile environment in El Salvador for media and rights organizations under populist President Nayib Bukele, were discovered late last year by The Citizen Lab, which studies spyware at the University of Toronto's Munk School of Global Affairs. Human-rights group Amnesty International, which collaborated with Citizen Lab on the investigation, says it later confirmed a sample of Citizen Lab's findings through its own technology arm.
Citizen Lab said it found evidence of incursions on the phones that occurred between July 2020 and November 2021. It said it could not identify who was responsible for deploying the Israeli-designed spyware. Known as Pegasus, the software has been purchased by state actors worldwide, some of whom have used the tool to surveil journalists.
In the El Salvador attack, the heavy focus on editors, reporters and activists working inside that single Central American country points to a local customer with a particular interest in their activities, said Scott-Railton, a senior researcher at Citizen Lab.
"I can't think of a case where near-exclusive Pegasus targeting in one country didn't wind up being a user in that country," Scott-Railton said.
Citizen Lab released a report https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware on its findings on Wednesday.
In a statement to Reuters, Bukele's communications office said the government of El Salvador was not a client of NSO Group Technologies, the company that developed Pegasus. It said the administration is investigating the alleged hacking and had information that some top administration officials also might have had their phones infiltrated.
"We have indications that we, government officials, are also victims of attacks," the statement said.
Pegasus allows users to steal encrypted messages, photos, contacts, documents and other sensitive information from infected phones without users' knowledge. It can also turn handsets into eavesdropping devices by silently activating their cameras and microphones, according to product manuals reviewed by Reuters.
NSO, which has long kept its client list confidential, declined to comment on whether El Salvador was a Pegasus customer. The company said in a statement that it sells its products only to "vetted and legitimate" intelligence and law enforcement agencies to fight crime and that it is not involved in surveillance operations. NSO said it has a "zero-tolerance" policy for misuse of its spyware for activities such as monitoring dissidents, activists and journalists and that it has terminated contracts of some customers who have done so.
Citizen Lab researchers said they began a forensic analysis of the El Salvador phones in September after being contacted by two journalists there who suspected their devices might be compromised.
Researchers said they ultimately found evidence that spyware had been planted on a total of 37 devices belonging to three human-rights groups, six news publications and an independent journalist.
Hardest hit was the online news site El Faro. Citizen Lab researchers said they found telltale tracks of spyware infections on the cell phones of 22 reporters, editors and administrative personnel - more than two-thirds of the company's staff - and evidence that data had been stolen from many of those devices, including a few that had several gigabytes of material extracted.
El Faro was under constant surveillance during at least 17 months, between June 29, 2020 and November 23, 2021, with the phone of Editor-in-Chief Oscar Martinez infiltrated at least 42 times, Citizen Lab claimed.
"It is hard for me to think or conclude something other than the government of El Salvador" was behind the alleged hacks, Martinez said. "It's evident that there is a radical interest in understanding what El Faro is doing."
During the time of the purported infiltrations with Pegasus, El Faro reported extensively on scandals involving Bukele's government, including allegations that he was negotiating a financial deal with El Salvador's violent street gangs to reduce the homicide rate to boost popular support for the president's New Ideas party.
Bukele, who spars frequently with the press, publicly condemned El Faro's reporting on those purported talks as "ridiculous" and "false information" in a September 3, 2020 Twitter post.
Phone snooping isn't new to El Salvador, according to Citizen Lab. It alleged in a 2020 report https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles that El Salvador was among at least 25 countries using a bulk surveillance technology made by an Israeli company called Circles. The Circles technology differs from Pegasus in that it vacuums up data from the global phone network instead of planting spyware on specific devices. The report claimed the Circles system had been in operation in El Salvador since 2017.
Circles could not immediately be reached for comment.
Sofia Medina, Bukele's communications secretary, noted that his administration was not in power in 2017 and claimed, without providing evidence, that the alleged Pegasus attacks appeared to be a continuation of surveillance launched by an unknown "powerful group."
Citizen Lab's latest investigation in El Salvador was conducted as a collaboration with digital-rights group Access Now, with investigative assistance from human-rights groups Frontline Defenders, SocialTIC and Fundacion Acceso. (Reporting by Sarah Kinosian; additional reporting by Chris Bing; editing by Marla Dickerson)
Our Standards: The Thomson Reuters Trust Principles.