Medina said that on Nov. 23 she, too, received an alert from Apple as other victims did saying she might be a victim of state-sponsored hacking. She said El Salvador’s justice and security minister received the same message that day. The Citizen Lab investigation did not include government officials, Medina said.
NSO, which was blacklisted by the U.S. government last year, says it sells its spyware only to legitimate government law enforcement and intelligence agencies vetted by Israel’s Defense Ministry for use against terrorists and criminals.
In a statement, NSO said it does not operate the technology once it is given to a client and cannot know the targets of its customers. But it said the use of its tools to monitor activists, dissidents or journalists “is a severe misuse of any technology and goes against the desired use of such critical tools.” It noted that it has terminated multiple contracts in the past due to client misuse.
NSO does not identify its customers. But people familiar with the company said it does not currently have an active system in El Salvador. The people, speaking on condition of anonymity because they were discussing the company's clients, said NSO is trying to obtain the phone numbers that were tracked and will investigate to see if there was any misuse.
“The company will act with all measures at its disposal based on the contractual agreements,” the people said.
Bukele, a highly popular president, has railed against his critics in El Salvador’s independent press, many of whom were targeted in the hacking attacks.
Citizen Lab conducted a forensic analysis of 37 devices after the owners suspected they could be the targets of hacking. Their investigation carried out with Access Now was reviewed by Amnesty International’s Security Lab.
John Scott-Railton, senior researcher at Citizen Lab and an author of the report, said the “aggressiveness and persistence of the hacking was jaw-dropping.”
“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador,” Scott-Railton said.
“This is the kind of thing that perhaps wouldn’t surprise you in a dictatorship but at least on paper El Salvador is a democracy,” he said.
Citizen Lab has been identifying Pegasus victims since 2015, when abuses of the spyware against journalists and human rights activists were discovered in Mexico and autocratic Middle Eastern countries including Saudi Arabia. Dozens of cases have since been uncovered, including of a dozen U.S. State Department employees in Uganda, British lawyers and a Polish senator who led the opposition’s 2019 parliamentary campaign.
While Citizen Lab is not blaming the mass hack on the Bukele government, Scott-Railton said all the circumstantial evidence points in that direction. The victims are almost exclusively in El Salvador.
The infrastructure used to infect Pegasus victims is global so the command-and-control servers managing the surveillance in this case would not be expected to be local.
Twenty-two of those targeted work for the independent news site El Faro, which during the period of hacking was working on stories related to the Bukele administration’s alleged deal-making with El Salvador’s street gangs to lower the homicide rate and support Bukele’s party in mid-term elections in exchange for benefits to gang leaders.
Bukele has vehemently denied there was any negotiation with the gangs. In December, the U.S. Treasury designated two officials from Bukele’s government, and alleged as El Faro had that the administration made a deal with the gangs.
Julia Gavarrete, one of the El Faro journalists whose phone was hacked, said Wednesday that this software doesn't just allow someone to listen in all calls, it is “entered in the device and extracts all of the information.”
Carlos Dada, El Faro's director, said the high point of interventions in their phones was in September 2020, when El Faro broke the story about the alleged negotiations between Bukele's government and the gangs.
“These coincidences in the end are not so gratuitous,” he said. “The highest intensity of the telephone interventions against 22 people at El Faro happened in the months around our most sensitive publications and most critical of the government.”
Carlos Martínez, an investigative reporter with El Faro, said the analysis found that the hackers spent 269 days inside his phone.
“That doesn't stop being frightening,” he said. “It's difficult to process.”
The spyware operator actually tried to enter his phone again while it was being analyzed, allowing investigators to determine that the operator was in El Salvador.
Apple sued NSO in November, trying to stop its software from compromising its operating systems. Facebook sued the company in 2019, alleging that it was hacking its WhatsApp messenger app.
Associated Press writer Christopher Sherman reported this story in Mexico City and AP writer Frank Bajak reported from Boston. Correspondent Josef Federman reported from Jerusalem.
An earlier version of this story incorrectly stated the last name of a reporter. She is Julia Gavarrete, not Navarrete.