Hacker using a smartphone showing surveillance by Pegasus spyware

Pegasus Spyware Emerges Again as Journalists “Extensively” Targeted in El Salvador

A new report from watchdog Citizen Labs (with assistance from the Amnesty International Security Lab) documents an extensive campaign involving the Pegasus spyware in El Salvador. “Project Torogoz” reveals the targeting of at least 35 journalists and political activists from June 2020 to November 2021, with most of the country’s major media outlets affected during a period in which there was critical coverage of the policies of the sitting government.

Pegasus spyware found on phones of numerous journalists, with connections to negative press for Bukele administration

The University of Toronto-based watchdog group has been instrumental in revealing the scope of use of Pegasus spyware by authoritarian governments for purposes of repression. The latest case of this appears to come from El Salvador, where the current administration has some documented autocratic tendencies in spite of coming to power in a crusade against corrupt elements in the country’s traditional political parties.

The investigation, which began in September 2021, documents a period of time in which Pegasus spyware was still able to make use of a then-unknown vulnerability in Apple’s iMessage that made it relatively simple to take total surreptitious control of iPhones. However, it also finds a substantial campaign of one-click SMS attacks containing malware links from 2019 to 2021, which may have been initiated prior to the availability of the Apple zero-day attack.

Most of the 35 incidents of journalists having traces of Pegasus spyware on their phones came from newspaper and media outlets in the country that were reporting on a series of stories that cast the Bukele administration in a controversial light, most notably the administration’s “pact” with the notorious MS-13 in which the gang agreed to reduce homicides in return for prison privileges and its electoral support. Members of an office created by the Bukele government were observed repeatedly meeting with incarcerated MS-13 leaders; the gang has tens of thousands of members, more than the count of active troops in the country’s military, and unofficially control portions or even the entirety of some neighborhoods.

The “Torogoz” name was given to a specific threat actor that was highly active in targeting journalists with Pegasus spyware during this period, particularly the digital newspaper El Faro. Founded in 1998, El Faro has over a quarter of a million readers and has a reputation for running anti-authoritarian stories despite remaining relatively politically neutral.

Use of Pegasus spyware in El Salvador mirrors patterns seen in other countries

After campaigning on a platform denouncing the “strong man” dictators that El Salvador’s history has been riddled with, Bukele has shown increasingly authoritarian tendencies of his own since his election in 2019; shortly afterward he authorized the use of the country’s military for law enforcement purposes. He opened 2020 by appearing at the legislative assembly with an assortment of soldiers and armed guards in an attempt to intimidate lawmakers into passing legislation he supported, and has been accused of being behind extrajudicial violence against gang members.

Reporters Without Borders gives the country a relatively poor rating for press freedom, with the administration sometimes barring outlets that provide critical coverage (such as El Faro) from government conferences and engaging in public invectives against them. Some reporters have also been threatened with legal action for refusing to reveal sources.

The media has been the almost exclusive target of the actor named Torogoz, linked to many of the incidents of Pegasus spyware found on phones. Torogoz has been in action since at least early 2020, first sending tainted SMS text messages to targets with links to attack sites before the zero-click approach for iPhones became available. Torogoz was not conclusively linked to the Bukele government with a “smoking gun” piece of evidence, but it is difficult to think of other parties that would invest so much time and effort in tracking a wide range of journalists that work for outfits that have criticized the government.

Of the 35 confirmed Pegasus spyware infections, roughly half were found to have files from their phones exfiltrated; the report says that in several cases “multiple gigabytes” were taken. 22 of these incidents involved El Faro reporters. One journalist, Carlos Martinez, had his phone monitored for 269 days. The threat actor registered at least 244 domain names which were used to send malware to targets.

Pegasus provider NSO Group has refused to comment on whether the government of El Salvador is one of its clients. The scandal is the latest in a similar string for the spyware provider, much of which has been uncovered and documented by Citizen Lab.

Hank Schless, Senior Manager of Security Solutions at Lookout, sees this incident as removing any last shreds of plausible deniability NSO Group might have had about not knowingly providing their product to authoritarian states for the purposes of repression: “Ever since Lookout and the Citizen Lab first discovered Pegasus back in 2016, NSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations … Last year’s exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims. It seems that every couple of months, there’s more evidence mounting against NSO’s claims. This has driven many national governments, including the United States, to impose sanctions on the company. One prominent news editor’s device was found to be infected 42 times with Pegasus, and others were also infected over a dozen times … While Pegasus doesn’t persist on the device through a reboot, its operators will often re-deliver it to the target if they notice that there are no longer signals coming from the device for a particular amount of time. Since delivery and infection can take place without interaction from the user, operators can redeliver the malware over and over with high efficacy as proven in this case.”