Dozens of journalists and human rights defenders in El Salvador have been subjected to “jaw-dropping” phone hacks using the Pegasus spyware allegedly deployed by governments around the world against dissidents, reporters, diplomats and members of the clergy, according to internet security researchers.
Reporting on its latest findings about the use of the Israeli firm NSO Group’s spyware, the University of Toronto’s Citizen Lab said it had identified a Pegasus operator working almost exclusively in El Salvador in early 2020.
Citizen Lab found that 35 journalists and civil society activists had been targeted over a 16-month period that coincided with their investigations into allegations that the government of President Nayib Bukele was negotiating a pact with El Salvador’s street gangs to reduce violence and win their electoral support.
The news comes two months after the Biden administration put NSO Group on a US blacklist after determining the spyware company had acted “contrary to the foreign policy and national security interests of the US”.
Although the researchers could not conclusively link the hacks to Bukele’s government, the report said “the strong country-specific focus of the infections suggests that this is very likely”.
Such suggestions, however, were denied by the Bukele government.
“El Salvador is no way associated with Pegasus and nor is it a client of NSO Group,” said Sofía Medina, a spokeswoman for Bukele.
Bukele has often hit out at his critics in El Salvador’s independent press – many of whom were targeted in the hacking attacks.
The 40-year-old president – who once referred to himself as “the world’s coolest dictator” – made international headlines in February 2020 when he marched soldiers in combat fatigues into congress and told MPs to approve a loan for new security equipment or be summoned back in seven days for another session.
Citizen Lab conducted a forensic analysis of 37 devices and found evidence of incursions on the phones that occurred between July 2020 and November 2021. Their investigation, carried out with Access Now, was reviewed by Amnesty International’s Security Lab.
John Scott-Railton, senior researcher at Citizen Lab and an author of the report, said the “aggressiveness and persistence of the hacking was jaw-dropping”.
He added: “I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador. This is the kind of thing that perhaps wouldn’t surprise you in a dictatorship, but at least on paper El Salvador is a democracy.”
Twenty-two of those targeted work for the independent news site El Faro, which during the period of hacking, was working on stories related to the Bukele administration’s alleged deal-making with El Salvador’s street gangs to lower the homicide rate and to support Bukele’s party in midterm elections in exchange for benefits to gang leaders.
Bukele has vehemently denied there was any negotiation with the gangs. But in December last year, the US government accused his government of secretly negotiating a truce with leaders of the country’s feared MS-13 and Barrio 18 street gangs, and financial sanctions were imposed on two officials from Bukele’s administration.
Carlos Dada, El Faro’s director, said the high point of interventions in their phones was in September 2020, when El Faro broke the story about the alleged negotiations between the government and the gangs.
“These coincidences in the end are not so gratuitous,” he said. “The highest intensity of the telephone interventions against 22 people at El Faro happened in the months around our most sensitive publications and most critical of the government.”
In a statement, NSO said it does not operate the technology once it is given to a client and cannot know the targets of its customers. But it said the use of its tools to monitor activists, dissidents or journalists “is a severe misuse of any technology and goes against the desired use of such critical tools”. It noted that it has terminated multiple contracts in the past due to client misuse.
NSO does not identify its customers. But sources familiar with the company said it did not currently have an active system in El Salvador. The sources, speaking on condition of anonymity because they were discussing the company’s clients, said NSO was trying to obtain the phone numbers that were tracked and will investigate to see if there was any misuse.
“The company will act with all measures at its disposal based on the contractual agreements,” the sources said.
Erika Guevara-Rosas, Amnesty International’s Americas director, said the use of Pegasus in El Salvador had revealed “a new threat to human rights” in the country.
She added: “The authorities must stop any efforts to restrict freedom of expression, and conduct a thorough and impartial investigation to identify those responsible.”
NSO group was placed on the US blacklist three months after a consortium of journalists working with the French non-profit group Forbidden Stories, revealed multiple cases of journalists and activists who were hacked by foreign governments using the spyware, including American citizens.
The Guardian and other members of the consortium also revealed that the mobile numbers of Emmanuel Macron, the French president, and nearly his entire cabinet were contained on a leaked list of individuals who were selected as possible targets of surveillance.
NSO has said that its spyware is used by foreign government clients to target serious criminals. It has also denied that any of its clients ever targeted Macron or any French government officials.