The Pegasus malware built by the now-sanctioned NSO Group was used to target journalists and non-government organizations working in El Salvador, according to the Citizen Lab at the University of Toronto and Access Now.
The research discovered 35 people were targeted across 37 devices, with Citizen Lab having high confidence that data was exfiltrated from 16 of the targets’ devices.
“Pegasus seems to have successfully exfiltrated numerous gigabytes of data from target phones utilizing their mobile data connections in some situations,” Citizen Lab said in a blog post.
“We observed substantial targeting utilizing zero-click vulnerabilities, yet we also detected particular cases in which targets were provided one-click infection URLs through SMS message.”
One of the zero-click exploits was Kismet, the same iMessage attack that NSO Group supplied to target Al Jazeera staff, which was fixed in iOS 14. The other was ForcedEntry, which led to Apple warning consumers they might have been the target of state-sponsored hacking. According to Citizen Lab, several of the Salvadorian targets got similar notices.
“The Kismet vulnerability has not yet been publicly recorded and studied,” Citizen Lab claimed. “However, it seems to require the usage of JPEG files, as well as iMessage’s IMTranscoderAgent process activating a WebKit instance.”
“We also found a copy of the ForcedEntry exploit on one of the phones,” says the report. The attack seems to have been launched on a phone running iOS 14.8.1, which is not affected by ForcedEntry. On the phone, the exploit does not seem to have worked.
“It’s unclear why the attack was targeted at a non-vulnerable iOS version, while NSO operators may not always be able to establish the exact iOS version utilised by the target before launching an exploit.”
Apple is suing NSO Group for using Pegasus and is seeking a permanent injunction prohibiting NSO Group from utilising any Apple software, services, or devices.
Citizen Lab stopped short of accusing El Salvador’s government and President Nayib Bukele of collusion, but did say there was “a spectrum of circumstantial evidence pointing to a significant El Salvador government link.”
According to Citizen Lab, the targets were working on sensitive internal matters involving the government, such as El Faro revealing that Bukele’s administration was talking with MS-13 leaders to decrease killings in the nation, as well as jail privileges and, in the report’s words, “long-term commitments related to the outcome of legislative elections in 2021.”
The operator had a “near-total focus of infections” inside the nation, according to Citizen Lab.
“We found a Pegasus operator focused almost solely inside El Salvador via our continuing Internet scanning and DNS cache probing,” Citizen Lab added.
“Though the domain names linked with the operator seem to have been registered as early as November 2019, we first saw this operator in early 2020.”
If Pegasus was sold into El Salvador, Citizen Lab claims it was done despite warning signs of abuse, including: an autocratic-leaning President with a fascination with digital technology; a long history of harassment of independent media and journalists; a climate of insecurity and human rights abuses; poorly regulated police, intelligence, and private security firms; and a long history of corruption, organised crime, state violence, and authoritarianism.
El Faro, for its part, said that two-thirds of its employees were affected, including journalists, administrative workers, and board members.
“At the time of the hacks, the journalists were working on investigations into the Bukele administration’s dealings with gangs, the director of prisons’ and his mother’s theft of pandemic-related food aid, the Bukele brothers’ secret negotiations related to the implementation of bitcoin, the current government’s financial holdings, the government’s pandemic response, or a profile of President Nayib Bukele,” the outlet said.
El Salvador made bitcoin legal tender in 2021, and Bukele declared in November that he wants to build a volcano-powered Bitcoin City.