Mexico’s government appears to have been using advanced spyware created for criminal investigations to target some of the country’s most prominent journalists, lawyers and anti-corruption activists.
The software — called Pegasus — was reportedly created by Israeli cyberarms manufacturer NSO Group and sold to Mexican federal agencies under the condition that it be used to track terrorists and investigate criminals.
But according to a report released on Monday by the Citizen Lab, based at the Munk School of Global Affairs at the University of Toronto, the Mexican government has been using Pegasus to spy on its critics.
“The targets share a basic connection: they have been involved in investigating or working on reports of high-level official corruption, or government involvement in human rights abuses,” the report reads. “The infection attempts often coincided with work on specific high-profile investigations and sensitive issues between January 2015 and August 2016.”
More than 10 individuals were targeted with phishing SMS messages containing “troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats,” according to the report.
For example, in August 2015, Carlos Loret de Mola, a journalist and on-air personality for the Mexican national television channel Televisa, received the following SMS message, accompanied by a link:
USEMBASSY.GOV/ DETECTAMOS UN PROBLEMA CON TU VISA POR FAVOR ACUDE PRONTAMENTE A LA EMBAJADA. VER DETALLES: [exploit link]
USEMBASSY.GOV/ WE DETECTED A PROBLEM WITH YOUR VISA PLEASE GO PROMPTLY TO THE EMBASSY. SEE DETAILS [exploit link]
“If you click on the link, it downloads a software ... that basically takes over your phone,” said The New York Times' Mexico bureau chief, Azam Ahmed, who co-wrote a story, also released Monday, with details about several of the 12 people targeted. “[The software] can turn on your microphone and listen to your conversations, it can turn on your video camera and film you. Encrypted messages mean nothing … so, it kind of turns your phone into a bug.”
Among the most notable of the attacks are those involving Carmen Aristegui, a prominent Mexican journalist whose work has been critical of the government. After repeated failed phishing attacks, the software was used to target her son — a minor who was attending school in the United States at the time.
“It is noteworthy in this regard that while in the United States, the minor child Emilio Aristegui received SMS messages purporting to be from the US Embassy,” Ronald Deibert, director of the Citizen Lab, wrote in a blog post on Monday. “Impersonating the US government is a violation of the US criminal code, and the targeting may very well constitute a violation of the US Wiretap Act. At the very least, it is a violation of diplomatic norms.”
It’s not clear if and how US officials will respond to these reports, which also detail an attack against at least one US citizen.
“My guess is it’s not going to become a large public confrontation, but there will potentially be a response from the American government once they can bring everybody at the same table to ask the Mexican government about this,” Ahmed said.
Mexican government officials have denied reports of gathering intelligence illegally.
“As in any democratic government, to combat crime and threats against national security, the Mexican government carries out intelligence operations,” the government said in a statement to the Times, adding that it “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”
Complicating the issue further is the lack of a regulatory body overseeing cyberarms companies and their products.
“There is no global body that looks at how these cyberweapons are sold to governments, what governments do with it. In particular with this software ... the [manufacturer] NSO can’t even police it,” Ahmed said. “They have to rely on the government they’ve sold it to, to conduct an internal investigation, and then turn those findings over to the NSO Group. And if you’re the kind of government that is going to misuse the software, the likelihood of you doing a robust internal investigation and then telling on yourself is even lower.”