El Salvador becomes latest target of Pegasus spyware

The Apple logo displayed on a store building in Washington, DC

Multiple cases of the covert Pegasus spyware have been found targeting journalists and activists in El Salvador, a report from Citizen Lab at the University of Toronto has revealed.

A total of 35 cases were confirmed after journalists and members of civil society contacted Citizen Lab to analyse their devices after becoming suspicious of a Pegasus infection, which allows operators to surreptitiously install information-harvesting and remote monitoring tools on targeted iPhones.

Targets included journalists at Salvadoran news outlets El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists.

Fundación DTJ - an NGO promoting transparency in the Salvadoran justice system, Cristosal - a school on human rights, and another unnamed NGO were also successfully targeted by Pegasus, Citizen Lab said.

Developed by Israeli outfit NSO Group, Pegasus has been used to target a number of high-profile journalists, activists, and diplomatic figures in recent years, including prominent journalist and Saudi critic Jamal Khashoggi who was murdered in 2018.

Many of the affected individuals received notifications from Apple on their devices indicating they may have been a victim of a state-sponsored spyware campaign. Apple launched a lawsuit against NSO Group the same day.

The confirmed cases were corroborated by Amnesty International’s Security Lab, an independent analysis group that drew the same conclusions as Citizen Lab.

Uncovering Pegasus

The researchers said attribution is typically difficult in Pegasus cases due to the way the spyware hides key data, but in this case, the analysis revealed one operator operating almost exclusively on El Salvador soil since at least November 2019.

Citizen Lab researchers refer to this individual as TOROGOZ and have connected the operator to an infection attempt against the El Faro news organisation.

"While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely," the Citizen Lab report said. "Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated."

The researchers were unable to attribute the attacks to NSO Group or the El Salvador administration, but found evidence that strongly suggested the operator had ties with the country's government.

The timing of the attacks coincided with moments at which the affected organisations were working on issues with great interest to President Nayib Bukele - perhaps best known in the technology community as the brainchild of El Salvador's volcano-powered Bitcoin city and the decision-maker in adopting Bitcoin as an official national currency in 2021.

TOROGOZ's "near-total focus of infections within El Salvador" was another clue linking the cases to the government, Citizen Lab said, as well as one individual from El Faro being targeted with Pegasus' telltale zero-click FORCEDENTRY exploit which is patched on more recent iOS versions.

NSO Group has consistently denied any wrongdoing and claims Pegasus is a national security tool that is not used for malicious purposes, including state-sponsored espionage. A 2021 investigation found at least ten countries had access to Pegasus and El Salvador was not previously included in that list.

Technical analysis of the attacks

Two zero-click exploit chains were used against the targeted journalists: KISMET and FORCEDENTRY. The latter of these two exploits affects older versions of iOS but was sent to an El Faro journalist's patched iPhone. Citizen Lab said it's unclear why a patched device was targeted with FORCEDENTRY but it may indicate that operators may not always be able to determine the device's iOS version before launching an attack.

RELATED RESOURCE

The secure cloud configuration imperative

The central role of cloud security posture management

FREE DOWNLOAD

KISMET is another exploit chain that requires no user interaction with a device in order to achieve infection. First disclosed in 2020, it too is now patched in more recent versions of iOS but was used in attacks launched between July and December 2020, on devices running iOS versions 13.5.1 to 13.7.

Researchers are only able to extract a forensic artefact from the KISMET exploit chain, rather than the full exploit, but it is thought to utilise .JPG attachments and an old iMessage flaw.

There are also variants of Pegasus available for Android smartphones too, which is "capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber, as well as email clients and browsers," said Jakub Vavra, Mobile Threat Analyst at Avast, speaking to IT Pro.

"The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user's inputs. These features make it a dangerous tool that can be misused to spy on unwitting individuals."

El Salvador media and political landscape

El Salvador has a troubled history tainted with cases of authoritarianism and coups - in addition to organised crime, drug trafficking, and corruption. Civil war ravaged the country in the late 1900s which left a legacy of political and military corruption.

There are plenty of critical news organisations in the region, but journalists face challenges in the form of press freedoms and access to information. The country is often ranked poorly in terms of the level of freedom given to the press - it ranks 82nd for press freedom according to Reporters Without Borders - and there are a number of cases where journalists have been blocked from attending events such as government conferences.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.