
El Salvador becomes latest target of Pegasus spyware

The list of nations with access to Pegasus is growing, with evidence pointing to potential links between 35 confirmed Pegasus cases and the Salvadoran government

The Apple logo displayed on a store building in Washington, DC

Multiple cases of the covert Pegasus spyware have been found targeting journalists and activists in El Salvador, a report from Citizen Lab at the University of Toronto has revealed.

A total of 35 cases were confirmed after journalists and members of civil society contacted Citizen Lab to analyse their devices after becoming suspicious of a Pegasus infection, which allows operators to surreptitiously install information-harvesting and remote monitoring tools on targeted iPhones.

Targets included journalists at Salvadoran news outlets El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists.

Fundación DTJ, an NGO promoting transparency in the Salvadoran justice system; Cristosal, a school on human rights; and another unnamed NGO were also successfully targeted by Pegasus, Citizen Lab said.

Developed by Israeli outfit NSO Group, Pegasus has been used to target a number of high-profile journalists, activists, and diplomatic figures in recent years, including prominent journalist and Saudi critic Jamal Khashoggi who was murdered in 2018.

Many of the affected individuals received notifications from Apple on their devices indicating they may have been a victim of a state-sponsored spyware campaign. Apple launched a lawsuit against NSO Group the same day.

The confirmed cases were corroborated by Amnesty International’s Security Lab, an independent analysis group that drew the same conclusions as Citizen Lab.

Uncovering Pegasus

The researchers said attribution is typically difficult in Pegasus cases because of the way the spyware hides key data, but in this case the analysis revealed one operator working almost exclusively on Salvadoran soil since at least November 2019.

Citizen Lab researchers refer to this operator as TOROGOZ and have connected it to an infection attempt against the El Faro news organisation.

"While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely," the Citizen Lab report said. "Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated."

The researchers were unable to attribute the attacks to NSO Group or the El Salvador administration, but found evidence that strongly suggested the operator had ties with the country's government.

The timing of the attacks coincided with moments at which the affected organisations were working on issues of great interest to President Nayib Bukele, perhaps best known in the technology community as the driving force behind El Salvador's volcano-powered Bitcoin city and the decision-maker in adopting Bitcoin as an official national currency in 2021.

TOROGOZ's "near-total focus of infections within El Salvador" was another clue linking the cases to the government, Citizen Lab said, as well as one individual from El Faro being targeted with Pegasus' telltale zero-click FORCEDENTRY exploit which is patched on more recent iOS versions.

NSO Group has consistently denied any wrongdoing and claims Pegasus is a national security tool that is not used for malicious purposes, including state-sponsored espionage. A 2021 investigation found at least ten countries had access to Pegasus and El Salvador was not previously included in that list.

Technical analysis of the attacks

Two zero-click exploit chains were used against the targeted journalists: KISMET and FORCEDENTRY. The latter affects older versions of iOS but was sent to an El Faro journalist's patched iPhone. Citizen Lab said it is unclear why a patched device was targeted with FORCEDENTRY, but it may indicate that operators are not always able to determine a device's iOS version before launching an attack.


KISMET is another exploit chain that requires no user interaction with a device in order to achieve infection. First disclosed in 2020, it too is patched in more recent versions of iOS, but was used in attacks launched between July and December 2020 against devices running iOS versions 13.5.1 to 13.7.

Researchers have only been able to extract a forensic artefact from the KISMET exploit chain, rather than the full exploit, but it is thought to use .JPG attachments and an old iMessage flaw.
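For a fleet administrator, the practical takeaway from the KISMET and FORCEDENTRY details above is an inventory check: which managed iPhones are still on a build inside a range the report names as exploited, and which sit below whatever baseline the organisation has chosen as "patched". The script below is an added example and is not code from Citizen Lab or from the article; the device inventory is constructed, the 13.5.1 to 13.7 range is the one the article gives for KISMET, and the 14.0 baseline is an illustrative assumption rather than a version the article states.

```python
"""
Flag iOS devices whose version falls inside a known-exploited range.

Added example, not from the Citizen Lab report or the article. It takes a
constructed MDM-style inventory and reports (a) which devices run an iOS
build within the 13.5.1 to 13.7 range the article names for KISMET and
(b) which devices sit below an assumed patched baseline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '13.5.1' into (13, 5, 1); pad so '13.7' compares as (13, 7, 0)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class VulnRange:
    name: str
    low: str   # first affected version, inclusive
    high: str  # last affected version, inclusive

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.low) <= v <= parse_version(self.high)


# Range taken from the article: KISMET was used against iOS 13.5.1 to 13.7.
KISMET_RANGE = VulnRange("KISMET (iOS 13.5.1 to 13.7)", "13.5.1", "13.7")

# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = [
    {"device": "newsroom-ios-01", "os_version": "13.5.1"},
    {"device": "newsroom-ios-02", "os_version": "13.7"},
    {"device": "newsroom-ios-03", "os_version": "14.0"},
    {"device": "newsroom-ios-04", "os_version": "13.4"},
    {"device": "newsroom-ios-05", "os_version": "15.2.1"},
]


def flag_devices(inventory, ranges: Iterable[VulnRange]) -> dict[str, list[str]]:
    """Map each device to the names of the exploited ranges its build falls in."""
    ranges = list(ranges)
    hits: dict[str, list[str]] = {}
    for rec in inventory:
        matched = [r.name for r in ranges if r.contains(rec["os_version"])]
        if matched:
            hits[rec["device"]] = matched
    return hits


def below_baseline(inventory, baseline: str) -> list[str]:
    """Devices running anything older than the chosen baseline build."""
    b = parse_version(baseline)
    return [rec["device"] for rec in inventory
            if parse_version(rec["os_version"]) < b]


if __name__ == "__main__":
    for dev, names in flag_devices(SAMPLE_INVENTORY, [KISMET_RANGE]).items():
        print(f"{dev}: in exploited range {', '.join(names)}")
    # Assumed baseline for illustration only; set it from your own patch policy.
    print("below 14.0 baseline:", below_baseline(SAMPLE_INVENTORY, "14.0"))
```

Note that a device outside every named range is not thereby safe: the article's point about FORCEDENTRY being sent to a patched phone is a reminder that operators do not necessarily respect version boundaries, so the baseline check (everything older than the current release) matters more than any single range.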

Variants of Pegasus also exist for Android smartphones, which are "capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber, as well as email clients and browsers," said Jakub Vavra, Mobile Threat Analyst at Avast, speaking to IT Pro.

"The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user's inputs. These features make it a dangerous tool that can be misused to spy on unwitting individuals."

El Salvador media and political landscape

El Salvador has a troubled history tainted by authoritarianism and coups, in addition to organised crime, drug trafficking, and corruption. Civil war ravaged the country in the late twentieth century and left a legacy of political and military corruption.

There are plenty of critical news organisations in the region, but journalists face challenges to press freedom and access to information. The country is often ranked poorly for the level of freedom given to the press (it ranks 82nd for press freedom according to Reporters Without Borders), and there are a number of cases where journalists have been blocked from attending events such as government conferences.
