El Salvador becomes latest target of Pegasus spyware

The list of nations with access to Pegasus is growing, with evidence pointing to potential links between 35 confirmed Pegasus cases and the Salvadoran government


Multiple cases of the covert Pegasus spyware have been found targeting journalists and activists in El Salvador, a report from Citizen Lab at the University of Toronto has revealed.

A total of 35 cases were confirmed after journalists and members of civil society, suspicious that their devices had been infected with Pegasus, contacted Citizen Lab to have them analysed. Pegasus allows operators to surreptitiously install information-harvesting and remote monitoring tools on targeted iPhones.

Targets included journalists at Salvadoran news outlets El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists.

Fundación DTJ (an NGO promoting transparency in the Salvadoran justice system), Cristosal (a school on human rights), and another unnamed NGO were also successfully targeted by Pegasus, Citizen Lab said.

Developed by Israeli outfit NSO Group, Pegasus has been used to target a number of high-profile journalists, activists, and diplomatic figures in recent years, including prominent journalist and Saudi critic Jamal Khashoggi, who was murdered in 2018.

Many of the affected individuals received notifications from Apple on their devices indicating they may have been a victim of a state-sponsored spyware campaign. Apple launched a lawsuit against NSO Group the same day.

The confirmed cases were corroborated by Amnesty International’s Security Lab, an independent analysis group that drew the same conclusions as Citizen Lab.

Uncovering Pegasus

The researchers said attribution is typically difficult in Pegasus cases due to the way the spyware hides key data, but in this case, the analysis revealed one operator that has been active almost exclusively on Salvadoran soil since at least November 2019.

Citizen Lab researchers refer to this individual as TOROGOZ and have connected the operator to an infection attempt against the El Faro news organisation.

"While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely," the Citizen Lab report said. "Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated."

The researchers were unable to attribute the attacks to NSO Group or the El Salvador administration, but found evidence that strongly suggested the operator had ties with the country's government.

The timing of the attacks coincided with moments at which the affected organisations were working on issues of great interest to President Nayib Bukele, perhaps best known in the technology community as the mind behind El Salvador's volcano-powered Bitcoin city and the decision-maker in adopting Bitcoin as an official national currency in 2021.

TOROGOZ's "near-total focus of infections within El Salvador" was another clue linking the cases to the government, Citizen Lab said, as was the targeting of one individual from El Faro with Pegasus' telltale zero-click FORCEDENTRY exploit, which is patched on more recent iOS versions.

NSO Group has consistently denied any wrongdoing and claims Pegasus is a national security tool that is not used for malicious purposes, including state-sponsored espionage. A 2021 investigation found at least ten countries had access to Pegasus and El Salvador was not previously included in that list.

Technical analysis of the attacks

Two zero-click exploit chains were used against the targeted journalists: KISMET and FORCEDENTRY. The latter affects older versions of iOS but was sent to an El Faro journalist's patched iPhone. Citizen Lab said it's unclear why a patched device was targeted with FORCEDENTRY, but it may indicate that operators are not always able to determine the device's iOS version before launching an attack.


KISMET is another exploit chain that requires no user interaction with a device in order to achieve infection. First disclosed in 2020, it too is now patched in more recent versions of iOS but was used in attacks launched between July and December 2020, on devices running iOS versions 13.5.1 to 13.7.

Researchers have only been able to extract a forensic artefact from the KISMET exploit chain, rather than the full exploit, but it is thought to utilise .JPG attachments and an old iMessage flaw.

There are also variants of Pegasus available for Android smartphones, which are "capable of extracting data from popular messengers such as WhatsApp, Facebook, and Viber, as well as email clients and browsers," said Jakub Vavra, Mobile Threat Analyst at Avast, speaking to IT Pro.

"The spyware is capable of remote surveillance through microphone and camera as well as taking screenshots of the user’s screen and keylogging the user's inputs. These features make it a dangerous tool that can be misused to spy on unwitting individuals."

El Salvador media and political landscape

El Salvador has a troubled history tainted with cases of authoritarianism and coups, in addition to organised crime, drug trafficking, and corruption. Civil war ravaged the country in the late 1900s, leaving a legacy of political and military corruption.

There are plenty of critical news organisations in the region, but journalists face challenges around press freedom and access to information. The country is often ranked poorly in terms of the level of freedom given to the press (it ranks 82nd for press freedom according to Reporters Without Borders), and there are a number of cases where journalists have been blocked from attending events such as government conferences.
