An Israeli company’s software has been used to infiltrate mobile devices held by human rights lawyers, journalists and activists fighting government corruption in Mexico, according to a report published in the New York Times on Monday.
The highly advanced software, known as Pegasus, is only sold to governments by the Israeli firm NSO Group on condition that the cyber technology be used in anti-terror or anti-criminal intelligence efforts. The company is known for its cyber expertise and, according to the report, “charges $650,000 on top of a flat $500,000 installation fee,” to spy on 10 iPhone holders.
The NSO Group has also run operations under different names like OSY Technologies, which paid former U.S. national security adviser Michael Flynn over $40,000 as an advisory board member for nearly a year, until last January.
According to the New York Times, “at least three Mexican federal agencies have purchased about $80 million worth of spyware” from the Israeli company, and have used it to fully monitor and control mobile activity, including calls, texts, emails, contacts, calendars, microphones and cameras, against civilians critical of the government, most likely without the proper legal permits from a federal judge.
“Mexican security agencies wouldn’t ask for a court order because they know they wouldn’t get one,” Eduardo Guerrero, formerly an analyst in Mexico’s intelligence agency, told the New York Times. “There, of course, is no basis for that intervention, but that is beside the point. No one in Mexico ever asks permission to do so.”
The report detailed the stories of two of Mexico’s most widely known journalists, a prominent academic figure drafting anti-corruption legislation and others formerly or currently involved in activities critical of government actions or policies. Cyber experts identified them as having been targeted by the malicious software by way of false links and highly personalized text messages meant to entice the targets to click and unwittingly allow Pegasus free flight through their devices.
The Mexican government told the New York Times it “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person with prior judicial authorization,” but the NSO Group considers it highly unlikely that anyone outside the government could make use of the technology. The New York Times report also briefly suggested the possibility that a rogue entity within the government was able to utilize the software.
While odds suggest that sources from within the government must be responsible for the hacks, the report noted that there was no direct proof to this effect, and that the NSO Group itself has little control over governments’ use of the technology after a sale is complete.
“When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” the report quoted a mobile security expert as saying.
The NSO Group absolves itself from responsibility, saying it takes governments’ human rights records into careful consideration before selling them the software. According to the report, after completing a sale, “the company’s only recourse is to slowly cut off a government’s access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.”
The revelations in Mexico, however, aren’t the first time the NSO Group has been identified as the source of malicious software used to spy on human rights activists and other civilians, most likely by their governmental clients. In August 2016, researchers in the U.S. claimed that the firm’s technology was used against a political dissident in the United Arab Emirates, a journalist in Mexico and a minority party politician in Kenya.
At the time, the software was the first-known technology that was capable of remotely taking over a fully up-to-date iPhone 6. Apple issued a patch to fix the vulnerability exploited by that version of Pegasus.