Forensic experts say it is "very likely" Salvadoran government spied on phones of journalists

Some entity within El Salvador, using software provided solely to national governments, infected and spied on the cellphones of journalists and civil society activists in the country while those journalists and activists were reporting on and criticizing the actions of the Bukele regime. The greatest number of infected phones belonged to staff of the prominent and award-winning investigative news site El Faro, which has broken a number of stories about corruption in the Bukele regime and its negotiations with leaders of the country's criminal gangs. At this point, all indications point to the Bukele regime as the sponsor of the espionage.

On Wednesday, the results of expert digital forensic analysis of the journalists' phones were released. Suspicious that their phones had been compromised, El Faro went to Citizen Lab, a cybersecurity lab at the University of Toronto, for a digital forensics analysis on all the iPhones in El Faro, teaming with the digital rights organization Access Now.

The Citizen Lab report, which can be reviewed here, concluded: 

We confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSO’s Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International’s Security Lab which independently confirms the findings.

Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO.

The hacking took place while the organizations were reporting on sensitive issues involving the administration of President Bukele, such as a scandal involving the government’s negotiation of a “pact” with the MS-13 gang for a reduction in violence and electoral support.

While evidence linking a particular infection to a particular Pegasus customer is often unavailable, in this case we identified a Pegasus customer operating almost exclusively in El Salvador since at least November 2019 that we call TOROGOZ, and have connected this operator to an infection attempt against El Faro.

Who or what was TOROGOZ? From the Citizen Lab Report:

While there is no conclusive technical evidence that TOROGOZ represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely. Additionally, in the single case of hacking in this investigation in which we recovered the domain names of the Pegasus servers used, the TOROGOZ operator was implicated.

The periodical La Prensa Gráfica has reported that, in addition to one of its journalists who is included in the Citizen Lab report, forensic examinations have confirmed that two additional staff members had phones infected, including Cristian Villalta, its editorial manager.

The Pegasus spyware is produced by an Israeli company, NSO Group. In November, the US government put NSO Group on a blacklist barring it from access to US technology as a result of revelations that its Pegasus software had been used to target journalists and activists around the world.

NSO insists that only governments are provided access to its snooping tools. The company, which says in effect that it only provides the weapons but does not pull the triggers, provided a statement to El Faro which declared:

NSO provides its software only to vetted and legitimate intelligence agencies as well as to law enforcement agencies, who use these systems under warrants by the local judicial system to fight criminals, terrorists and corruption. These systems are sold following a vetting and licensing process by the Israeli MOD [Ministry of Defense].

NSO is a software provider. The company does not operate the technology [n]or is [it] privy to the collected data. The company does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorized uses. While we have not seen the report mentioned in your inquiry, and without confirming or denying specific customers, NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.

Not surprisingly, the Bukele government denied any connection to the spying:

In a statement to Reuters, Bukele's communications office said the government of El Salvador was not a client of NSO Group Technologies, the company that developed Pegasus. It said the administration is investigating the alleged hacking and had information that some top administration officials also might have had their phones infiltrated.

"We have indications that we, government officials, are also victims of attacks," the statement said. 

From CNN:

"The government of El Salvador doesn't have the resources nor the licenses to utilize this type of software," Sofía Medina, Bukele's communication secretary said in a statement. Medina said that the government is not connected to the use of Pegasus software, nor to the company that created it, an Israeli company called NSO Group.

Medina added that in November, she received an alert from Apple -- as did others in the government -- about a possible hack into her cell phone.

"We have indications that members of the government were also victims of these attacks," said Medina, adding that the government is already investigating the use of Pegasus and other systems to hack cell phones in the country.

The El Faro reporters whose phones were infected have been speaking out. 

In Reuters:

El Faro was under constant surveillance during at least 17 months, between June 29, 2020 and November 23, 2021, with the phone of Editor-in-Chief Oscar Martinez infiltrated at least 42 times, Citizen Lab claimed.

"It is hard for me to think or conclude something other than the government of El Salvador" was behind the alleged hacks, Martinez said. "It's evident that there is a radical interest in understanding what El Faro is doing."

In the Washington Post:

Martínez, the news editor, said the journalists had endured two years of government harassment, and many of their relatives had urged them to quit. “People are very stressed,” he said. The reporters tried to meet in-person with sources and use encrypted messaging, but Martínez said the government always seemed to know what they were doing. “Now we have an explanation,” he said. “We were hacked.”

Julia Gavarrete, one of the El Faro reporters, told the Committee to Protect Journalists:

What has become very clear to us is that during the periods when we have been surveilled, El Faro was working on hard-hitting reports into corruption or irregular purchases. There isn’t a single day that the reports showed we had been infected that wasn’t related to something that El Faro published or an ongoing investigation....

It is a stressful burden. Now it’s confirmed, it is not only about protecting our integrity and that of our sources, but also our families, trying to explain what is going on and why they can’t communicate with us “normally.” [Our devices] may still be infected. Anything sensitive that they want to say to me, they can only say in person. This is one of the most significant pressures that I have had to deal with.

I was cautious before, but [now] I am even more extreme to avoid putting sources in danger. But it wears you out day-to-day, and you have to make an even greater effort to be able to produce journalism.

In response to the revelations, a group of 30 media, journalism and press freedom organizations issued a statement demanding that the Bukele regime investigate the events and refrain from its hostile acts towards journalists in the country.

Although El Salvador's government-controlled newspaper Diario El Salvador ran an AFP story in the summer of 2021 when Pegasus software was found on the phone of a dissident activist in the UAE, the paper has not to date had any coverage of the revelations of the spy software infecting the phones of dozens of journalists and others in the country for which the paper is named.

One of the civil society organizations which was spied upon was the Foundation for Democracy, Transparency and Justice (FundacionDTJ). Both its president and executive director had their phones infected with the Pegasus software. FundacionDTJ issued a strong denunciation:

Although the information is not yet definitive, everything leads to the conclusion that espionage with the software Pegasus against these 35 people can only come from a source close to or from the government itself.

The non-judicially authorized use of digital surveillance tools violates human rights such as privacy, freedom of expression and freedom of the press. Furthermore, it goes against the mandate of the international human rights law that obliges states to protect and guarantee human rights of its citizens.

This new attack against civil society and journalism in El Salvador is consistent with the rapid authoritarian advance in the country and with the pattern of intimidation, stigmatization and coercion from the Government against critical voices and against those who expose the abuses of a government that, for now, acts with impunity.

Brian Nichols, Asst. Secretary for Western Hemispheric Affairs in the Biden administration, tweeted:

Reports of the phone hacking of Salvadoran journalists, politicians, and members of civil society are very troubling. We strongly oppose efforts to silence critical voices. Freedom of expression and independent media are essential for any democracy.

In yet another attack against Salvadoran journalists, the WhatsApp account of the Association of Journalists of El Salvador (APES for its initials in Spanish), along with those of various journalists and chat groups, was hacked on Thursday. Today, APES went to the offices of the Attorney General of El Salvador to lodge formal notifications and demands that both the Pegasus software spying and Thursday's hacking of APES be investigated and prosecuted.

The revelations about the Pegasus spy software targeted at Salvadoran journalists do not come out of nowhere. Nayib Bukele has had an antagonistic relationship with the independent press in the country since before he took office. He has disparaged the press, calling it the opposition, and alleged it is beholden to foreign interests. The situation is grave enough that the Inter-American Commission on Human Rights required that the Bukele government take steps to protect journalists at El Faro. There is no evidence it has attempted to comply with that ruling.