“NSO is a software provider, the company does not operate the technology or is privy to the collected data,” NSO Group said in a statement. “The company does not and cannot know who the targets of its customers are, yet implements measures to ensure that these systems are used solely for the authorized uses. NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools.”
The company added, “There is no active system in El Salvador.”
The consortium of organizations that conducted the research also includes Front Line Defenders, University of Toronto’s Citizen Lab, Amnesty International, Fundación Acceso, and SocialTIC. This is the first time Pegasus use has been confirmed in El Salvador, and it is one of the first examples in South and Central America in general. International investigators found in 2017 that the Mexican government was using Pegasus. The group does not attribute the Salvadoran hacking to a specific actor, but notes that NSO Group claims its customers are governments and their law enforcement agencies. Researchers at Citizen Lab found evidence that the campaign operator is focused solely on domestic targets in El Salvador.
“If Mexico was dramatic, this one is jaw-dropping,” says John Scott-Railton, senior researcher at Citizen Lab, “because what we found was this incredibly extensive, pervasive, and aggressive targeting of media in El Salvador. And that targeting is very much paired with other threats against media there.”
AccessNow’s Krapiva points out that the timing of the campaign in El Salvador underscores how hollow NSO Group’s defense of its products has been. In July, for example, Amnesty International and other organizations published extensive findings known as the Pegasus Project, detailing forensic evidence that NSO spyware was being abused by governments worldwide and that Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates among others might be NSO customers. The findings prompted numerous condemnations of the use of Pegasus or other invasive spyware and calls for a moratorium on the use of NSO tools. At the beginning of November when the Salvadoran targeting was still ongoing, the United States Treasury put NSO Group on its entity list.
NSO has faced significant other pushback as well, including lawsuits by Apple and the Meta-owned secure messaging platform WhatsApp.
“NSO says it’s like the car dealer, it just sells the car,” Citizen Lab’s Scott-Railton says. “But in the case of El Salvador, if indeed this was the El Salvador government, you have a pretty good idea of who you’re dealing with. And in general this shows that if you thought that this kind of thing only happened in a dictatorship, Pegasus is the gas on the authoritarian fire.”
NSO Group has reportedly faltered in recent months as the backlash against it grows, but the researchers emphasize that the company is far from the only commodity spyware maker serving rogue clientele.
“This is important,” AccessNow’s Krapiva says. “There needs to be accountability and consequences for the companies that are providing these technologies and the governments that are using them.”
Updated January 13, 2022 at 12:45pm ET to include comment from NSO Group.
More Great WIRED Stories