Mexican journalists targeted by zero-click spyware infections

Mexican journalists and a human rights defender investigating links between extrajudicial killings, drugs cartels, and the Mexican military, were infected with NSO Group’s spyware after being hacked through zero-click attacks, a new investigation has alleged.

The investigation follows a series of eight reports published in 2017 detailing “widespread Pegasus targeting” in Mexico. It suggests such targeting has continued despite repeated commitments by the current president, Andrés Manuel López Obrador, that his government would not use the spyware.

The new cases, which took place between 2019 and 2021, were uncovered by the Mexican digital rights organization R3D (Red en los Defensa de los Derechos Digitales) with technical support provided by the Citizen Lab at Toronto University.

Citizen Lab said that while technical data available doesn’t enable them to attribute the hacking to a particular NSO customer, “each of the victims would be of intense interest to entities within the Mexican government and in some cases, troublingly, to cartels.”

Who was targeted?

The targets included Raymundo Ramos Vázquez, a journalist turned human rights defender who has documented suspected military killings committed by the Mexican Army and Navy. His work contributed substantially to a 330-page report by Mexico’s National Human Rights Commission (CNDH) detailing links between more than two dozen kidnappings and murders and the military.

According to Citizen Lab, forensic indicators collected from Ramos' device show that it was repeatedly infected by the Kismet zero-click exploit around August and September of 2020.

Such exploits are among the most potent an attacker can use as they do not even require the target to interact with a phishing message —simply by sending the maliciously-crafted communication over iMessage the attacker would gain access to the victim’s device.

Ricardo Raphael, a journalist and political analyst, was repeatedly targeted around October and November 2019, and then again in December 2020, according to the investigation. Forensic analysis of his mobile device found he had also been targeted by Pegasus in 2016, having been hacked through the HOMAGE zero-click exploit.

Raphael, who has investigated municipal corruption and the disappearances of school students, was targeted while on a media tour to promote his book describing the military origins of the Los Zetas drugs cartel.

President Trump had announced his intention to legally designate the criminal syndicate a terrorist group but then delayed the move in 2019 on the request of López Obrador.

The identity of the third journalist, who works for the digital news organization Animal Político, was kept anonymous for his personal security. Animal Político has been accused by Mexico's current president of receiving foreign financing to discredit him. Daniel Moreno, the organization’s director, said that the spyware put the entire newsroom at risk.

This journalist’s device was attacked by the FORCEDENTRY zero-click exploit, which was subsequently examined by Google's Project Zero team who described it as "one of the most technically sophisticated exploits we've ever seen."

NSO Group

NSO's offices were raided last year by Israel’s Ministry of Defense after a consortium of international journalists revealed the company had sold its software to oppressive governments across the world to spy on journalists, human rights activists, and political rivals. NSO denied the veracity of those reports.

The company was subsequently sanctioned by the U.S. government on the grounds that its Pegasus spyware was used “to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers” —described as “part of the Biden-Harris Administration’s efforts to put human rights at the center of U.S. foreign policy.” In response, NSO denied operating against American values.

The sanctions, which prohibit U.S. companies such as Microsoft from selling any equipment to NSO, are believed to have had a powerful impact on its operations. There have reportedly been many redundancies at the company and its chief executive and founder Shalev Hulio stepped down earlier this year.

In a statement sent to The Record, NSO denied the veracity of the R3D and Citizen Lab report.

It said that Citizen Lab’s analysis was not independently verified and claimed that the laboratory was “unable to differentiate between NSO’s tools and those of other cyber intelligence companies in operation, including previous reports that were proven to be wrong.”

The statement continued that the only way to verify the accuracy of the Citizen Lab’s assessment was if NSO itself was able to examine the data, and complained that this was not shared with them — alleging this was “so as to report predetermined outcomes that intentionally mislead the public.”

“NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about customers or who they monitor. NSO licenses Pegasus solely to law enforcement and intelligence agencies of sovereign states and government agencies following approval by the Israeli government. When we determine wrongdoing, we terminate contracts,” the statement added.

The spokesperson did not respond to questions about which previous reports were proven to be wrong, or how the company could determine wrongdoing if it has no visibility into how customers use Pegasus.