‘Jaw-dropping’ targeting: How Pegasus was used against critical journalists in El Salvador
A new report by Citizen Lab and Access Now, shared with Forbidden Stories, shows how investigative journalists at El Faro and GatoEncerrado, two independent media outlets in El Salvador, were repeatedly and aggressively targeted with Pegasus spyware.
By Phineas Rueckert
Reading time: 7m
January 13, 2022
Carlos Martínez thought a call to his brother Óscar on the encrypted messaging app Signal was safe. In July 2020, the investigative journalist was getting ready to publish a major scoop and had called his brother, the editor in chief of independent news outlet El Faro, to discuss new material he had received.
For the past decade, Carlos had reported on criminal gangs operating in El Salvador and their connections to corrupt politicians. Through his reporting, he had uncovered proof that the administration of the newly-elected president of El Salvador, Nayib Bukele, had negotiated with MS-13, one of the most violent gangs in the region, in exchange for political favors.
But an event three days before publication nearly stopped Carlos in his tracks: three days before publication, a colleague of his was sent an audio recording of the private conversation between Carlos and Óscar by a government source. It was the first time Carlos suspected his phone might be tapped.
“It was a conversation that only the two of us were aware of,” he said.
El Faro went ahead and published the piece. But a year and a half later, his suspicions were confirmed: starting sometime between in late June or early July 2020, Carlos’s phone was under near-constant surveillance.
He’s not the only one.
A government suspected to be El Salvador has aggressively and regularly hacked top investigative journalists in that country, according to a new report released Wednesday by digital rights advocacy groups Citizen Lab and Access Now and shared with Forbidden Stories. The report is based on forensic analyses of the phones of journalists mostly working at El Faro and GatoEncerrado, independent media outlets that have come under increasing pressure from the government of President Nayib Bukele.
Citizen Lab and Access Now found that Pegasus was successfully installed on 37 phones between July 2020 and November 2021. In a peer-review, Amnesty International’s Security Lab confirmed the findings.
“What we found is just a jaw-dropping amount of targeting of media organizations and civil society in El Salvador,” said John Scott-Railton, a Senior Researcher at Toronto’s Citizen Lab, which co-authored the report.
“The extensive use of Pegasus to spy on journalists and civil society in general is disproportionate and you can almost say unprecedented,” said Paolo Nigro, Digital Security Helpline Shift Manager at Access Now.
According to the report, more than half of El Faro’s staff was infected with Pegasus, with some journalists’ phones tapped over long periods of time and others on numerous occasions. Hacking often coincided with the outlet’s investigations into government corruption, negotiations with criminal gangs, and mismanagement of Covid-19 relief funds, according to editor in chief Óscar Martínez, who himself was hacked 42 times – the most of any individual journalist on staff.
“This was more than one year of sustained, obsessive targeting of the newsroom using Pegasus,” Martínez told Forbidden Stories. “All areas of the newspaper have been targeted, that is, the administrative staff, editorial staff, management, the board of directors of the newspaper, its commercial team.”
In all, 22 staff members of El Faro were infected with Pegasus.
While the report does not explicitly name the Salvadoran government as the author of the attacks, “all signs point toward one of the most obvious conclusions, which is that the government is involved,” Martínez added.
Contacted by Forbidden Stories, the office of the Salvadoran president and the Salvadoran embassy in Paris did not respond to multiple requests for comment.
After Pegasus Project investigation, Apple strikes back at NSO Group
El Faro journalists first learned that their phones may have been compromised in late November, 2021.
Gabriela Cáceres was working from her home office when she received a message from Apple’s threat notification team around 3 pm on November 23.
“Apple believes you are being targeted by state sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID,” the message read, adding: “The attackers are likely targeting you individually because of who you are or what you do.”
After Cáceres, who was the first to receive the message, other staff members began to see the notification pop up on their devices: Óscar Martínez, Nelson Rauda Zablah, Valeria Guzmán, and so on. In all, 12 journalists from El Faro received the notification, according to a report published later that day by the newspaper’s editorial staff.
“It was like what we had suspected was coming true,” Cáceres said.
At least 28 journalists around the world – including in Bahrain, Ghana, Lebanon, South Africa and Uganda – received a message from Apple’s threat notification team in late November, according to social media posts seen by and testimonies given to Forbidden Stories.
The messages were sent just hours after Apple announced that it had sued Israel-based spyware company NSO Group – which sells its remote phone hacking tool Pegasus to more than 40 governments around the world – in a California court.
“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously,” Apple’s senior vice president of Software Engineering Craig Federighi said in a statement.
Apple’s lawsuit and notifications came months after Forbidden Stories and 16 media organizations, with the technical support of Amnesty International’s Security Lab, published the Pegasus Project, detailing widespread abuse of Pegasus by more than 10 government clients, including in India, Hungary, Mexico and Saudi Arabia. In its press release, the company cited Citizen Lab’s discovery of a new exploit, called FORCEDENTRY, which was used by Pegasus clients to remotely infect mobile devices.
“These notifications from Apple to journalists in El Salvador once again prove that the Pegasus Project revelations were the tip of the iceberg,” said Danna Ingleton, Deputy Director of Amnesty Tech. “With more targets and client countries surfacing we need, more than ever, accountability for these violations and a moratorium on spyware until regulations are in place that protect human rights.”
Contacted by Forbidden Stories, an NSO Group spokesperson wrote in an email: “NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools. The international community should have zero tolerance policy towards such acts, therefore a global regulation is needed.”
Sources familiar with the company told Forbidden Stories that there is “no active system in El Salvador,” adding: “When the company will receive the numbers related to the allegations, it will perform an investigation to determine if a misuse of its system occurred in the past in the country.”
One tool in the authoritarian playbook
Journalists who spoke with Forbidden Stories for this article said that they had long suspected their phones may have been tapped by the government.
Surveillance of journalists at El Faro, Óscar Martínez said, often peaked during key political moments, such as May 1, 2021 when Bukele dismissed the country’s Attorney General and Supreme Court judges, giving him unprecedented control over the three branches of government.
Non-newsroom staff members were targeted extensively after the government opened up an audit against El Faro for potential tax evasion, he added.
In El Salvador, spyware attacks constitute just one form of harassment of the independent press.
Salvadoran journalists and press freedom advocates describe increasingly bold attacks under president Nayib Bukele, who took power in 2019, including physical surveillance of journalists using drones and an attempted car bombing of the El Faro office.
“It seems like the powers that be in El Salvador are just looking for different ways to try to intimidate the journalists there and see which of these strategies seem to be more effective,” said Natalie Southwick, the Latin America and Caribbean program coordinator at the Committee to Protect Journalists. Salvadoran journalists, she added, “have cause for concern about both kinds of more traditional forms of physical surveillance and monitoring and then also some of these newer tools.”
After publishing an investigation into how Covid relief funds were redirected into Bukele’s campaign coffers, Cáceres received numerous rape and death threats online, she told Forbidden Stories. Other journalists at El Faro have reported being monitored by drones and video cameras.
In February 2021, the Interamerican Human Rights Commission put in place protective measures for 34 journalists at El Faro because of “sufficient proof that the personal rights of the staff were at risk.”
According to César Fagoaga, the president of press freedom watchdog APES and an investigative journalist for the past 20 years, El Faro was an obvious target for the Bukele government because of the types of investigations they do.
“I think it’s probably the most important investigative outlet in the country,” he said. “The journalists at El Faro showed how millions of pesos dedicated to pandemic relief are being wasted on other things. Perhaps most critically, they showed how the president has been negotiating with criminal gangs.”
The goal of putting El Faro journalists under surveillance, according to Nelson Rauda Zablah, an investigative reporter at El Faro and a member of the outlet’s leadership team, was simple.
“They want to know who I speak with and where and how I get the information that I get,” he said. “It’s pretty blatant.”
A wide surveillance net
According to the report published today by Citizen Lab and Access Now, Pegasus may have been operated in El Salvador as early as November 2019. Previous reporting by Citizen Lab and others found that El Salvador is also a “likely” customer of Circles, an NSO affiliate based in Bulgaria.
“Clearly, El Salvador is a pretty technical and technologically enabled surveillance power at this point,” Scott-Railton said.
However, exactly how many people were targeted by Pegasus across the country remains unknown, Access Now’s Nigro said, noting: “This is clearly a political use aimed at civil society.”
According to sources who spoke with El Diario de Hoy on a condition of anonymity, the potential target list may have exceeded 500 people, including journalists, opposition politicians, and even a staff member at the US Embassy. Forbidden Stories was unable to independently confirm whether US Embassy staff was targeted by Pegasus.
Despite the widespread interventions into their phones, journalists at El Faro reiterated that they would continue to report on critical issues.
“This confirms a strong fact. There is a huge interest in knowing what investigations this newspaper is doing,” Óscar Martínez said. “And that’s only for one reason: that the journalism that this newspaper is doing is very uncomfortable to a big group of corrupt people in this country.”
The message was reiterated by his brother Carlos. “We believe that in these times, more than ever, journalism is indispensable to carrying out and safeguarding what is left of democracy,” he said. “We’re not intimidated, we’re going to keep doing our jobs.”
Update (January 14, 2022):
In a statement to Reuters on January 11, the Salvadoran government denied the hacking allegations, saying it was “in no way related to Pegasus, nor a client of NSO Group,” and adding that El Salvador “does not have the resources for this type of software.”