Spying on Mexican journalists: investigating the lucrative market of cyber-surveillance
Despite repeated scandals, the global cyber-surveillance industry continues to supply Mexico with more and more invasive technologies, assisted by well-connected intermediaries. Multiple journalists have been targeted by these tools, but Mexican authorities remain unconcerned. Veracruz, the state with the highest count of murdered journalists, including Regina Martínez, even used a sophisticated espionage unit to monitor journalists.
It was a message that almost went unnoticed. But behind the message hid a state-of-the-art surveillance operation. Or at least that was the intention. In the spring of 2016, Mexican journalist Jorge Carrasco was wrapping up a months-long investigation of the Panama Papers for Proceso magazine. When his research into Mexican customers led him to the notorious Panamanian business firm Mossack Fonseca, he received a text message from an unknown number: “Hello Jorge. I am sharing this memo that Animal Politico published today. I think it’s important to reshare.” The message came with a link. “Who is this?” Carrasco texted back. The sender never responded.
Hidden behind this mysterious message was an attempt to gain access to Carrasco’s phone using Pegasus spyware, which the Israeli company NSO Group sells to multiple governmental clients in Mexico. This discovery is the result of a technical analysis conducted by Amnesty International’s team of digital security specialists in collaboration with Forbidden Stories. When clicked, the link installs invisible software that siphons off all of the phone’s data, including text messages. It also enables the microphone and camera to be activated remotely—a formidable threat for a journalist.
“I noted the message at the time, but I receive a lot of these kinds of messages,” remembered Carrasco, who is now editor-in-chief at Proceso magazine.
“The message that we recovered was likely part of an ongoing campaign that was happening in Mexico throughout that particular period of time,” said Claudio Guarnieri of Amnesty Security Lab. At the time, the software was widely used by clients in Mexico. According to Amnesty, the phone number that targeted Jorge Carrasco was the same number used to send multiple text messages containing malicious links to Carmen Aristegui, one of the most well-known investigative journalists in Mexico. The domain name behind the link was also used in 2017 with the same software to target supporters of a soda tax.
“The targeting was not only extensive, but it was often done in a fairly reckless way with alarming and upsetting messages used to try to speed the malware targets into clicking,” explained John Scott-Railton of Citizen Lab, an organization that has spent several years investigating attacks that employ Pegasus software.
Jorge Carrasco joins a list of nine journalists in Mexico whose phones showed evidence of a Pegasus spyware attack. In the past decade, Mexico has been a major importer of surveillance technologies, despite repeated scandals surrounding the use of these tools against journalists and activists. And despite the government’s promises, no measures have been implemented to regulate these tools. No previous operators have been brought to justice, and the country continues to import invasive tools from foreign companies.
The appeal of Israeli technology
According to a high-ranking official at the U.S. Drug Enforcement Administration (DEA), approximately 20 private spyware companies have sold software to Mexican federal and state police departments. “It seems that almost every tech out there at some point has either been pitched to Mexico, demoed there or perhaps used there when it comes to many of the major companies that sell this stuff,” said Scott-Railton.
Israeli technologies in particular have a good reputation with Mexican officials. “In Mexico, it’s typical for the security and intelligence community to think that Israel has the most advanced technologies and the best techniques for civilian and military training,” said Paloma Mendoza Cortés, analyst and consultant on national security issues.
Mexico was for a long time one of NSO Group’s biggest clients. After an initial contract signed with the Secretary of National Defense, the Israeli company cemented its place in the market in 2014 by signing a $32 million contract with the Attorney General’s office. Emails from NSO’s competitor, the Italian company Hacking Team, which were hacked and widely circulated in 2015, revealed the growing power of NSO during this period. For the Italian sellers, the challenge was “debunking the NSO myth.” Mexican clients were obsessed with this technology that promised to turn over complete access to the contents of their targets’ cell phones.
According to security expert Gadi Evron, Israeli companies offer a set of tools that range from accessing software vulnerabilities to a turnkey service where a customer simply provides a phone number or email address and receives all information necessary on a target.
NSO has established itself as the market leader. “We’re a complete ghost,” cofounder Omri Lavie bragged in 2013. “We’re totally transparent to the target, and we leave no traces.” The company’s flagship solution, Pegasus, infects targeted cell phones through malicious text messages, like the one received by Jorge Carrasco. But in 2018, the company started looking for more discreet modes of infection. “SMS messages are very visible and leave behind a significant trace which has been used again and again in investigations to confirm targeting such as this one,” explained Claudio Guarnieri. In 2019, it was revealed that the Israeli company was using a flaw in the messaging platform WhatsApp. Today, no user action is needed thanks to nearly invisible redirects of internet traffic. Once an attack is successful, the customer can view everything on the targeted phone.
“It’s my belief that problems with abuses have probably gone up around the world, but it’s harder to find them,” said John Scott-Railton. “As NSO and others are moving towards selling ‘zero-click’ technologies that don’t rely on a text message, we’re certainly in a more difficult situation in terms of investigating it.”
The powerful tool, intended to combat terrorism and organized crime, can be very dangerous if used against journalists, dissidents, or activists. “Because of the development of the technology, in many places they are able to identify the next Nelson Mandela before he even knows he is the next Nelson Mandela,” said Eitay Mack, an Israeli human rights lawyer. Yet it is difficult to make the general public aware of this type of threat. “Most of the people, if you show them a picture of a gun, they’ll think that this is the symbol of something bad, something dangerous,” Mack explained. “But if you’re talking about a surveillance system, it’s something that is harder to understand…something that you cannot see.”
In written answers to Forbidden Stories, NSO Group claimed to “fully investigate any credible claim of misuse, which includes assertions that [their] technology was used for any purpose other than legally preventing and investigating legitimate cases of terror and other serious crimes.”
From the perspective of Israeli authorities, even repeated denunciations of using Pegasus against civilians do not justify sanctioning NSO Group, which continues to get its export license renewed. “The fact that there were journalists and activists targeted with Pegasus, for the Israeli government that’s just a basic fact of life,” said Mack. “Each licensing assessment is made in light of various considerations including the security clearance of the product and assessment of the country toward which the product will be marketed,” a spokesperson from the Israel Ministry of Defense told Forbidden Stories. “Human rights, policy and security issues are all taken into consideration.”
According to a former employee of Hacking Team, the cyber-surveillance industry was first created to fight organized crime, but its mission and its customers changed over time. This was the case for the Italian company. “Agencies started to equip themselves to run those operations by themselves,” the ex-employee explained. “So they go to a different customer segment, governments that don’t have tools. Gradually there were more and more operations that were really borderline. Eventually, towards the end, most of the operations were on that side of the spectrum.” When contacted by Forbidden Stories, the former director of Hacking Team, David Vincenzetti, declined to answer our questions.
Countries like Mexico insist they need to equip themselves against powerful organized crime groups. “We have seen a narrative that has reduced the security issues in Mexico and the violence related to organized crime as an excuse, as a selling point to spend large sums of money in acquiring technology allegedly to be used under this context,” explained Luis Fernando García, director of R3D, a digital rights organization. “Even though, as we know in Mexico, the line between organized crime and the government is nonexistent or frequently very blurry.”
Governors colluding with cartels
This is particularly true at the state level, where officials sometimes have connections to cartels operating in their region. But Mexico’s state system is exactly what attracts cyber-surveillance companies. These companies can sell technologies reserved for public authorities to multiple clients.
This strategy works well. Impressed by Hacking Team’s Remote Control System (RCS), which infects computers through malicious files, Tomás Zerón, chief director of the Criminal Investigation Agency (AIC) at the prosecutor’s office, became the ambassador for RCS in Mexican states. “His idea is, step by step and if it is getting success, install an RCS on each [local prosecutor] of the country,” wrote a Hacking Team employee in an email in 2014.
Beyond the prosecutor’s office, local executive governments, and even a public company, Pemex, acquired the RCS software. “They don’t have these powers under the Constitution to do the interception of communications, but they have acquired tools that allow them to do just that,” explained Fernando García. According to Paloma Mendoza Cortés, the security analyst, legal confusion arises due to a lack of adequate legislation and clear security definitions.
The identities of end-users are not always clear to cyber-surveillance companies themselves. For example, for several months in 2011, a Mexican intermediary, DTXT Corp., kept RCS software instead of giving it to the federal police, who were the presumed customers. Hacking Team employees asked repeatedly for the signed end-user license agreement to be returned, but without success. One year later, an employee wrote in a general note that “it seems like it [is] a common thing in Mexico.”
In the state of Puebla, employees from Hacking Team told of a particularly suspicious installation. “They were deploying the solution to customers. They were brought to an abandoned house with no windows. It was away from the city by like… 2 hours,” one former employee who oversaw the operation remotely testified.
Then, one of the Hacking Team engineers panicked when he recognized Joaquin Arenal Romero, an official who he suspected had links to the Zetas cartel. “I’m not saying that such things happened daily, but they surely happened often. Sometimes people would show up in front of us saying they worked for the intelligence. It was normal that we could ask ourselves ‘who are these people?’” remembers one ex-employee. When asked by the New York Times in 2017, the Puebla government denied purchasing any technology from Hacking Team.
A former employee of Hacking Team remembers that the level of professionalism varied considerably between clients. “High tier agencies, they were structured. They had secure rooms and everything […] you had an auditor in place who was actually doing his or her job,” he said. “[But] you could see agencies that had no process. Anybody could do anything.”
This scenario is not out of the ordinary, according to a senior DEA official who says police with access to cyber surveillance technology sell it to cartels. The drug traffickers appear to be particularly fond of those types of tools as evidenced at the trial of the Sinaloa cartel leader, Joaquín Guzmán Loera. One engineer who worked for the drug lord admitted during a hearing that he bought “interception equipment that allows access to phone calls, the Internet, text messages.” Cartels who do not have their own engineers can turn to corrupt officials who, according to the DEA, agree to target certain people in exchange for bribes.
“If the agency that had it in use made a cartel use it, we could not know,” said one former Hacking Team employee. “The only thing we could do if we were aware of violations was to not renew the license and let it expire. But we couldn’t shut it down remotely.”
Journalists are closely watched
In the state of Veracruz, a sophisticated espionage unit run by the public security ministry has been in place since the 1990s. A vast network of paid informants – waiters, shoe shiners, street vendors, small scale drug dealers, as well as bogus activists and journalists – were recruited to gather information on so-called political opponents. The unit used classic intelligence-gathering techniques such as keeping personal files on journalists, according to a public official who worked for multiple governors during this period.
Throughout its existence, the unit has supplemented human intelligence with surveillance technology. Between 2017 and 2019, the unit acquired high-tech solutions—notably of European origin. But emails from Hacking Team revealed that Veracruz already had access to a trial version of RCS in 2012. In 2018, the current governor announced an end to these kinds of activities, but it’s unclear if the spying was suspended or dismantled permanently.
“Veracruz has very sophisticated spy technology. It’s not Pegasus, but it’s just as good,” reported a well-placed source. “Intelligence analysts are very experienced and have the skill and technology to hack into phones and computers.”
Veracruz could be considered one of the most competent and sophisticated state espionage units in the country. The Veracruz State Public Security Secretariat did not respond to multiple emails from Forbidden Stories.
For journalists, the situation is particularly dangerous. In 2012, journalist Regina Martínez was murdered while investigating two state governors, Fidel Herrera and Javier Duarte. According to Reporters Without Borders, the latter’s election in 2010 sparked a reign of terror against journalists. Sixteen journalists were murdered in the following years. Duarte was arrested in neighbouring Guatemala in 2017 after six months on the run for “corruption, involvement in organized crime, and embezzling millions.”
Andres Timoteo, a former colleague of Regina Martínez, affirmed that she always felt watched. “She heard noises from her phone, echoes. But we were all spied on. It was part of daily life.” Andres Timoteo fled Mexico after Regina Martínez was murdered, fearing for his safety.
In another state, a former employee of Hacking Team remembered being present when a governor monitored a journalist from his office. “He was proud,” he recalled.
In 2017, several Mexican and international organizations collaborated to publish a report called “Gobierno Espía.” Over a year, researchers and activists worked to identify abusive infection attempts against journalists, lawyers, and anticorruption militants. They found more than 80 infection attempts by NSO spyware in Mexico between 2015 and 2016. The country has the highest number of documented software abuses. At least 25 people were illegitimately targeted, according to the Canadian research group Citizen Lab. But no corporate alarm bells went off, “which made us wonder whether the company was giving Mexico special room because of a favorite relationship,” said Scott-Railton of Citizen Lab.
NSO Group told Forbidden Stories that it had investigated all alleged misuses of its technology, adding that “in multiple instances, NSO [had] terminated contracts and severed relationships with customers after misuses were identified,” without naming any specific client.
Following the publication of the report, a group of United Nations experts asked Mexico’s government to commit to halting surveillance immediately. “Such commitment must include effective controls over the security and intelligence services in order to prevent unlawful use of the State’s monitoring tools,” the group insisted.
Impunity again and again
The government promised to launch an investigation. Associations banded with journalists targeted by Pegasus to file a complaint. Then, nothing. To further the investigation, the prosecutor’s office demanded the phones that had been targeted by the infection attempts be turned in. “Analyzing phones is notoriously hard in cases like this, in part because Pegasus has anti-forensic tools,” said Scott-Railton. “We pointed out that there were many more reliable locations for evidence such as the phone network as well as logs of the Pegasus deployment itself.”
The NGOs involved questioned the impartiality of the prosecutor’s office and whether it could investigate a technology that it used itself. “It’s not clear to me that the government is on track to conduct a real serious independent investigation,” said David Kaye, UN Special Rapporteur on Freedom of Expression until July 2020.
Contacted by Forbidden Stories, the prosecutor’s office would not comment on ongoing investigations.
In 2018, Mexico’s president, Andrés Manuel López Obrador, declared that the government would stop using Pegasus software. “There has not been a mention of this in his daily briefings since then,” said Fernando García. “And his commitment is not verifiable at the moment.” Mexico’s president did not respond to the list of questions sent by Forbidden Stories on this subject.
According to Kaye, “We’re in a situation where we need to assume that these tools are still available to be used, and it’s up to the government to demonstrate that they’ve put them under significant rule of law constraint.”
Ultimately, a sense of impunity dominates. Neither the operators of RCS nor those of Pegasus have been subjected to legal proceedings. “The most likely thing is that you won’t get caught,” said Fernando García. “If you get caught, it’s very unlikely that an investigation will be open. If an investigation gets opened, it’s very unlikely that something’s going to happen with that investigation or you’ll be prosecuted.”
Tomás Zerón, the former director of the AIC, was described in 2014 as “the final buyer” of cyber-surveillance systems, notably Pegasus. He’s currently wanted by Mexican authorities on embezzlement charges related to three contracts to acquire espionage equipment between 2013 and 2014, among other crimes. He is also wanted for falsifying elements of an investigation on the disappearance of 43 students from the state of Guerrero in 2014. Citizen Lab was able to prove that a group of international experts investigating this affair were also targeted with Pegasus software.
Today, Tomás Zerón is hiding in Israel, according to the president of Mexico. “I think it’s clear that Tomás has had a very crucial role in securing and facilitating contracts, particularly for Israeli surveillance companies,” said Fernando García. “And it’s—at least in my opinion—curious, a really interesting coincidence, that he has chosen Israel as a place of hiding.”
Israel’s Foreign Ministry briefly responded to Forbidden Stories: “Israel has received a request [from the Mexican authorities] about this and we are looking into the matter.”
A game of influence and corruption
The fugitive has indeed found himself at the heart of Mexico’s opaque and lucrative system of cyber-surveillance contracts. In this sector, the majority of contracts are signed without calls for bids and without any transparency, which makes them ripe for corruption. “It becomes a race for influence,” said Fernando García. “Companies and intermediaries fight for becoming friends with the official that makes the decision of who to allocate the contract to.”
Uri Emmanuel Ansbacher is among these merchants of influence. Originally from Israel and now the owner of a galaxy of companies in Mexico, Ansbacher is a friend of NSO Group director Shalev Hulio and is said to be the intermediary for a number of Israeli cyber-surveillance companies. Asked by Forbidden Stories, Ansbacher denied it.
Intermediaries can be Mexican private security companies or shell corporations created uniquely for these types of transactions. “Foreign companies use these types of companies because they often resort to bribing Mexican officials—offering a percentage of the sale to secure the contract,” said Mendoza Cortés. “This results in overcharging for security products and services purchased by the Mexican government.”
One employee of Hacking Team talked about one intermediary: “[He] has become good friends with the son of the procurement chief and offered NSO for 15 million dollars. I am sure there are some nice payoffs going on with this purchase.” NSO Group did not respond when asked about this allegation. Leaked documents from the Italian company revealed that intermediaries received large commissions—about 30% on contracts for tens of thousands of dollars.
Some of the intermediaries mentioned at the time—Neolinx de Mexico and Sym Servicios—are still active today. Import data collected by the Mexican government, which Forbidden Stories was able to access with the help of an analyst from the think tank C4ADS, showed that these companies were still importing technology from Israeli companies in 2019.
The director of Neolinx did not respond to questions sent by Forbidden Stories. The director of Sym Servicios, Niv Yarimi, claimed that he has not acted as an intermediary for cyber-surveillance companies since 2015. He now focuses on using connected devices to help improve safety in cities. According to Mendoza Cortés, the logic of “smart and safe cities” is successfully used by private security companies today to promote their products and services in Mexico.
Another Mexican intermediary, EyeTech Solutions, received two shipments from the company Circles Bulgaria—a subsidiary of Circles owned by NSO Group—in 2016 and 2018. When contacted by Forbidden Stories, Giliad Pait, the director of operations at EyeTech Solutions, affirmed that he had not worked with NSO Group—before hanging up and blocking our number.
This raises questions about the official story of NSO Group’s withdrawal from the Mexican market—especially because many Mexican numbers appeared as Pegasus targets linked to the WhatsApp security breach in May 2019. “The federal government says it’s not them. Then who is? And why don’t we know?” asked Fernando García.
Where are human rights in all of this?
It’s unlikely that the answer will come from Israel. Although a judicial proceeding against NSO Group was initiated in 2018 for the company’s negligence in the face of abuses by the Mexican government, the Israeli justice system bowed to NSO Group’s demand to keep the proceedings confidential due to national security risks, interference in Israel’s international relations, and trade secrets.
Everything concerning customers and export licenses is confidential. On the authorities’ side, “the policy is not to say anything, not to denounce, not to say it’s false, not to say anything,” explained Mack.
According to him, even committees tasked with evaluating the human rights policies of these companies don’t know anything about their clients. “If they don’t have the information, how can they do regulation? It’s a joke.”
Former French ambassador Gérard Araud, who worked as NSO Group’s external advisor on human rights issues from 2019 to 2020, confirmed that he did not know “everything that had been implemented or what had not… Secrecy is an integral part of the business, which puts my contribution into perspective,” he explained. “My job was more to have discussions with the investors, rather than with the company itself.”
According to the diplomat, “the issue of surveillance technologies and human rights would require legislation, or even a United Nations convention, or a dialogue with human rights organizations.” For their part, NSO Group praised Araud’s “important role” in advising the company.
One former employee of Hacking Team has bitter memories of the Italian company’s ethics committee. “This board never did anything. They used to deliver reports saying, ‘this country is okay’ or ‘this country is less okay, but still you can sell.’ It was just for show.” His boss’s reasoning at the time was simple: if a government says that someone is a terrorist, then he’s a terrorist. It’s not up to the company to decide otherwise.
“I can tell you they couldn’t care less,” he confided today. “Not Hacking Team…not NSO. They don’t care. They claim that they do things, but they absolutely don’t care at all.”