More Mexican Journalists And Activists Found To Be Targeted By NSO Group Malware

Last summer, a blockbuster leak of data allegedly related to NSO Group's customers made it crystal clear that earlier rumors about routine abusive use of powerful phone-targeting malware were likely true. Israel's NSO Group swiftly issued a denial that was more angry than coherent and did nothing to persuade its many critics that NSO just simply didn't care what paying customers did with its products.

Plenty of abuse had been observed for years before this leak. And plenty more was discovered once this list of apparent targets - a list that included a whole lot of journalists, dissidents, activists, religious leaders, and political figures - was made public. Reports of confirmed infections began rolling in from all over the world.

Mexican journalists and activists have been targeted by NSO's Pegasus malware for years. Investigations verifying phone infections surfaced as early as 2018, three years before a massive leak made NSO the subject of worldwide press coverage.

The 2018 report showed Mexican journalists and activists were being targeted, often immediately after publishing damning reports on government corruption. This targeting suggested the Mexican government was involved. But it wasn't just the government. Towards the end of 2021, a Mexican businessman was arrested for infecting a journalist's phone with Pegasus malware - a true oddity (not really) considering the NSO Group swore up and down it only sold to governments and that it acted quickly when it detected abusive deployments.

Things still haven't changed in Mexico. The targeting of journalists and activists continues. And again, this targeting seems to immediately follow the publication of investigative reporting about the government's abusive behavior. Citizen Lab, which has been the world leader in NSO malware abuse exposures, is again on the case.

Their latest report includes verification of relatively recent phone infections, as well as several details that show just how abusive these deployments are. It opens with a few bullet points summarizing the findings. These are the three most crucial findings:

Victims include two journalists that report on issues related to official corruption and a prominent human rights defender.

The infections occurred years after the first revelations of Pegasus abuses in Mexico.

They also occurred after Mexico's current President, Andres Manuel Lopez Obrador, assured the public that the government no longer used the spyware and that there would be no further abuses.

Hey, thanks for the assurances, but if you're actually powerless to stop abuse (or just trying to erect a little plausible deniability) maybe just keep your mouth shut. You're not helping when you issue promises that are immediately broken.

The targets were hit with NSO's most malicious product, Pegasus' zero-click version that compromises phones with no interaction by targets.

These were the targets: human rights activist Raymundo Ramos (infected at least three times), journalist Ricardo Raphael (infected four times in less than a year and twice more in 2016 and 2017), and an anonymous journalist writing for Animal Politico.

The infections themselves are suspicious. The timing of the infections, even more so.

Ramos was infected with Pegasus in August and September 2020. R3D found that the infections occurred after the publication of a video showing the extrajudicial killing of civilians by the Mexican army in Tamaulipas.

[...]

In 2020, [Raphael] was infected after writing on extrajudicial detentions and official impunity, such as this Washington Post editorial. Not long before he was infected in December 2020, he had accused Mexico's Attorney General of serious misconduct in their investigation of the Iguala Mass Disappearances case.

[...]

[The anonymous journalist] was infected on the same day [Animal Politico] published a report on human rights violations by the Mexican Armed Forces.

All obviously abusive uses of NSO malware. All occurring after the head of the Mexican government said things like this would no longer happen. And all occurred while the NSO Group pretended it was both (1) not responsible for end user actions, and (2) proactively policing worldwide use to deter abuse.

There are no surprises in this report. But there is more verification that NSO customers like to abuse the powerful malware. And more verification that NSO was unwilling to end its business relationship with the Mexican government following the 2018 exposure of abusive deployments, allowing the government to continue to target journalists and activists for another three years.