Reckless abuse (again) of surveillance spyware that was sold to governments

We keep seeing a common theme when it comes to spyware sold exclusively to governments, surveillance spyware which is marketed as lawful tools to help governments fight crime and terrorism; those remote intrusion solutions are increasingly used to spy on people who the governments consider to be a threat because those people are revealing the truth to the public. The latest example comes from Mexico, showing how powerful spyware was used to target journalists investigating high-level official corruption and human rights defenders investigating government-sponsored human rights abuses.

The surveillance spyware Pegasus (pdf), sold by the Israel-based NSO Group, is meant to remotely take complete control of mobile phones. While this isn’t the first time the stealthy Pegasus has been abused by governments for purposes other than preventing and investigating crimes, Citizen Lab said it is the first time a minor has been targeted with infection attempts using governmental spyware. Why target a kid? To spy on his mother.

Mexico is already “one of the most dangerous places in the world for journalists. Reporters covering sensitive issues often face threats of kidnapping, intimidation, or physical violence as a result of their work.” But organized criminal groups aren’t the only ones trying to intimidate journalists; one report revealed that at least half of the threats were linked to government officials. Since sophisticated spyware is designed to stay “invisible,” and even self-destruct to avoid detection, the digital surveillance can be hard to document.

Yet Citizen Lab’s newest report about the reckless use of NSO surveillance spyware explains how 10 Mexican journalists and human rights defenders, as well as one minor child, were targeted. Citizen Lab’s investigation, in collaboration with three other groups, revealed:

The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats. The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years.

The NSO Group uses the same blah-blah-blah statements as other companies which sell surveillance spyware to governments… that the company complies with laws and regulations…that the malware is only to be used lawfully…to help make the world safer…to be used solely to prevent and investigate crimes. The NSO Group included a statement absolving it from responsibility if its stealthy spyware is used unlawfully as it is a tech company and doesn’t operate the systems it sells to governments.

Of the 11-total people targeted, six were Mexican journalists and TV reporters, one was a kid, and five people were part of civil society organizations. They all received phishing messages, some impersonating the United States Embassy with warnings about problems with VISAs, others included taunts to click on the link to see their partner having sex with someone else, or to click to see the unlicensed vehicle stalking the victim, as well as others such as the usual type of fake billing or purchase notifications meant to make the victim click.

If a target nibbles on the bait by clicking, the phone is infected with malware which turns it into a “digital spy in the pocket of a victim, fully under the control of the operator. An infected phone can be configured to report back all activities on the device, from messages and calls (even those via end-to-end-encrypted messaging apps), to recording audio and taking pictures.”

It’s all sickening, but when the attackers couldn’t get a highly respected journalist to take the bait for over a year, they switched to targeting her minor son with at least 21 text messages which included links to the NSO’s Exploit Framework. He was targeted for three months, before the attackers switched back to targeting both mother and son. Regarding the alarming text messages impersonating the US Embassy, Citizen Lab suggested “impersonating a United States Government communication while he was located in the United States may have violated US Law.”

In light of the newest investigation and report, Citizen Lab believes “there is evidence of an informal ‘principle of misuse’ for government-exclusive spyware: when the technology is sold to a government without sufficient oversight, it will eventually be misused. This principle highlights the need to hold spyware manufacturers accountable for their contributions to global cyber insecurity.”

I highly recommend reading Citizen Lab’s full report.