Spyware for crime targets Mexico’s top critics
MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.
The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.
Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates
smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.
The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.
But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.
“We are the new enemies of the state,” said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife’s, was targeted by the software, according to an independent analysis. “Ours is a society where democracy has been eroded,” he said.
The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.
It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.
“Mexican security agencies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico’s intelligence agency and one of the government agencies that use the Pegasus spyware. “I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?”
“There, of course, is no basis for that intervention, but that is besides the point,” he added. “No one in Mexico ever asks for permission to do so.”
The hacking attempts were highly personalized, striking critics with messages designed to inspire fear — and get them to click on a link that would provide unfettered access to their cellphones.
Carmen Aristegui, one of Mexico’s most famous journalists, was targeted by a spyware
ware operator posing as the U.S. Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extra-marital affair.
For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Pardinas’ home.
"I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don't seem to fall into the traditional role of criminality,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the Uni-verisity of Toronto, which examined the hacking attempts.
The Mexican government acknowl-edges gathering intelligence against legitimate suspects in accordance with the law. "As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations,” it said in a statement.
But the government “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”
The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.
Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software-maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.
But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.
Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.
The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.
Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael Flynn, President Donald Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.
Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used — or whom they are used against.
The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.
Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.
“When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.
Mexico is still a far cry from Turkey, which jails more journalists than any other nation in the world. It is hardly China, an authoritarian state where critics are silenced and a Western-style free press has been cast as a political peril by the government. But Mexico is in crisis all the same.
More journalists were killed in Mexico last year than during any other year this century, and 2017 is off to an even worse start. Government critics are routinely harassed and threatened, and now they are being targeted with incredibly sophisticated software.
“The fact that the government is using high-tech surveillance against human rights defenders and journalists exposing corruption, instead of those responsible for those abuses, says a lot about who the government works for,” said Luis Fernando García, the executive director of R3D, a digital rights group in Mexico that has helped identify multiple abuses of Pegasus in Mexico. “It’s definitely not for the people.”