Commercial spyware unleashed against Mexican political activists

When you sell sophisticated spyware to governments – tools intended to invisibly track criminals and terrorists – what happens when they start using those tools against peaceful political opponents? Is it realistic to imagine they won’t?

These are just two of the questions raised by The New York Times’ report that “Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government” by NSO Group, an Israeli company that claims it made “an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans”.

Through NSO Group’s Pegasus software, governments can send a personalized text message with an infected link to a blank page: as soon as that link is clicked on an iOS or Android smartphone, the software takes full control over the device, monitoring all messaging, contacts, and calendars, and possibly even turning on microphones and cameras to spy on its targets.

According to the NYT’s report, targets in Mexico included Juan E. Pardinas, a key advocate for anti-corruption legislation, and his wife – who received a text message that purported to include links to photos proving he was having an affair. Also targeted: leading journalist Carmen Aristegui, who received a message claiming to be from the local United States embassy, telling her to click a link to solve a visa problem. Aristegui’s son received at least 22 NSO-infected SMS messages while at school in the US – again including messages impersonating US government officials, a likely violation of US law.

NSO Group has said it vets governments’ human rights records before selling software to them. It then charges per target, but doesn’t know who’s been targeted. It’s a lucrative business, says the NYT, which uncovered copies of recent NSO Group marketing proposals: “To spy on 10 iPhone users… the company charges $650,000 on top of a flat $500,000 installation fee.” The newspaper says NSO Group has been paid $80,000,000 since 2011 by three or more Mexican federal agencies – a price tag that implies plenty of targets.

NSO Group’s Pegasus software was first revealed in August 2016 by the University of Toronto’s Citizen Lab, which also consulted on the NYT’s new report. In its original report, Citizen Lab found that Pegasus was used to target United Arab Emirates (UAE) political activist Ahmed Mansoor, utilizing several linked iOS zero-day exploits. (According to Amnesty International, Mansoor is now in solitary confinement in a UAE prison.) Later, in February 2017, Citizen Lab worked with two Mexican NGOs to show that “Mexican government food scientists, health, and consumer advocates also received links to infrastructure… connected to NSO Group”.

Subsequent to Citizen Lab’s August 2016 report, Apple quickly closed down the zero-day exploits NSO Group had used, via a new patch, iOS 9.3.5. However, CyberScoop recently reported that “NSO Group executives have told business associates that the Pegasus incident – which burned three zero-day vulnerabilities – disrupted their work for around 30 minutes before they pulled the next three zero-days off the shelf and resumed operations.”

NSO Group is currently 70% owned by the private investment firm Francisco Partners, with the remainder owned by its founders and key executives. According to Calcalist, a leading Israeli business publication that follows Israel’s technology sector closely, Francisco Partners is trying to sell its investment. Based on the asking price, the company would be valued at $1bn – five times what Francisco paid for its investment in 2014. Good times for commercial spyware authors; perhaps not so much for the journalists and human rights activists that annoy their customers.