Journalists in El Salvador Targeted With Spyware Intended for Criminals

El Salvador’s leading news outlet, El Faro, said on Wednesday that the phones of a majority of its employees had been hacked with the spyware Pegasus, which has been used by governments to monitor human rights activists, journalists and dissidents.

The revelation came just months after the American government blacklisted the Israeli firm that produces Pegasus, the NSO Group, in an attempt to curb the largely unregulated global market in spyware.

According to Citizens Lab and Access Now, two cybersecurity watchdogs that analyzed the phones of El Faro’s employees, the spyware had been installed on the phones of 22 reporters, editors and other employees between July 2020 and November 2021.

During that time, El Faro was investigating the Salvadoran government’s clandestine connections to the country’s gangs and corruption scandals. The government has denied any connection to local gangs.

“It’s completely unacceptable to spy on journalists,” said Carlos Dada, the founder and director of El Faro. “It endangers our sources, it limits our work and it also endangers our families.”

The cybersecurity watchdogs said 13 journalists from other Salvadoran news organizations were targeted as well. An El Faro journalist’s phone had been reinfected with the spyware over 40 times, the most persistent hacking attempt by Pegasus yet to be discovered.

“NSO Group’s tentacles continue to spread across the globe, crushing the privacy and rights of journalists and activists into oblivion,” said Angela Alarcón, who campaigns on Latin America and the Caribbean at Access Now. “Revelations that Pegasus software has been used to unjustly spy in El Salvador may not come as a complete surprise, but there is no match to our outrage.”

It remains unclear who was using NSO’s surveillance technology to spy on the journalists. El Salvador’s government denied responsibility, and a spokesperson with NSO Group would not say whether Pegasus spyware had been provided to El Salvador’s governments, past or present.

“The government of El Salvador is in no way related to Pegasus and is not a client of the NSO Group,” Sofía Medina, the communications director for President Nayib Bukele of El Salvador, said in a statement.

“The government of El Salvador is investigating the possible use of Pegasus,” the statement added, before going on to describe a similar hacking attempt targeting Salvadoran government officials.

The development is the latest scandal to rock NSO Group, a prized Israeli technology company whose spyware has long been under scrutiny for its ability to capture all activity on a smartphone — including a user’s keystrokes, location data, sound and video recordings, photos, contacts and encrypted information — and for mounting allegations of misuse by repressive governments.

In August it was revealed that Pegasus had been secretly installed on the smartphones of at least three dozen journalists, activists and business executives across the world, including close associates of the murdered Saudi journalist Jamal Khashoggi. In Mexico, it was used against influential journalists and others.

The Biden administration blacklisted NSO Group in November, stating that the company had knowingly supplied spyware used by foreign governments to “maliciously target” the phones of human rights activists, journalists and others.

The measure was a notable break with Israel, an American ally, as the company is one of Israel’s most successful technology firms and operates under direct surveillance of the Israeli government.

After the American government blacklisted NSO Group, the company promised that Pegasus was only licensed to governments with good human rights records.

But in December it was announced that the iPhones of 11 American Embassy employees working in Uganda had been hacked using Pegasus spyware.

In an emailed statement, a spokesperson for NSO Group, who declined to provide their name, maintained the company only provides its software to legitimate intelligence agencies and to law enforcement agencies to fight criminals and terrorists.

The spokesman added that the company does not know who the targets of its customers are, but that NSO works to ensure that its tools are used only for authorized purposes.

Israel’s Defense Ministry is in charge of regulating and approving any exports of NSO’s software. The Israeli military has also been criticized for its human rights violations at home and abroad.

While it remains unclear what entity targeted the Salvadoran journalists, El Salvador has been criticized for intimidating and censoring local media.

El Salvador’s president, Mr. Bukele, has come under withering criticism from the United States government and rights groups for using the military to interfere with the legislature and to suspend Supreme Court judges and the attorney general .