The Israeli spyware developer NSO Group has long claimed plausible deniability when it comes to misuse of its powerful targeted surveillance tools. Yet despite its protestations—and increased scrutiny from tech companies and regulators alike—the abuses continue. The latest revelation comes from El Salvador, where NSO’s Pegasus malware was found on 37 devices belonging to 35 journalists and activists as recently as November of last year.
Those findings, jointly published by a consortium of digital rights organizations, show that despite NSO Group’s insistence that its products are used to track criminals and terrorists, governments continue to deploy them against innocent targets—and that NSO has done little to rein in its clients.
Twenty-three of the infected devices belong to journalists connected to the Salvadoran news site El Faro. Three other compromised devices belong to people associated with the publication Gato Encerrado. Both have published reporting critical of El Salvador’s government and have faced retaliation, like being barred from various government press conferences and, El Faro has said, being subjected to invasive financial audits and accusations of tax evasion. Salvadoran president Nayib Bukele and his administration has been broadly hostile to the media; in early 2021, the Inter-American Commission on Human Rights granted precautionary measures for 34 El Faro journalists thought to be at risk of human rights violations as a result of their work.
Other confirmed targets of the Pegasus hacking spree include devices connected to Salvadoran publications La Prensa Gráfica, Revista Digital Disruptiva, El Diario de Hoy, and El Diario El Mundo, plus those of two independent reporters. The campaign also hit devices linked to local non-governmental organizations including Cristosal, Fundación Democracia, and Transparencia y Justicia. Notably, the researchers found that some devices were infected with Pegasus more than 40 times. El Faro said on November 23 that Apple had alerted 12 of its journalists to the possibility that their devices had been targeted with Pegasus spyware. The Association of Journalists of El Salvador announced a day later that a total of 23 journalists from different newsrooms received the same information. Others who received Apple’s Pegasus targeting notifications include parliamentarian Jhonny Wright Sol, and Héctor Silva, a San Salvador local councilor.
“It was quite shocking, to be honest, given the scale and the persistence of the infections in terms of one person being targeted multiple times,” says Natalia Krapiva, tech legal counsel at Access Now, one of the organizations that investigated the campaign. “The technology gives access to everything you’re doing on your phone, and we’ve heard NSO say many times that they would take action to implement human rights policies. Governments are also not being transparent about the purchase and use of this spyware. They should be accountable. Surveillance of civil societies with these tools shouldn’t be the norm.”
NSO Group did not return WIRED’s request for comment about the findings. Pegasus, which NSO has developed for both Apple’s iOS mobile operating system and Google’s Android OS, can be used to track a victim device’s location, exfiltrate data like text messages and emails, activate the microphone and camera and more.