This article is part of the Cartel Project, a series of investigations coordinated by Forbidden Stories, whose mission is to continue the work of journalists who have been killed. The story and others are being published across the world by 25 news outlets after a 10-month investigation by 60 journalists.
It was a message that almost went unnoticed. But behind the message hid a state-of-the-art surveillance operation. Or at least that was the intention. In the spring of 2016, Mexican journalist Jorge Carrasco was wrapping up a months-long investigation of the Panama Papers for Proceso magazine. When his research into Mexican customers led him to the notorious Panamanian business firm Mossack Fonseca, he received a text message from an unknown number: “Hello Jorge. I am sharing this memo that Animal Politico published today. I think it’s important to reshare.” The message came with a link. “Who is this?” Carrasco texted back. The sender never responded.
Hidden behind this mysterious message was an attempt to gain access to Carrasco’s phone using Pegasus spyware, which the Israeli company NSO Group sells to multiple governmental clients in Mexico. This discovery is the result of a technical analysis conducted by Amnesty International’s team of digital security specialists in collaboration with Forbidden Stories. When clicked, the link installs invisible software that siphons off all of the phone’s data, including text messages. It also enables the microphone and camera to be activated remotely—a formidable threat for a journalist.
“I noted the message at the time, but I receive a lot of these kinds of messages,” remembered Carrasco, who is now editor-in-chief at Proceso magazine.
“The message that we recovered was likely part of an ongoing campaign that was happening in Mexico throughout that particular period of time,” said Claudio Guarnieri of Amnesty Security Lab. At the time, the software was widely used by clients in Mexico. According to Amnesty, the phone number that targeted Jorge Carrasco was the same number used to send multiple text messages containing malicious links to Carmen Aristegui—one of the most well-known investigative journalists in Mexico. The domain name behind the link was also used in 2017 with the same software to target supporters of a soda tax.
“The targeting was not only extensive, but it was often done in a fairly reckless way with alarming and upsetting messages used to try to speed the malware targets into clicking,” explained John Scott-Railton of Citizen Lab, an organization that has spent several years investigating attacks that employ Pegasus software.
Jorge Carrasco joins a list of nine journalists in Mexico whose phones showed evidence of a Pegasus spyware attack. In the past decade, Mexico has been a major importer of surveillance technologies, despite repeated scandals surrounding the use of these tools against journalists and activists. And despite the government’s promises, no measures have been implemented to regulate these tools. No previous operators have been brought to justice, and the country continues to import invasive tools from foreign companies.
The appeal of Israeli technology
According to a high-ranking official at the U.S. Drug Enforcement Administration (DEA), approximately 20 private spyware companies have sold software to Mexican federal and state police departments. “It seems that almost every tech out there at some point has either been pitched to Mexico, demoed there or perhaps used there when it comes to many of the major companies that sell this stuff,” said Scott-Railton.
Israeli technologies in particular have a good reputation with Mexican officials. "In Mexico, it’s typical for the security and intelligence community to think that Israel has the most advanced technologies and the best techniques for civilian and military training," said Paloma Mendoza Cortés, analyst and consultant on national security issues.
Mexico was for a long time one of NSO Group’s biggest clients. After an initial contract signed with the Secretary of National Defense, the Israeli company cemented its place in the market in 2014 by signing a $32 million contract with the Attorney General’s office. Emails from NSO’s competitor, Italian Hacking Team, which were hacked and widely circulated in 2015, revealed the growing power of NSO during this period. For Italian sellers, the challenge was “debunking the NSO myth.” Mexican clients were obsessed with this technology that promised to turn over complete access to the contents of their targets’ cell phones.
According to security expert Gadi Evron, Israeli companies offer a set of tools that range from accessing software vulnerabilities to a turnkey service where a customer simply provides a phone number or email address and receives all information necessary on a target.
NSO has established itself as the market leader. “We’re a complete ghost,” cofounder Omri Lavie bragged in 2013. “We’re totally transparent to the target, and we leave no traces.” The company’s flagship solution, Pegasus, infects targeted cell phones through malicious text messages, like the one received by Jorge Carrasco. But in 2018, the company started looking for more discreet modes of infection. “SMS messages are very visible and leave behind a significant trace which has been used again and again in investigations to confirm targeting such as this one,” explained Claudio Guarnieri. In 2019, it was revealed that the Israeli company was using a flaw in the messaging platform WhatsApp. Today, no user action is needed thanks to nearly invisible redirects of internet traffic. Once an attack is successful, the customer can view everything on the targeted phone.
“It's my belief that problems with abuses have probably gone up around the world, but it's harder to find them,” said Scott-Railton. “As NSO and others are moving towards selling ‘zero-click’ technologies for infection, technologies that don't rely on a text message, we're certainly in a more difficult situation in terms of investigating it.”
The powerful tool, intended to combat terrorism and organized crime, can be very dangerous if used against journalists, dissidents, or activists. “Because of the development of the technology, in many places they are able to identify the next Nelson Mandela before he even knows he is the next Nelson Mandela,” said Eitay Mack, an Israeli human rights lawyer. Yet it is difficult to make the general public aware of this type of threat. “Most of the people, if you show them a picture of a gun, they’ll think that this is the symbol of something bad, something dangerous,” Mack explained. “But if you’re talking about a surveillance system, it’s something that is harder to understand…something that you cannot see.”
In written answers to Forbidden Stories, NSO Group claimed to "fully investigate any credible claim of misuse, which includes assertions that [their] technology was used for any purpose other than legally preventing and investigating legitimate cases of terror and other serious crimes."
From the perspective of Israeli authorities, even repeated denunciations of using Pegasus against civilians do not justify sanctioning NSO Group, which continues to get its export license renewed. “The fact that there were journalists and activists targeted with Pegasus, for the Israeli government that’s just a basic fact of life,” said Mack.
“Each licensing assessment is made in light of various considerations including the security clearance of the product and assessment of the country toward which the product will be marketed,” a spokesperson from the Israel Ministry of Defense told Forbidden Stories. “Human rights, policy and security issues are all taken into consideration.”
Countries like Mexico insist they need to equip themselves against powerful organized crime groups. “We have seen a narrative that has reduced the security issues in Mexico and the violence related to organized crime as an excuse, as a selling point to spend large sums of money in acquiring technology allegedly to be used under this context,” explained Luis Fernando García, director of R3D, a digital rights organization. “Even though, as we know in Mexico, the line between organized crime and the government is nonexistent or frequently very blurry.”
This is particularly true at the state level, where officials sometimes have connections to cartels operating in their region.
According to a senior DEA official, police with access to cyber surveillance technology sell it to cartels. The drug traffickers appear to be particularly fond of those types of tools, as evidenced at the trial of the Sinaloa cartel leader, Joaquín Guzmán Loera. One engineer who worked for the drug lord admitted during a hearing that he bought “interception equipment that allows access to phone calls, the Internet, text messages.” Cartels who do not have their own engineers can turn to corrupt officials who, according to the DEA, agree to target certain people in exchange for bribes.
Journalists are closely watched
In the state of Veracruz, a sophisticated espionage unit run by the public security ministry has been in place since the 1990s. A vast network of paid informants – waiters, shoe shiners, street vendors, small-scale drug dealers, as well as bogus activists and journalists – was recruited to gather information on so-called political opponents. The unit used classic intelligence-gathering techniques such as keeping personal files on journalists, according to a public official who worked for multiple governors during this period.
Throughout its existence, the unit has supplemented human intelligence with surveillance technology. Between 2017 and 2019, the unit acquired high-tech solutions—notably of European origin. But emails from Hacking Team revealed that Veracruz already had access to a trial version of RCS (Remote Control System) in 2012. In 2018, the current governor announced an end to these kinds of activities, but it’s unclear if the spying was suspended or dismantled permanently.
“Veracruz has very sophisticated spy technology. It's not Pegasus, but it's just as good,” reported a well-placed source. “Intelligence analysts are very experienced and have the skill and technology to hack into phones and computers.”
Veracruz could be considered one of the most competent and sophisticated state espionage units in the country. The Veracruz State Public Security Secretariat did not respond to multiple emails from Forbidden Stories.
For journalists, the situation is particularly dangerous. In 2012, journalist Regina Martínez was murdered while investigating two state governors, Fidel Herrera and Javier Duarte. According to Reporters Without Borders, the latter’s election in 2010 sparked a reign of terror against journalists. Sixteen journalists were murdered in the following years. Duarte was arrested in neighbouring Guatemala in 2017 after six months on the run for “corruption, involvement in organized crime, and embezzling millions.”
Andres Timoteo, a former colleague of Regina Martínez, affirmed that she always felt watched. “She heard noises from her phone, echoes. But we were all spied on. It was part of daily life.” Andres Timoteo fled Mexico after Regina Martínez was murdered, fearing for his safety.
In 2017, several Mexican and international organizations collaborated to publish a report called “Gobierno Espía.” Over a year, researchers and activists worked to identify abusive infection attempts against journalists, lawyers, and anticorruption militants. They found more than 80 infection attempts by NSO spyware in Mexico between 2015 and 2016. The country has the highest number of documented software abuses. At least 25 people were illegitimately targeted, according to the Canadian research group Citizen Lab. But no corporate alarm bells went off, “which made us wonder whether the company was giving Mexico special room because of a favorite relationship,” said Scott-Railton of Citizen Lab.
NSO Group told Forbidden Stories that it had investigated all alleged misuses of its technology, adding that “in multiple instances, NSO [had] terminated contracts and severed relationships with customers after misuses were identified,” without naming any specific client.
Following the publication of the report, a group of United Nations experts asked Mexico’s government to commit to halting surveillance immediately. “Such commitment must include effective controls over the security and intelligence services in order to prevent unlawful use of the State's monitoring tools,” the group insisted.
Impunity again and again
The government promised to launch an investigation. Associations banded together with journalists targeted by Pegasus to file a complaint. Then, nothing. To further the investigation, the prosecutor’s office demanded the phones that had been targeted by the infection attempts be turned in. “Analyzing phones is notoriously hard in cases like this, in part because Pegasus has anti-forensic tools,” said Scott-Railton. “We pointed out that there were many more reliable locations for evidence such as the phone network as well as logs of the Pegasus deployment itself.”
In 2018, Mexico’s president, Andrés Manuel López Obrador, declared that the government would stop using Pegasus software. “There has not been a mention of this in his daily briefings since then,” said Fernando García. “And his commitment is not verifiable at the moment.” Mexico’s president did not respond to the list of questions sent by Forbidden Stories on this subject.
Where are human rights in all of this?
It’s unlikely that the answer will come from Israel. Although a judicial proceeding against NSO Group was initiated in 2018 for the company’s negligence in the face of abuses by the Mexican government, the Israeli justice system bowed to NSO Group’s demand to keep the proceedings confidential due to national security risks, interference in Israel’s international relations, and trade secrets.
Everything concerning customers and export licenses is confidential. On the authorities’ side, “the policy is not to say anything, not to denounce, not to say it’s false, not to say anything,” explained Mack.
According to him, even committees tasked with evaluating the human rights policies of these companies don’t know anything about their clients. “If they don’t have the information, how can they do regulation? It’s a joke.”
Paloma Dupont de Dinechin, Nina Lakhani (The Guardian) and Amitai Ziv (Haaretz) contributed to this article.