We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that the Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company, NSO Group.   Had the links been clicked on, González’s phone would have been silently commandeered allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (even those that are encrypted), and track his movements.

This most recent case brings the total number to 22 individuals that we have confirmed being targeted with NSO Group spyware in Mexico.  NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals.  Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and / or doing their jobs as lawyers, journalists, and investigators.   As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology.  It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse.  NSO Group’s US-based majority owner, Francisco Partners, was recently reportedly looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million.  When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.  On August 15 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group in Mexico is led by Citizen Lab senior researcher, John Scott-Railton.  Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak.  Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research.  We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed methods research to highlight digital security issues that arise out of human rights concerns, and then engage in high-level policy and legal engagement to try to mitigate the problem.

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless.  Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries within which they are domiciled as companies (e.g., Israel) who can pass more strict export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and who themselves are sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).  

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here: https://citizenlab.ca/2017/08/nso-spyware-mexico-corruption/

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israeli-based NSO Group’s sophisticated Pegasus spyware technology.  

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS’s, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: https://citizenlab.ca/2017/08/lawyers-murdered-women-nso-group/

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and lack of controls around the use of spyware manufactured by the Israeli cyber warfare company, NSO Group.   

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls of countries in which spyware companies are headquartered, to opaqueness around the market for cyber security, to an absence of due diligence on the part of companies themselves to know their clients.

A growing number of our reports has shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others end up being targeted by powerful software ostensibly limited to governments to fight terrorists and investigate crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to reign in the abuse of commercial spyware.  As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here: https://citizenlab.ca/2017/07/open-letter-to-blackstone-possible-nso-acquisition/

PDF here: https://citizenlab.ca/wp-content/uploads/2017/07/Blackstone_open_letter_NSO_group_citizen_lab.pdf

The Mexican surveillance scandal in which the Citizen Lab is involved now widens substantially.

Our latest report confirms that a phone belonging to an international group of experts from several countries assembled by the Inter-American Commission on Human Rights (known as the GIEI), charged with investigating the 2014 Iguala Mass Disappearance, was targeted with infection attempts using spyware developed by the NSO group, an Israeli “cyber warfare” company.

The infection attempts we documented took place in early March 2016, shortly before the publication of GIEI’s final report on their investigation.

For those who do not know, the 2014 Iguala Mass Disappearance refers to a horrific episode in which 43 students from the Ayotzinapa Rural Teachers’ College were disappeared while travelling to Mexico City to participate in an event commemorating yet another tragic episode in Mexico, the Tlatelolco Massacre. The Mexican government’s inadequate response to the mass disappearance, and suspicions that Mexican government agencies themselves were implicated, led to calls for the creation of the independent international investigation.

While carrying out their investigations, the GIEI experts faced numerous threats and harassment, and eventually a public falling-out with the Mexican attorney general’s office. Just prior to the release of their public report in March 2016, we determined that a phone belonging to the investigators was targeted with SMS messages containing links to NSO Group exploit infrastructure.

While we cannot definitively attribute the targeting we discovered to a particular Mexican government agency or individual, it is highly significant that leaked documents show numerous Mexican government agencies, including the Mexican attorney general’s office itself, purchased NSO Group spyware.

This latest report of ours adds to the growing number of cases clearly showing the abuse of commercial spyware in the context of Mexico.   So far we have positively determined that technology sold by an Israeli-based company ostensibly restricted to governments for anti-terror, criminal, and national security investigations has been used instead to target health scientists and anti-obesity activists, anti-corruption NGOs, journalists (and their family), opposition politicians, and now members of an independent international inquiry into the massacre of 43 students.

These findings will undoubtedly deepen the surveillance crisis in Mexico.  But what’s going on in that country is symptomatic of a much wider global problem. Surveillance companies are making millions selling their products to governments that lack oversight and public accountability who are then turning these powerful and highly invasive tools on civil society to further their corrupt aims.

Addressing this problem will require a comprehensive policy response across multiple domains, from the domestic to the international.  My colleague Sarah McKune and I have outlined recommendations to bring more accountability to the commercial spyware trade in the form of a checklist, which can be found here.  We hope our documentation of cases of abuse such as these will inspire such comprehensive responses.

We are grateful for the cooperation of the GIEI experts, and our Mexican colleagues, R3D, SocialTic, and Article19, without whom this investigation could not be undertaken.

Read the full report here: https://citizenlab.org/2017/07/mexico-disappearances-nso/

For years, Citizen Lab has been sounding alarms about the abuse of commercial spyware. We have produced extensive evidence showing how surveillance technology, allegedly restricted to government agencies for criminal, terrorism, and national security investigations, ends up being deployed against civil society.

Today’s report not only adds to the mountain of such evidence, it details perhaps the most flagrant and disturbing example of the abuse of commercial spyware we have yet encountered.

Working with Mexican civil society partners R3D, Social Tic, and Article 19, our team — led by John Scott Railton — identified more than 75 SMS messages sent to the phones of 12 individuals, most of whom are journalists, lawyers, and human rights defenders. 10 are Mexican, one was a minor child at the time of targeting, and one is a US citizen.

These SMS messages contained links to the exploit infrastructure of a secretive Israeli cyber warfare company, NSO Group.  Had they been clicked on, the links would activate exploits of what were, at the time, undisclosed software vulnerabilities in the targets’ Android or iPhone devices.  Known in NSO Group’s marketing as “Pegasus”, this exploit infrastructure allows operators to surreptitiously monitor every aspect of a target’s device: turn on the camera, capture ambient sounds, intercept or spoof emails and text messages, circumvent end-to-end encryption, and track movements.

We first encountered NSO Group in August 2016 when UAE human rights defender Ahmed Mansoor shared with Citizen Lab researchers suspicious SMS messages he received containing links to NSO infrastructure. When we published our report on Mansoor, we had some evidence of targeting in Mexico that subsequently led to a follow-up report earlier this year on the use of NSO’s surveillance technology to target Mexican health advocates and food scientists.

The targeting we outline in our latest report, which runs from January 2015 to August 2016, involves a much wider campaign. It includes 12 individuals who share a common trait:  investigations into Mexican government corruption, forced disappearances, or other human rights abuses. All of the individuals who cooperated in our research consented to be named in the report. The August 2016 endpoint coincides with the time of our disclosure to Apple about NSO’s exploits, which led to the shutdown of NSO’s infrastructure (or at least that particular phase of it).  

Among the noteworthy aspects of this latest case are the persistent and brazen attempts by the operators to trick recipients into clicking on links.  Each of the targets received a barrage of SMS messages that included crude sexual taunts, alleged pictures of inappropriate, threatening, or suspicious behavior, and other ruses.  Many received fake AMBER Alert notices about child abductions as well as fake communications from the US Embassy in Mexico.

What is most disturbing is that the minor child of one of the targets — Emilio Aristegui, son of journalist Carmen Aristegui — received at least 22 SMS messages from the operators while he was attending school in the United States.  Presumably these attempts to infect Emilio’s phone were intended as a backdoor to his mother’s phone. But it is also possible the operators had a more sinister motivation.  The attempts to infect both Carmen and Emilio took place at the same time Carmen Aristegui was investigating a major corruption scandal involving the President of Mexico.

Our report makes it clear that the NSO Group, like competitor companies Hacking Team and FinFisher, is unable or unwilling to control the abuse of its products.  Time and again, companies like these, when presented with evidence of abuse, effectively pass the buck, claiming that they only sell to “government agencies” to use their products for criminal, counterintelligence, or anti-terrorism purposes.  The problem is that many of those government clients are corrupt and lack proper oversight; what constitutes a “crime” for officials and powerful elites can include any activity that challenges their position of power — especially investigative journalism.

Mexico is a case in point.  Ranked by the Economist’s Intelligence Unit as a “flawed democracy”, Mexico’s government agencies are riven with corruption.  Mexico is one of the most dangerous places to be a journalist not only because of violence related to the drug cartels but also because of threats from government officials.   As Reporters Without Borders notes, “[w]hen journalists cover subjects linked to organized crime or political corruption (especially at the local level), they immediately become targets and are often executed in cold blood.”

In spite of these glaring insecurity and accountability issues, the NSO Group went ahead and sold its products to multiple Mexican government agencies, according to leaked documents reported on in the New York Times.  Other leaked documents show that Mexico was at one time another commercial spyware company’s (Hacking Team) largest single country client.  Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?

What is to be done about these abuses? In a recent publication, Citizen Lab senior researcher Sarah McKune and I outlined a “checklist of measures” that could be taken to hold the commercial spyware market accountable, including application of relevant criminal law. It is noteworthy in this regard that while in the United States, the minor child Emilio Arestigui received SMS messages purporting to be from the US Embassy.  Impersonating the US Government is a violation of the US Criminal Code, and the targeting may very well constitute a violation of the US Wiretap Act.  At the very least, it is a violation of diplomatic norms.  How will the United States Government respond?

NSO Group is an Israeli company, and thus subject to Israeli law.  In the past, Israel has prided itself on strict export controls around commercial surveillance technology.  Yet this latest example shows yet again the ineffectiveness of those controls.  Will Israeli lawmakers tighten regulations around NSO Group in response?

Among the checklist of measures McKune and I identified is the importance of evidence-based research on the commercial spyware market to help track abuses and raise awareness.  It is important to underline that the work undertaken in this report could not have been done without the close collaboration between Citizen Lab researchers and Mexican civil society groups, R3D, SocialTic, and Article 19.   Collaborations like these are essential to exposing the negative externalities of the commercial spyware market, documenting its harms, and shedding light on abuse.

I suspect it will not be the last collaboration of this sort.

Read the full report, “Reckless Exploit: Journalists, Lawyers, Children Targeted in Mexico with NSO Spyware,” authored by John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and me, here: https://citizenlab.org/2017/06/reckless-exploit-mexico-nso

I am pleased to announce a new Citizen Lab report, entitled “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links,” authored by John Scott-Railton, Bill Marczak, Claudio Guarnieri, and Masashi Crete-Nishihata.

The full report is here:  https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

New York Times has an exclusive here: https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

In recent years, the research of the Citizen Lab and others has revealed numerous disturbing cases involving the abuse of commercial spyware: sophisticated products and services ostensibly restricted in their sales to government clients and used solely for legitimate law enforcement.

Contrary to what companies like Hacking Team, Gamma Group, NSO Group and others claim about proper industry self regulation, we have repeatedly uncovered examples where governments have used these powerfully invasive tools to target human rights defenders, journalists, and legitimate political opposition.

To this list, we can now add research scientists and health advocates.

The “Bitter Sweet” case has its origins in a prior Citizen Lab investigation — our Million Dollar Dissident report, in which we found that a UAE-based human rights defender, Ahmed Mansoor, was targeted by UAE authorities using the sophisticated “Pegasus” spyware suite, sold by Israeli cyber warfare company, NSO Group.

As part of that report, we published technical indicators — essentially digital signatures associated with the NSO Group’s infrastructure and operations — and encouraged others to use them to find evidence of more targeting.  When we published our report in August 2016, we knew there was at least one Mexican targeted — a journalist — and so suspected there might be some targeting there.

Shortly after the publication of our report, Citizen Lab was contacted by Access Now, which had received a request for assistance on its digital helpline from two Mexican NGOs working on digital rights and security, R3D and SocialTIC.  Together, we worked to track down suspicious messages received by Mexicans, which led us to the Bitter Sweet case.

The title of our report refers to the fact that all of those whom we found targeted in this campaign were involved in a very high-profile “soda tax” campaign in Mexico. A soda tax is part of an anti obesity effort to add taxes to lower consumption of sugary drinks and sodas.  Although many in Mexico are behind the campaign, some in the beverage industry and their stakeholders are obviously not.

In the midst of controversy around the soda tax campaign, at least three prominent research scientists and health advocates received similar (in some cases, identical) suspicious SMS messages that included telltale signs of NSO Group’s attack infrastructure. Had any of them clicked on the links, their iPhones would have been silently compromised, allowing the perpetrators to listen in on their calls, read their emails and messages, turn on their camera, and track their movements — all without their knowledge.

What is most remarkable about the targeting are the steps the perpetrators took to try to trick the scientists and advocates to click on the links.  For example, one of the targets, Dr. Simon Barquera, a well respected researcher at the Mexican Government’s Instituto Nacional de Salud Pública, received a series of increasingly inflammatory messages.  The first SMSs concerned fake legal cases in which the scientist was supposedly involved.  Those following got more personal: a funeral, allegations his wife was having an affair (with links to alleged photos), and then, most shocking, that his daughter, who was named in the SMS, had been in an accident, was in grave condition, and that Dr. Barquera should click a link to see which hospital emergency room into which she was admitted.

While we can’t attribute this campaign to a particular company or government agency, it is obvious those behind the targeting have a stake in getting rid of the soda tax, and that points to the beverage industry and their investors and backers in the Mexican government. It is important to point out that Mexico is on record purchasing NSO Group’s services and NSO Group itself asserts it only sells to legitimate government representatives.  But clearly the NSO’s “lawful intercept” services are not being used in Mexico to fight crime or hunt terrorists, unless those who are advocating against obesity are considered criminal terrorists. We feel strongly that both the Mexican and the Israeli governments (the latter approves exports of NSO products) undertake urgent investigations.

Finally, our report shows the value of careful documentation of suspicious incidents, and ongoing engagement between researchers, civil society organizations, and those who are targeted by malicious actors who wish to do harm.  The epidemic of targeted digital attacks facing civil society will require an all-of-society defence.  The cooperation shown on this investigation by Citizen Lab researchers, Access, R3D, and SocialTIC is a model of how it can be done.