Update (Monday June 19 2017): According to a recent report, NSO Group may be re-branding itself as “Q Cyber Technologies“or “Q.”

Key Findings

Over 76 messages with links to NSO Group’s exploit framework were sent to Mexican journalists, lawyers, and a minor child (NSO Group is a self-described “cyber warfare” company that sells government-exclusive spyware).

The targets were working on a range of issues that include investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses.

Some of the messages impersonated the Embassy of the United States of America to Mexico, others masqueraded as emergency AMBER Alerts about abducted children.

At least one target, the minor child of a target, was sent infection attempts, including a communication impersonating the United States Government, while physically located in the United States.

Summary

In the past five years it has become increasingly clear that civil society is under threat from the misuse of powerful spyware tools exclusively sold to governments. Research has repeatedly shown how governments around the world use digital spying tools designed for criminal investigations and counterintelligence to target journalists, human rights defenders, and others.

In August 2016, Citizen Lab released a report uncovering how United Arab Emirates (UAE) activist Ahmed Mansoor was targeted with “Pegasus” (sophisticated government-exclusive spyware) and “The Trident” (a chain of iOS zero day exploits) designed to infect his iPhone 6 via a malicious link in an SMS text message. We attributed Pegasus and The Trident exploit chain to an Israel-based “cyber warfare” company, NSO Group.

In February 2017 Citizen Lab, with assistance of Mexican non-governmental organizations (NGOs) R3D and SocialTic, documented how Mexican government food scientists, health, and consumer advocates also received links to infrastructure that we connected to NSO Group. We suspect that the links were designed to install Pegasus on their phones.

This report expands the Mexican investigation and shows how 10 Mexican journalists and human rights defenders, one minor child, and one United States citizen, were targeted with NSO’s Exploit Framework. Our investigation was conducted with the collaboration and assistance of R3D, SocialTic and Article 19. With their assistance, we have confirmed over 76 additional messages containing NSO exploit links. They are co-publishing an extensive investigation (in Spanish).

Figure 1: Selected Mexican NSO Targets in media, human rights and anti corruption advocacy, and public health.

The targets share a basic connection: they have been involved in investigating or working on reports of high-level official corruption, or government involvement in human rights abuses. The infection attempts often coincided with work on specific high-profile investigations and sensitive issues between January 2015 and August 2016, at which time our previous report likely led to the shutdown of the operations.

The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats. The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years. A majority of the infection attempts, however, took place during two periods: August 2015 and April-July 2016 (See: Figure 2).

Figure 2: Timeline of receipt of SMSes with NSO Exploit Links

The timeline shows at least two periods of intense targeting that our collaborators have connected to key events in Mexican politics.

Period 1 (August 2015) During this period the Mexican President was officially exonerated for his role in the “Casa Blanca” scandal on which Carmen Aristegui had first reported, and Carlos Loret de Mola was questioning the government’s role in extrajudicial killings.

Period 2 (April- July 2016) : A range of key events concerning revelations of government involvement in human rights abuses and extra-judicial killings, and questions around official accounts happened during this time frame. Revelations of bribery and counter-lawsuits, and lawmaking around corruption and government accountability also occurred around this period.

Even more disturbing, we have determined that the minor child of at least one target was also sent upsetting messages with NSO exploit links, presumably in attempt to spy on the child’s mother. In addition, at least one target was located within the United States during some of infection attempts.

The NSO Group, which is reportedly being offered for sale at a price of one billion dollars, claims that its products are restricted “to authorized government agencies.” We have no conclusive evidence attributing these messages to specific government agencies in Mexico. However, circumstantial evidence suggests that one or more governmental of NSO’s government customers in Mexico are the likely operators.

The infrastructure and SMS content is exclusively Mexico specific

Targets work on domestic issues of immediate concern to powerful Mexican interests, and the governmen

Multiple government agencies in Mexico are reportedly NSO customers

Regardless of the specific client, however, the cases we outline here provide evidence that clearly shows the lack of oversight and the misuse potential of NSO Group’s products, and of “government-exclusive” spyware more generally.

Background

This section provides background on the NSO Group and its spyware suite, threats faced by journalists in Mexico, and our investigation.

NSO’s Spyware

The NSO Group is an Israel-based company that sells remote intrusion solutions to governments. NSO markets their product, known as Pegasus, as a fully featured tool to remotely compromise and then monitor mobile phones of all popular operating systems.

To remotely compromise phones, NSO’s government customers trick targets to click on a link. When the link is clicked, the phone visits a server that checks the handset model (iPhone, Android, etc) and then sends the phone a remote exploit for its operating system. These servers are part of what we call NSO’s Exploit Framework.

Figure 3: NSO’s Exploit Framework [Source: Hacking Team E-mails] In 2016, when human rights defender Ahmed Mansoor was sent messages with links to NSO’s Exploit Framework he provided the messages to Citizen Lab. When we clicked on the messages in a controlled environment, we observed a chain of three zero day exploits used to remotely jailbreak and infect the phone with NSO’s Pegasus spyware. In 2017, Lookout and Google released details on an Android version of Pegasus.

Once infected, a phone becomes a digital spy in the pocket of a victim, fully under the control of the operator. An infected phone can be configured to report back all activities on the device, from messages and calls (even those via end-to-end-encrypted messaging apps), to recording audio and taking pictures.

NSO’s Claims of Due Diligence & Lawful Use

In response to prior Citizen Lab reporting, NSO has claimed that “their mission is to help make the world a safer place, by providing authorized governments with technology that helps them combat terror and crime.” The company claimed that it “fully complies with strict export control laws and regulations.” Implying that they have limited ability to see exactly how their product is used, NSO Group stated that “the company does NOT operate any of its systems.” Furthermore, NSO Group claims that its “products may only be used for the prevention and investigation of crimes.”

Figure 4: NSO Group’s Claims of Oversight [Source] Despite these claims, Citizen Lab has repeatedly uncovered abuses of NSO’s spyware, demonstrating a failure to control the end-uses of their products. The misuse of NSO’s products is part of a larger problem, abuse of government-exclusive spyware to target individuals and organizations who are neither criminal, nor terrorists, but members of civil society. In our previous investigation of NSO use in Mexico we found targeting of civil society even included scientists. It is also worth noting that for many authoritarian or otherwise democratically-challenged governments, what constitutes a “crime” can be very broad, and include any activity that challenges powerful elites. The infection attempts against investigative journalists and civil society members in Mexico that we outline here is a case in point.

Journalism Under Threat in Mexico

Mexico is one of the most dangerous places in the world for journalists. Reporters covering sensitive issues often face threats of kidnapping, intimidation, or physical violence as a result of their work. Mexican organized criminal groups are responsible for much of this violence. However, according to a recent report from human rights group Article 19, at least 53% of the 426 acts of violence and intimidation against journalists in 2016 were linked to officials. The report also found that virtually none of these actions resulted in legal consequences for the aggressor. In spite of these risks, reporters and editors continue to report on important issues, including corruption at the highest levels of the country. Reporters working on these topics often face threats in an attempt to intimidate them into silence.

Many Mexican journalists have stated their belief that their communications are monitored by elements within the Mexican government and security services. Prior Citizen Lab research on NSO group also included an example of a targeted Mexican journalist (Rafael Cabrera). In another case indicating surreptitious monitoring, a recording of a private phone call between Santiago Aguirre and the parent of one of the victims of the Iguala Mass Disappearance appeared online. Aguirre is one of the targets of infection attempts using NSO exploit links that we examine here.

While these cases provide indications that Mexican journalists are under digital surveillance, their clandestine nature can make them hard to document. This report, and corresponding reporting by R3D, Social Tic, and Article 19, provide the clearest evidence yet that government-exclusive spyware is being used in an effort to infect and monitor Mexican journalists.

The Investigation

We worked closely with Mexican NGOs R3D, SocialTic, and Article 19 to collect a large number of suspect text messages sent to journalists and members of civil society. We then compared the ultimate destination of the links with known NSO exploit servers. At the time of writing, we have collected over 76 confirmed (and previously unreported) messages sent to 11 targets. All of the targets described in this report have consented to be named. However, the text content of several messages have been redacted because of the personal or confidential information they contain.

This report includes four parts:

Part 1: The Targets Describes 11 individuals targeted over a period of more than one and a half years with SMS messages containing links to NSO’s Exploit Framework.

Part 2: Reckless Infection Attempts Details the reckless characteristics of the infection attempts against journalists and other targets.

Part 3: Connecting the SMSes to NSO Exploit Infrastructure Analyzes the connection between the SMS messages sent to the targets and server infrastructure used to operate NSO exploits.

Part 4: Discussion Discusses the implications of such a reckless approach to infection attempts, and the apparent lack of oversight in the Mexican case.

Part 1: The Targets

Six Mexican journalists and television personalities received text messages with NSO links. The minor child of one journalist was also targeted. Five members of Mexican nongovernmental organizations also received such messages. The targets range across Mexico’s political spectrum, and paint a picture of an effort to track key figures in Mexican media.

The targeting described in this report took place between January 2015 and August 2016. In the following sections, we detail the targeting of journalists and civil society groups.

Targeted Journalists

Television personality and investigative journalist Carmen Aristegui, along with her son Emilio Aristegui (a minor), were the most heavily targeted individuals we identified. Other media targets include several journalists working with Aristegui Noticias (a well known Mexican news organization that emphasizes independent, investigative journalism), including Rafael Cabrera and Sebastián Barragán. From a more mainstream media direction, Televisa anchor Carlos Loret de Mola, was also extensively targeted. In addition, Salvador Camarena and Daniel Lizárraga, both journalists specializing in investigating corruption with Mexicanos Contra la Corrupción y la Impunidad (MCCI: Mexicans Against Corruption and Impunity), were also targeted with infection attempts. Both Camarena and Lizárraga had previously collaborated with Aristegui Noticias.

Targets: Aristegui Noticias

In the past several years, Aristegui Noticias has been heavily involved in major investigations. In the original Citizen Lab report on NSO Group, we presented evidence that journalist Rafael Cabrera (a reporter with Aristegui Noticias, and now BuzzFeed) was targeted with NSO exploit links. We now know that his colleagues Sebastián Barragán and Carmen Aristegui were also among the targets.

Figure 5: Aristegui Noticias Journalists and a minor child targeted with NSO exploit links. Note: Rafael Cabrera now works with BuzzFeed.

Aristegui Noticias has conducted several investigations of corrupt practices among Mexican officials. However, the timeline of targeting with NSO links corresponds to their work on the so-called “Casa Blanca scandal”.

The scandal, which was first reported on by Aristegui Noticias, concerns a luxurious house provided to the Mexican President Peña Nieto’s wife, but paid for by the subsidiary of a Mexican company (Groupo Higa, which is led by a friend of the President, and linked to a consortium of Chinese investors). Groupo Higa was given a series of highly lucrative contracts during the period when Peña was governor of the State of Mexico. After the scandal broke, the Mexican Federal government made the unusual step of rescinding the contracts.

While three individuals working with Aristegui Noticias were targeted during the period, Carmen Aristegui (see above) and her son were the most heavily targeted with infection attempts.

The messages targeting Aristegui Noticias reporters were exceptionally varied, and covered all of the themes highlighted in Section 3.

Special Note: Targeting Mother and Child

On January 12 2015, Carmen Aristegui received a text message saying that the “previous message was not sent” along with a link that led to NSO Group’s Exploit Framework. Over the next year and a half, Aristegui received a further 25 messages that included NSO links purporting to come from: the US Embassy in Mexico, Amber Alerts, colleagues, people in her personal life, her bank, phone company, and notifications of kidnappings.

Emilio Aristegui, Aristegui’s son, who was a minor when the messages were sent, was also intensively targeted. Emilio was located within the United States when he was targeted with many of these infection attempts.

We confirmed that over 21 messages with NSO exploit links were sent Emilio Aristegui. A further set were not confirmed as we were unable to view the original links, but are highly suspect as they used language found in other targeting, or came from the same phone number as NSO exploit link messages. Some of these infection attempts contained crude sexual taunts, others impersonated the United States’ Embassy, or his mother’s reporting and activities.

Figure 6: Targeting of Carmen Aristegui and her son Emilio

After heavily targeting Carmen Aristegui for more than a year, in March 2016 the operators appear to cease targeting her and instead focus their efforts on her son, Emilio (See: Figure 6). The infection attempts then focus on Emilio Aristegui for approximately three months, before returning to target both mother and son in June 2016. In July 2016, the operators alternate between targets every one to three days (see Figure 6).

We speculate that this “off center” targeting was an attempt to indirectly monitor Emilio Aristegui’s mother Carmen. This is the first example of which we are aware of a minor being targeted with infection attempts using governmental spyware. Moreover, as we discuss below, sending Emilio Aristegui a message impersonating a United States Government communication while he was located in the United States may have violated US Law.

Target: Carlos Loret de Mola

Carlos Loret de Mola is a well known journalist and on-air personality for the Mexican national television channel Televisa. The NSO messages first arrived in August 2015 during a period when he was covering a massacre that took place on May 22, 2015 at a farm known as “Rancho El Sol” in western Mexico. Loret was reporting on the possible involvement and subsequent cover up of elements of the Mexican Federal government in the disappearance of 42 persons that took place at Rancho El Sol.

On August 8, 2015, Loret published an article in which he claimed new evidence from the Mexican Federal Public Prosecutor’s Office contradicted official claims at the time of the massacre, and showed Mexican security forces had actually committed extrajudicial killings. Many of the victims were killed with point-blank gunshot wounds to the back of their heads.

Figure 7: Televisa Journalist Carlos Loret de Mola targeted with NSO exploit links

On August 20, 2015, Loret received the following SMS message purporting to be from the US Embassy involving issues with his visa application.

USEMBASSY.GOV/ DETECTAMOS UN PROBLEMA CON TU VISA POR FAVOR ACUDE PRONTAMENTE A LA EMBAJADA. VER DETALLES: [exploit link] USEMBASSY.GOV/ WE DETECTED A PROBLEM WITH YOUR VISA PLEASE GO PROMPTLY TO THE EMBASSY. SEE DETAILS [exploit link]

On August 29, 2016, Loret then received another SMS message, this time claiming that he was being watched by people in a suspicious van. The SMS included a link to what was purported to be pictures of the van:

estas personas vinieron preguntando por usted vienen en camioneta sin placas tome foto los conoce? mire [exploit link] these people came asking for you they come in a van without license plates i took a picture do you know them? look: [exploit link]

From September 1 to September 6, 2015 Loret then received a further four messages with topics ranging from AMBER Alerts, service charges, to pictures of alleged rumours being spread of Loret. On March 5, 2016, Loret then received another SMS message with links to NSO infrastructure, this time with a message about the supposed death of a friend’s father and the funeral details:

Loret hoy fallecio mi padre estamos devastados envio datos del velatorio espero contar contigo mau [exploit link] Loret my father died today and we are devastated I am sending you the dates for the wake I hope I can count on you mau [exploit link]

As we detailed in our prior research, similar text messages with details of a supposed “father’s death” with links to NSO infrastructure were received on July 8, 2016 by Mexican health advocate Alejandro Calvillo, and on July 13, 2016 by the Mexican health scientist Dr. Simon Barquera.

Finally, on April 20, 2016, Loret received another SMS message with links purporting to show inappropriate behavior:

Querido Loret, fijate que tvnotas tiene fotos tuyas donde estas con una chava cenando. Dales una checada: [exploit link] Dear Loret, look that tvnotas has photos of you in which you are dining with a chick. Look at them: [exploit link]

Targets: Mexicanos Contra la Corrupción y la Impunidad (MCCI)

Shortly after Mexicanos Contra la Corrupción y la Impunidad (MCCI: Mexicans against Corruption and Impunity) was founded, Salvador Camarena and Daniel Lizárraga received text messages containing links to NSO’s Exploit Framework.

Figure 8: Mexicanos Contra la Corrupción y la Impunidad Journalists targeted with NSO exploit links.

During the period of the targeting, Camarena and Lizárraga were working on topics that included the Panama Papers, and investigating evidence of offshore holdings linked to corrupt officials and prominent individuals in Mexico.

Civil Society Groups

Staff and directors of two Mexican civil society organizations were also targeted using NSO exploit links: Centro Miguel Agustín Pro Juárez (Centro PRODH) and the Mexican institute for Competitiveness (IMCO).

Targeted Org: Centro Miguel Agustín Pro Juárez

Centro PRODH is a Mexican human rights and legal aid organization. At the time of targeting with NSO exploit links they were representing the families of the 43 students disappeared in the Iguala Forced Disappearance case. The attempts at infection took place shortly before the public announcement of an investigation that cast doubt on an official account of the events.

Figure 9: Centro PRODH Director and staff targeted with NSO exploit links

Targets at Centro PRODH included their Director Mario Patrón as well as Stephanie Brewer and Santiago Aguirre. Patrón and Aguirre are Mexican citizens, Brewer is a United States citizen.

There is public evidence suggesting the monitoring of Centro PRODH communications, and these individuals in particular. Audio from a purported phone call between Santiago Aguirre and the parent of one of the victims of the Iguala Forced Disappearance was released in Mexican media as a video. The same video included audio of another lawyer working with the families, and seemed intended to impugn the character of the lawyer.

Targeted Org: Mexican institute for Competitiveness

The Mexican Institute for Competitiveness is a Mexican NGO that works on supporting economic competitiveness. Legislative and policy engagement and activism around anti-corruption form a core part of their work.

From December 21 2015 to May 18 2016, IMCO staff Juan Pardinas and Alexandra Zapata received four messages containing NSO links.

Figure 10: IMCO Director and an investigator targeted with NSO exploit links

Message themes included fake news updates of stories about corruption within IMCO, messages referring to other IMCO staff, a warning of armed men outside a house, and a message about a fictitious death.

Part 2: Reckless Infection Attempts

The journalists and human rights defenders targeted for infection with NSO links were sent a wide variety of messages designed to trick them into clicking, and being infected. Some of the tactics used by the operators are common, such as using alarming false notifications, offers of enticing information, and other personal content. What sets this targeting apart is the reckless and brazen nature of some of the lures, such as impersonating the United States Embassy. The targeting also used sexual themes and taunts, which we also highlighted in previous reporting on Mexican government food scientists, health, and consumer advocates targeted with NSO spyware.

Infection Attempts Against A Minor in the United States

Emilio Aristegui was a minor at the time that many of the messages were sent and received. He was also residing in the United States. On June 3rd, 2016, Emilio received a message purporting to come from the US Embassy in Mexico, concerning the status of his visa (See: Figure 11). The message was sent from a Mexican number to a phone located in the US. While his mother Carmen Aristegui, and Carlos Mola also received similar messages in 2015, the fact that the message, among others, was sent to someone in the US may have violated US law (See Section 4: Reckless Targeting).

Impersonating the United States Embassy in Mexico

On August 20, 2015, journalists Carlos Loret de Mola and Carmen Aristegui separately received alarming messages from the US Embassy in Mexico. The messages claimed that there were problems with their United States visas, and advised them to go to the US Embassy immediately.

Figure 11: Messages impersonating the United States Embassy in Mexico

The messages were fakes, and contained links to the NSO Group’s Exploit Framework. Impersonating official communications from the United States Embassy is an alarming precedent, and suggests that the NSO customer had little concern for the possibility of violating diplomatic norms, such as not impersonating foreign consular activities.

Fake Amber Alerts

On August 24, 2015 journalist Carmen Aristegui received a message purporting to be an AMBER Alert (an emergency broadcast) about the kidnapping of a nine year old boy. On September 29, 2015 another journalist, Carlos Loret de Mola, also received a fake Amber Alert, this time referring to a missing university student. By impersonating Amber Alert, the operators of the NSO deployment run the risk of sowing suspicion around real alerts, with potential consequences for actual kidnapped children.

Figure 12: Fake Amber Alerts with NSO exploit links

Messages related to personal safety

Several journalist received messages purportedly warning them about threats to their personal safety. On August 29, 2015, journalist Carlos Loret de Mola received a message claiming that a group of people had come looking for him in a van with a purported link to a picture of the van. Human rights defender Juan Pardinas received a message on December 24, 2015 warning him that two armed men were waiting for him in a van at his house. On May 25, 2016 Salvador Camarena received a similar message, referring to a group of people conducting surveillance of his house. These messages appear to play on concerns for personal safety and the physical threats that journalists face in Mexico.

Figure 13: Upsetting messages about personal safety

Upsetting Personal Messages

The operators use a variety personal and upsetting themes in their messages. Many of the messages were sexual in tone, suggesting a preference for the theme on the part of the NSO customer. Themes of the messages included:

Crude sexual taunts and accusations

Promises of nude pictures of a partner or spouse

Fake stories about leaks of affairs and leaked sexual videos

Death or loss of family members, strangers

These messages are clearly attempts to play on the emotions of the target intensified by reference to family members and partners. For example, journalists Rafael Cabrera & Salvador Camarena each separately received an identical message on the exact same day purporting to show someone having sex with their spouses.

Figure 14: Upsetting sexual taunts

Urgent Work-related messages

Messages included urgent notifications of workplace issues including:

Notifications of kidnappings of colleagues

Breaking news about major issues

Notifications of website errors

Notifications of defamation lawsuits

Not all of the work related messages were so urgent. On June 8 and 28, 2016, human rights defender Santiago Aguirre received messages asking him to comment on the thesis of a student that was supposedly was based on Aguirre’s own dissertation. Aguirre is also an instructor, and it would not be uncommon to receive such messages.

Figure 15: Urgent work-related messages sent to Carmen Aristegui

Financial Concerns

The operators made frequent use of fake bills and other concerns to get the attention of their target including:

A fake phone bill

Fake credit card purchase notifications

Fake phone sex billing notifications

These messages reflect more conventional social engineering approaches.

Part 3: Connecting the SMSes to NSO Exploit Infrastructure

In our prior investigation of NSO targeting against Ahmed Mansoor, we scanned the Internet looking for NSO Group’s exploit domain names. The targets discussed in this report were sent messages pointing to domains on this previously identified list. In total, we identified 10 NSO exploit domains used in the targeting:

NSO Exploit Domain Messages secure-access10[.]mx 3 network190[.]com 3 iusacell-movil[.]com.mx 2 mymensaje-sms[.]com 1 smscentro[.]com 1 unonoticias[.]net 27 fb-accounts[.]com 5 smsmensaje[.]mx 31 ideas-telcel.com[.]mx 5 twiitter.com[.]mx 1

Figure 17 shows the connection between these domains and messages sent to targets in Mexico.

Figure 17: NSO Exploit Domains and Targets [click for high resolution] Importantly, we are unsure whether the domains were all used by a single government operator, or reflect targeting by multiple government operators.

Interestingly, some of the earliest NSO Group exploit domains first served their exploits over HTTP rather than HTTPS. If NSO was using zero-day exploits at this time, their exploits may have been exposed to interception by third parties with visibility over the network traffic through which such exploits passed.

Part 4: Discussion

Digital Targeting Mirrors Physical Risks to Journalists

The physical threats journalists face in Mexico as a result of their work are well documented. Our investigation makes it clear that these threats extend to the digital realm. In the cases we describe in this report, the text messages included violent taunts and threats reflecting the pervasiveness of physical threats that Mexican media face. There were at least 426 documented attacks and incidents of intimidation against Mexican journalists in 2016 and more than half of them had an official origin.

The digital targeting that we describe compounds physical threats and harassment in several ways. Many of the journalists and civil society members who were targeted with infection attempts using NSO links, and their colleagues, were similarly targeted for other forms of harassment, and intimidation.

Reckless Targeting

A feature of the Mexican case that bears special discussion is the intensity of the targeting with NSO links, as well as the often extreme content of the messages.

NSO’s Pegasus solution is designed for surreptitious monitoring of phones. Getting a victim to click and then remain infected without raising suspicion is a delicate task. Contrary to this imperative, the entities operating NSO products in this case were, at best, using the tool for something closer to a digital smash-and-grab operation: the messages were both brazen and extremely obvious. Not only did most of the messages use deceptions that were easy to falsify, but the Mexican operators show a recurring preference for crude, sexual taunts, as we have noted in both prior reports. Someone clicking on them would be likely to almost immediately recognize their mistake.

The recklessness of the operation extends to impersonating official programs and entities including AMBER Alerts and the United States Embassy in Mexico, which can trigger negative consequences. Creating fake malicious AMBER Alerts threatens to reduce the credibility of real AMBER Alerts. Meanwhile, impersonating messages from the United States Embassy runs the risk of violating diplomatic norms, and upsetting a major ally and trading partner. Were these messages sent to lower-profile private individuals, the ruse may never have been discovered. But instead, the messages were sent to very high profile and well known journalists, increasing the likelihood of discovery.

We highlighted several of these themes in previous reporting about the misuse of NSO spyware to target Mexican food scientists and health advocates. The findings in this investigation make it clear that substantial additional abuse took place.

The infection attempts against the minor child who was physically residing in the United States may have criminal ramifications. For example, under Section 18 U.S. Code § 912, impersonating a federal official is a federal criminal offense. Further, under the Computer Fraud and Abuse Act ( 18 U.S.C. § 1030), attempts to access a computer without authorization may be criminal offenses. Moreover, the US Wiretap Act has been previously cited with respect to other cases of cross-border targeting on US soil using commercial malware.

Lack of Oversight and Accountability

The choice of targets, and the style of targeting, provides strong evidence that the targeting was conducted without proper oversight and judicial accountability.

Like the federal food scientists and consumer advocates who were also targeted with NSO exploit links, the targets in this report are neither criminals nor terrorists, but widely respected journalists and human rights defenders.

The recklessness of the targeting also points to a lack of oversight. R3D, SocialTic, and Article 19 highlight the legal issues surrounding this case in their report. Mexico does not have specific legal regulations governing the use of malware, but the constitution and law (under Article 16) does authorize several legal entities to conduct intercepts. Interception of this type requires federal judicial authorization. Mexico’s Centro de Investigación y Seguridad Nacional (CISEN) is authorized to conduct interceptions when there is an imminent threat to national security, Mexico’s Federal police is authorized when there is probable cause to believe certain crimes are being committed, and Mexican local and federal prosecutors are similarly authorized. However, such surveillance always requires the approval of a judge. R3D provides a detailed discussion of the legal issues governing surveillance in Mexico in this report.

Our investigation also provided the first example that we are aware of in which a minor child was targeted with government exclusive spyware. Emilio Aristegui received at least 21 confirmed NSO messages, and several more that we strongly suspect to be NSO messages. The relentless targeting included many of the same upsetting and highly personal themes as the adult recipients.

It is difficult to conceive of what legitimate investigation would include these journalists, human rights defenders, and a minor child. There is no clear basis for them to be categorized as threats to national security. The same could be said for prior evidence of the NSO spyware campaign against Mexican government food scientists, health, and consumer advocates. Regardless of the legitimacy of the targets, this type of aggressive surveillance with malware may not pass the necessary and proportionate tests under Mexican law.

Furthermore, it seems unlikely that a federal judge, or other source of operational oversight, would have authorized such a politically risky act as masquerading as the United States Embassy to two of the country’s highest profile journalists, or targeting an individual located within the United States.

Conclusion: The “Principle of Misuse”

There is extensive research into the market for government-exclusive spyware and cases of abuse. Around the globe, spyware sold to governments ostensibly to track terrorists and investigate criminals is, in a growing number of documented incidents, abused for nakedly political ends.

More recently, several spyware manufacturers, including Gamma Group (FinFisher) and Hacking Team, were subject to breaches, and had their customer data posted online. Some customers appeared to be engaged in what many would consider legitimate investigations. However, the breach also revealed a global list of government customers in countries known to abuse human rights. Taken together, these findings made it clear that misuse of government-exclusive spyware is a global problem.

This report, taken together with the results of two previous investigations into NSO Group, suggest that their product and corporate behavior fits the same pattern of proliferation and misuse.

After cases of abuse come to light, spyware companies are often asked by the media for comment. Typically company executives respond with a mixture of evasiveness and allusions to their own internal due-diligence processes. The evidence, however, continues to mount that self-regulation, as well as international regulatory efforts, have failed to stop the continued proliferation and abuse of these technologies.

As a result, we think that there is evidence of an informal “principle of misuse” for government-exclusive spyware: when the technology is sold to a government without sufficient oversight, it will eventually be misused. This principle highlights the need to hold spyware manufacturers accountable for their contributions to global cyber insecurity.

In a recent publication, Citizen Lab researchers outlined a checklist of measures that could be taken to reign in such abuses. Until steps are taken to limit the possibility of abusive use, we anticipate finding more cases where highly-invasive spyware is used to stifle dissent and block opposition to powerful elites.

Acknowledgements

We thank the targets of these infection attempts who accepted to share their cases with the collaborating organizations, and with the public.

Citizen lab would like to thank the collaborating organizations including R3D, SocialTic and Article19, for their careful and important investigative work. Without their assistance, this report would not have been possible

We would like to especially thank and highlight the contribution of Luis Fernando García of R3D for his support of our investigation.

We thank Access Now, especially their Help Line team, and Amnesty International for assistance compiling evidence, and ensuring that the initial NSO case in Mexico came to our attention. With special thanks to Claudio Guarnieri, Senior Technologist at Amnesty International, and Co-Founder of Security Without Borders.

Thanks to the whole Citizen lab team, especially: Amitpal Singh, Irene Poetranto, Adam Senft, Adam Hulcoop.

Appendix A: Full Message List