wordpress blog stats
Connect with us

Hi, what are you looking for?

Pegasus targeted 35 journalists and activists in El Salvador, several gigabytes of data hacked

An investigation has revealed how the spyware was delivered while also presenting some evidence against the government.

As many as 35 journalists and civil society members from El Salvador were infected with NSO Group’s Pegasus spyware between July 2020 and November 2021, according to a joint report released by Citizen Lab and Access Now with the help of Amnesty International’s Security Lab.

The journalists who were allegedly targeted by Pegasus have reported on a controversy about the El Salvador government’s negotiation of a pact with a gang for reduced violence and electoral support, as well as other sensitive issues concerning President Nayib Armando Bukele’s administration.

Citizen Lab was able to conclude that the spyware successfully uploaded data from the targets’ phone to Pegasus infrastructure. “In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully using their mobile data connections,” it added.

Earlier, in July 2021, an international consortium of media organisations revealed that political leaders, journalists, human rights activists, businessmen, military officials, intelligence agency officials, and several others from countries across the world were targeted for surveillance by Pegasus, but there were no confirmed Salvadoran targets named at that time.

Two types of zero-click exploits identified in the Pegasus attacks

Citizen Lab identified the Pegasus targets as employees of media organisations such as El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, and El Diario de Hoy, as well as two independent journalists. It also found that civil society organisations in El Salvador, including Fundación DTJ, Cristosal, and another NGO, were hacked.

Advertisement. Scroll to continue reading.

While studying the 35 cases, Citizen Lab identified two types of zero-click exploits (malware that does not require clicking on any link or downloading any malicious material to get activated) —

  • Kismet: Thirteen of the phones contained the Kismet Factor, which Citizen Lab said is an artifact left behind by the execution of NSO Group’s zero-click Kismet exploit.

    We saw this exploit deployed between July and December 2020, and the exploit appears to have been a zero-day exploit [takes advantage of a vulnerability that’s known but not yet patched] against iOS 13.5.1 and 13.7. The KISMET exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage’s IMTranscoderAgent process invoking a WebKit instance — Citizen Lab

  • Forcedentry: Citizen Lab also recovered a copy of the Forcedentry exploit which was deployed to a phone with iOS 14.8.1, but could not conclude whether this exploit operated on the phone. “It is unclear why the exploit was fired at non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit,” it added.

244 domain names with single-click exploits also identified

We fingerprinted Pegasus URL shortener websites and identified 244 domain names registered from 2019 through 2021 that appear to have been used by various NSO Group customers to distribute the Pegasus spyware via links. — Citizen Lab


Source: Citizen Lab

Circumstantial evidence pointing towards El Salvador govt

Citizen Lab presented three-fold ‘evidence’ to back its claim of the El Salvador government being behind this attack.

  • It said that the time of the targeting of the victims coincided with moments in which those organisations were of interest to the Bukele government.
  • Through evidence obtained by network scanning, Citizen Lab discovered TOROGOZ, an operator whose activities are strongly suggestive of a Pegasus customer in El Salvador. NSO has previously admitted that it only sells its products to governments.
  • One of the targets at El Faro (Carlos Martínez) was targeted by TOROGOZ in an unsuccessful attempt using the Forcedentry exploit, Citizen Lab added.

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ