NSO Group spyware used to target widow of Mexican journalist, researchers say

The text messages sent to the widow, who is also a journalist, were laced with exploits that would have turned her phone into a multifaceted surveillance device.
Mexican journalist Griselda Triana (right) at a memorial for her slain husband, Javier Valdez Cárdenas. Triana has been targeted by the Pegasus spyware, according to Citizen Lab. (Photo credit: Tania Victoria/Secretaría de Cultura CDMX)

A notorious piece of spyware has been used to target the wife of a slain Mexican journalist, security researchers said Wednesday, adding to ongoing public scrutiny of the company that developed the powerful surveillance tool.

Days after Javier Valdez Cárdenas, a reporter known for his coverage of international drug trafficking, was murdered in May 2017, multiple attempts were made to hack the phone of his widow, Griselda Triana, with spyware made by NSO Group, according to Citizen Lab, a digital rights and research organization at the University of Toronto.

The text messages sent to Triana, who is also a journalist, were laced with software that would have turned her phone into a multifaceted surveillance device, Citizen Lab researchers said. One of the messages tugged at her grief as a widow, asking, “What do you think of this story?”

Triana didn’t click on either link and turned the texts over to Mexican advocacy groups, which shared them with Citizen Lab for forensic analysis.

The surveillance tool aimed at Triana is known as Pegasus, the researchers said, an invasive malware strain developed by Israeli vendor NSO Group. The spyware uses a chain of exploits capable of accessing a target device’s microphone and camera, contact list, GPS location, and personal passwords.

Last November, Citizen Lab published evidence that two of Valdez’s colleagues received Pegasus-laden texts claiming to have evidence linking Valdez’s slaying to a cartel.

The researchers said a Mexican government-linked organization was behind those attempted hacks. The links sent to Triana would have directed her to domains controlled by the same organization, Citizen Lab said. Researchers have not specifically identified that organization, referring to it only as RECKLESS-1.

There are now 11 documented cases of Pegasus being trained on journalists in Mexico and elsewhere, according to Citizen Lab. The spyware was allegedly used to track Saudi journalist Jamal Khashoggi before his brutal murder, according to a lawsuit filed against NSO Group by a Saudi dissident in December.

NSO Group co-founder Shalev Hulio has denied that the company’s technology was used to track Khashoggi.

NSO Group says it carefully vets customers and that governments use its products to fight crime and terrorism. But in addition to journalists, Pegasus has been used to target anticorruption watchdogs and political dissidents, according to Amnesty International and Citizen Lab. In Mexico alone, Citizen Lab has documented 25 people – including lawyers, politicians, and public health professionals – who have been targeted by Pegasus.

An NSO Group spokesperson told CyberScoop that any use of the company’s tools that “falls outside of preventing or investigating crime and terror is considered a misuse and will be investigated. The company takes misuse seriously and has the right to shut down the system if necessary.”

NSO Group is one of multiple spyware vendors whose specialized surveillance services have been in demand from governments. The company, whose founders recently re-acquired it from a private equity firm, reported $250 million in revenue and dozens of customers last year.

UPDATE, 8:40 a.m. EDT: This story has been updated with a statement from an NSO Group spokesperson. 

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
