The same spyware that was used against Mexican journalists, lawyers, and even a child was also used against a group of international investigators.
A collective known as the Interdisciplinary Group of Independent Experts (GIEI), was hit by the spyware while in Mexico in 2016. The group was appointed by the Inter-American Commission on Human Rights (IACHR) a human rights organization based in Washington D.C. to look into the 2014 Iguala Mass Disappearance of 43 students.
The New York Times and researchers with Citizen Lab at the Munk School of Global Affairs at the University of Toronto published reports last month describing how Pegasus was being used to infect and monitor Mexican non-governmental organizations. According to an update from both entities on Monday, the GIEI was hit by the same strain of Pegasus in March 2016 that infected journalists and activists advocating for the passage of anti-corruption legislation later that year.
According to Citizen Lab, a member of the GIEI was sent text messages with links to the NSO Group’s exploit infrastructure as the group was prepping its final report on the disappearance.
The report “strongly contradicted key statements and theories by the Mexican government” and “highlighted irregularities in the investigation led by Mexico’s Office of the Prosecutor.” GIEI’s findings cast an air of uncertainty around the Mexican government’s accounts of the disappearance of the students. The infection attempts also came shortly after the GIEI publicly criticized the Mexican government for interfering with its investigation by refusing to hand over documents or grant interviews with those involved.
The group was comprised of investigators from outside Mexico, including Colombia, Chile, Guatemala and Spain. That’s notable, especially according to the New York Times, because members of the group were essentially given diplomatic immunity.
“You are not just hacking anyone’s phone, you are hacking the phone of someone who has been granted immunity,” Francisco Cox, a lawyer based in Chile and a member of the GIEI told the New York Times. “If this can happen to an independent body that has immunity and that is invited by the government, it is a bit scary to think of what could happen to a common citizen in Mexico.”
Citizen Lab pointed out last month how unlikely it would be for a Mexican judge to approve the distribution of malware such as Pegasus against dissenters. Researchers at the lab said it would be even more unlikely for a judge to allow a group of international diplomats that were given free reign over a critical case like the 2014 Iguala Mass Disappearance to be targeted.
Citizen Lab’s June report described a much more widespread infection attempt: 11 victims receiving 76 malicious links. Monday’s report describes how a phone belonging to the GIEI received only two messages. They weren’t any less sinister however; the messages were lures to trick an investigator into thinking a friend’s father had died. At the end of the messages was a link to the NSO Group’s exploit infrastructure that if clicked, would have turned the phone into a spying post.
The NSO Group, the Israeli firm that developed and sells the Pegasus spyware, has previously stressed the company only sells to governments. Like they did last month, researchers with Citizen Lab said they couldn’t definitively link the Mexican government to the infection attempts, but said it adds to the “already-strong circumstantial evidence that entities within the Mexican government are the responsible party.”
As far as the Mexican spyware campaign goes, the malicious text messages sent to the GIEI mark the 19th case of a person targeted by Pegasus. Citizen Lab has been tracking each case in hopes of better illustrating how NSO Group’s spyware has undermined human rights issues in Mexico. In addition to journalists, researchers with the laboratory have previously published findings on how three Mexican food scientists and anti-obesity campaigners, and politicians from Mexico’s oppositional National Action Party were targeted.
According to the Times, the Mexican government has purchased $80 million worth of the Pegasus spyware since 2011. Mexico’s president, Enrique Peña Nieto, admitted during a press event last month his government purchased the spyware but denied he ordering any surveillance be carried out.