Smartphone spyware targets investigators hunting for missing Mexican students

Pegasus spyware deployed against international investigation opposed by the Mexican government.

Mexicans targeted with Israeli-developed Pegasus spyware

At least 19 individuals in Mexico have been targeted with infection attempts by a sophisticated, Israeli-developed smartphone spyware known as "Pegasus."

In March 2016, a phone belonging to the Interdisciplinary Group of Independent Experts (GIEI) suffered two infection attempts, disguised as text messages pretending to be related to the death of a relative.

Each of the SMS messages contained a phishing link pointing to the domain smsmensaje[.]mx.


Infection attempts sent to a phone belonging to the GIEI investigation. (Source: Citizen Lab)

Clicking that URL would have infected the phone with Pegasus, spyware developed by NSO Group. The Israeli "cyber warfare" firm made headlines in the summer of 2016 when its exploit chain for the "Trident" iOS vulnerabilities, three then-unpatched security holes, was analysed by Citizen Lab and Lookout.
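The practical check a defender would want after reading the above is a way to screen a batch of text messages against published indicators such as smsmensaje[.]mx. The script below is an added example, not code from the article or from Citizen Lab: it refangs defanged indicators, pulls hostnames out of message text, and flags any message whose link points at an indicator domain or one of its subdomains. The second indicator and the sample messages are constructed for illustration; only smsmensaje[.]mx comes from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator list. smsmensaje[.]mx is the domain named in the
# article; example-lure[.]test is a hypothetical placeholder added so the
# URL-form indicator path is exercised too.
DEFANGED_INDICATORS = [
    "smsmensaje[.]mx",
    "hxxp://example-lure[.]test/verify",
]

# Constructed sample SMS traffic: (message id, body). None of these texts
# are the real lures; they only mimic the "link in an SMS" shape.
SAMPLE_MESSAGES = [
    ("sms-1", "Lamentamos informarle del fallecimiento de un familiar, "
              "detalles aqui: http://smsmensaje.mx/ver/123"),
    ("sms-2", "Tu pedido llego, rastrealo en https://tracking.example.com/abc"),
    ("sms-3", "Ultima notificacion: http://notif.smsmensaje.mx/x"),
]

# Matches full http(s) URLs, or bare domains with an optional path.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+"
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/[^\s]*)?",
    re.IGNORECASE,
)


def refang(ioc):
    """Undo the common [.] and hxxp defanging used in threat reports."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def indicator_domains(iocs):
    """Normalise a mixed list of defanged domains/URLs to lowercase hostnames."""
    domains = set()
    for ioc in iocs:
        value = refang(ioc)
        if "://" in value:
            value = urlsplit(value).hostname or ""
        domains.add(value.lower().rstrip("."))
    domains.discard("")
    return domains


def extract_hosts(text):
    """Return every hostname referenced by a link in the message body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def matches(host, domains):
    """True if host is an indicator domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_messages(messages, iocs):
    """Return (message id, hostname) pairs for every link that hits an indicator."""
    domains = indicator_domains(iocs)
    hits = []
    for msg_id, body in messages:
        for host in extract_hosts(body):
            if matches(host, domains):
                hits.append((msg_id, host))
    return hits


if __name__ == "__main__":
    for msg_id, host in scan_messages(SAMPLE_MESSAGES, DEFANGED_INDICATORS):
        print(f"{msg_id}: link to indicator domain {host}")
```

Matching on the registered domain and its subdomains, rather than on the full URL, is deliberate: operators rotate paths and subdomains per target far more often than they change the parent domain. The hostname extraction is also a reminder of the limit of this kind of check, since it only catches infrastructure that has already been reported.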

Once installed through the Trident chain, Pegasus can read calls, emails, and data from Facebook, Skype, and other apps. According to Lookout's analysis, the spyware can persist across mobile device software updates and update itself if one of its hardcoded exploits is patched.

The targeted phone belonged to the coordinator of the GIEI and served as a point of contact for the group's other members and their sources. At the same time, other investigators received similar infection attempts on their own devices. Because Pegasus compromises the handset itself, safeguards such as encrypted messaging offer no protection: the spyware reads messages after they have been decrypted on the device.

In total, 19 individuals in Mexico have encountered infection attempts using technology developed by NSO Group. These cases are documented in three separate reports written by Citizen Lab researchers at the Munk School of Global Affairs at the University of Toronto.

Missing students


The GIEI received the infection attempts shortly after criticizing the Mexican government for obstructing their investigation into the 2014 Iguala mass kidnapping.

On 26 September 2014, 43 male students from the Ayotzinapa Rural Teachers' College went missing on their way to Mexico City, where they sought to commemorate the anniversary of the 1968 Tlatelolco Massacre. As of this writing, investigators have failed to find any of the missing students. It's believed the Guerreros Unidos drug cartel intercepted and killed them, but it's unclear whether local police and/or federal forces associated with the Mexican government had something to do with the students' disappearance.

The Inter-American Commission on Human Rights appointed the GIEI to investigate what happened to the students. For a while, the investigators enjoyed the cooperation of the government. But their relationship soured when the group began publishing reports revealing evidence that contradicted the government's story of the incident.

It's unclear whether the Mexican government purchased Pegasus from NSO Group, one of several surveillance vendors that say they sell exclusively to government clients.

James L. Cavallaro, president of the Inter-American Commission, isn't ruling out that possibility. As he told The New York Times:

"The Mexican government implored the commission to create this expert group, and then when their investigation did not ratify the official version, things changed. If it’s true that the government spied or tried to spy on our experts, that would be an outrage of historic proportions."

We might never know who used the technology. Even the NSO Group said it can't identify who exactly uses Pegasus and its other tools to conduct hacking attempts. Such "plausible deniability" constitutes the allure of companies like NSO Group. Governments can contract with them to conduct surveillance of persons they deem a threat, and they can deny any wrongdoing if things go sour.

But that's not even the scariest part.

The GIEI investigators came from outside Mexico and enjoyed a level of diplomatic immunity to conduct their work in Mexico. Francisco Cox, one of the GIEI investigators, reflects on what this would mean if the Mexican government was responsible for the hacking attempts:

"You are not just hacking anyone’s phone, you are hacking the phone of someone who has been granted immunity. They couldn’t even search my bags in the airport. If this can happen to an independent body that has immunity and that is invited by the government, it is a bit scary to think of what could happen to a common citizen in Mexico."

Scary indeed. All the more reason to be on the lookout for suspicious links and attachments, including those sent to you via text, and to install operating system updates promptly: Apple patched the Trident vulnerabilities in iOS 9.3.5 within days of their disclosure, so a fully updated phone would have resisted this particular chain.


One Response

  1. David L

    July 12, 2017 at 3:08 pm

    Hi all,

    The information in the article is originally derived from the research done by Citizen Lab in Toronto, Canada. Here is the link: https://citizenlab.ca/2017/07/mexico-disappearances-nso/
    There are several previous reports going back to when this was first discovered, months ago.

    And in another attempt to infiltrate and distribute malware to Chinese news groups outside the mainland, Citizen Lab has this new report: https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/
    This is not the first time either, as the NYT and GitHub were attacked last year by a massive DDoS, for the same reasons: an attempt at censorship of those who report on the Chinese government.
