In July, a consortium of journalists unveiled the Pegasus Project: an investigation detailing how governments across the world deployed Pegasus spyware against journalists, activists, and opposition politicians. In response, the founder and CEO of the Israeli developer of the software, the NSO Group, vowed it would not work with countries that violated human rights and targeted journalists, and claimed that it had suspended the software in five countries that had abused the malware, although he did not specify which ones.
Now, a newly published report from a group of prominent digital rights organizations suggests that NSO spyware tools are still being used against journalists in El Salvador.
The report, produced in partnership by Access Now, The Citizen Lab, Fundación Acceso, Amnesty International, and other digital rights groups, found that Pegasus had been installed and used to infect the devices of 35 Salvadoran journalists and activists between July 2020 and November 2021. The findings have been analyzed and corroborated by two of the groups behind the report.
“It’s a huge harm to democracy if the price of doing their job is being surveilled by the government as criminals,” Gaspar Pisanu, the Latin America policy manager at Access Now, told Rest of World.
The Pegasus malware can infect phones in a variety of ways: some are infected after users click seemingly innocuous links, while others are compromised through a more sophisticated zero-click hack. According to the report, after running Amnesty International’s Mobile Verification Toolkit to detect the spyware, journalists flagged that their phones had potentially been infected.
The infections were confirmed through a forensic analysis by The Citizen Lab and then independently confirmed by Amnesty International, which found that the devices had been infected between July 2020 and November 2021. Several of the Pegasus attacks occurred after the Pegasus Project revelations. One journalist’s phone was reinfected over 40 times, representing one of the most persistent uses of Pegasus.
The NSO Group has publicly stated that it only sells its spyware to “certain government entities.”
“NSO’s firm stance on these issues is that the use of cyber tools in order to monitor dissidents, activists, and journalists is a severe misuse of any technology and goes against the desired use of such critical tools. The international community should have zero tolerance policy towards such acts, therefore a global regulation is needed. NSO has proven in the past it has zero-tolerance for these types of misuse, by terminating multiple contracts,” a company spokesperson said in a statement sent to Rest of World.
Meanwhile, it’s unclear which party is responsible for targeting the Salvadoran journalists, though the report outlines the manner in which the administration of Salvadoran president Nayib Bukele has frequently confronted the press. The Salvadoran government has denied being a client of the NSO Group.
Twenty-three of the 35 individuals whose devices were infected worked for El Faro, a news organization critical of Bukele. El Faro has repeatedly claimed that the outlet has been targeted by the current government, including reports of administrative harassment.
Reporters have also been blocked from government press conferences, and earlier this year, the Association of Journalists of El Salvador reported that a journalist’s house had been burglarized and their laptop taken (the perpetrator was never identified).
Other targets of the Pegasus attacks included the investigative outlet Gato Encerrado, as well as several NGOs. Activists and politicians, including a congressman from the opposition party, also received notifications from Apple in November that their phones may have been compromised, although this was not confirmed by the digital rights groups.
Following the release of the Pegasus Project in July, Shalev Hulio, the founder and CEO of the NSO Group, told a Tel Aviv-based radio station that “if there is a country that you know … violates human rights, doesn’t value human life, tracks journalists, even if not through our tools — these are countries that we do not want to work with, and that is why we stopped working with them.”
The report challenges the NSO Group’s narrative of reform and suggests its products are still being abused. “You can connect the dots and see that NSO Group is not changing their practices,” said Access Now’s Pisanu.