Some of Mexico’s most prominent journalists and activists were targeted by a massive spyware campaign, according to a new report from Citizen Lab. Conducted mostly between August 2015 and July 2016, the campaign included 76 separate spyware-laced SMS messages sent to 11 different targets, including prominent TV journalist Carmen Aristegui and her young son. It’s unclear why Aristegui and the others were targeted, although she and many of the other targeted journalists were investigating the “Casa Blanca” scandal, in which Mexican President Enrique Peña Nieto is accused of receiving a multimillion-dollar mansion from a favored contractor.
The messages themselves ranged from a simple “message not sent” text to more aggressive attempts, which masqueraded as the US Embassy’s visa division or a bereaved friend sending details of a funeral. Some texts even posed as Amber Alerts, claiming to offer details on a missing child. Once clicked, the software exploited a trio of previously disclosed iOS vulnerabilities to silently install itself on the target device.
Citizen Lab believes the campaign was orchestrated by the Israeli spyware vendor NSO Group, based on similarities in the code of the spyware and the host domains where it was stored. The group, rumored to be on sale for as much as $ 1 billion, rose to prominence last year after similar spyware was detected on the iPhone of human rights activist Ahmed Mansoor in the United Arab Emirates.
The research prompted an emergency patch from Apple to close the rare iOS vulnerabilities exploited by the attack. Notably, the Mexican campaign took place before that patch took effect, so all of the iOS vulnerabilities would have been exploitable at the time.
Notably, the NSO Group only sells to governments, and is subject to various export restrictions on sanctioned countries like North Korea and Iran. Those restrictions would not prevent sales to the Mexican government, however, and there is a record of the roughly $ 80 million in NSO sales to various Mexican federal agencies, according to a report from The New York Times. It’s unclear whether there was any legal authorization for the campaign, and one expert told the Times it’s unlikely such a request would be approved by a judge.
Let’s block ads! (Why?)