President Enrique Pena Nieto's government denies accusations that it has had journalists and activists spied on. Yet the spyware used in recent attacks is sold exclusively to governments.
Cyberespionage has been a real problem for Norma Trujillo for some time: "Your phones are often monitored, your online activity is tracked or emails are sent to you," the Mexican journalist told DW during this week's Global Media Forum in Bonn.
Trujillo says the feeling of constantly being surveilled makes her work very difficult; she explains that she must either take complicated steps to avoid surveillance and hide important information that could compromise sources' identities, or avoid sensitive issues altogether to keep herself and informants away from the focus of the state.
She herself has seen research data and case-relevant information deleted from journalists' computers by hackers. The disappearance of evidence makes it impossible for them to publish delicate findings without the risk of having to appear in court to justify themselves.
Until now, journalists could only guess as to the source of such cyberattacks. Now, however, Norma Trujillo feels confirmed in her suspicions: Research conducted by the US newspaper The New York Times (NYT) concluded that prominent journalists, human rights lawyers and anti-corruption activists in Mexico have been the target of deliberate government surveillance. The NYT says that no one other than the Mexican government or one of its intelligence agencies could possibly have been behind the surveillance.
Text messages with infected links
Apparently, the surveillance was carried out using a highly sophisticated spyware that the Mexican government purchased to fight organized crime and terrorism. That fact came to light when cyber experts from the University of Toronto's Citizen Lab found the spyware on cellphones belonging to prominent government critics.
Among those critics were lawyers from the human rights organization Centro Prodh, which is investigating the 2014 disappearance and killing of 43 students in the Mexican state of Guerrero, and activists who initiated an anti-corruption bill that was later passed by the Mexican Senate and signed into law by the president.
The well-known investigative journalist Carmen Aristegui was apparently among the targets as well. Her research into a private villa owned by President Pena Nieto's wife, Mexican first lady Angelica Rivera, erupted into a multimillion-dollar corruption scandal.
A group of those spied upon, among them Aristegui and Centro Prodh's director, Mario Patron, immediately lodged a complaint with Mexico's public prosecutor's office, which announced on Wednesday that it would begin an investigation into the matter.
According to the NYT, text messages containing links infected with Pegasus malware were sent to the smartphones of a number of people. Pegasus, which is produced and sold by the Israeli company NSO Group, makes all information contained on a smartphone externally accessible: location, contact lists, recorded conversations, emails, chat messages, etc. It also enables remote access to microphones and cameras.
Clear denials versus strong evidence
The Mexican government vehemently denies the accusation, claiming that the software was used for legitimate purposes only. Tangible proof of the contrary is unlikely to be found in the future. That is because Pegasus spyware is designed to make it impossible to trace by whom or where it was installed, and where the smartphone data are being sent after the device has been infected. It is said that not even the NSO Group can find out who is behind the attacks.
Nevertheless, NSO sells its spyware exclusively to governments, and it can only be used by the authorities that have installed it. This makes it practically impossible for cybercriminals to have spied on the aforementioned people.
State espionage – 'a usual practice'
The espionage affair has occupied Mexican media outlets since the NYT article was published, even though the intimidation of journalists and activists there is anything but new - whether by the government, organized crime cartels or powerful interest groups.
Journalist Norma Trujillo is thus not very surprised: "We are looking at a practice that is usual for the Mexican government." Luis Fernando Garcia, the director of R3D, a Mexican network that fights for the protection of digital rights, also pointed to 15 other recent surveillance cases and spoke of "systematic attacks on Mexican civil society." According to research conducted by R3D, Mexico is also the largest purchaser of Galileo malware, with regional governments even going so far as to purchase the software, developed and sold by the Italian company Hacking Team, to illegally monitor the communications of private citizens.
Norma Trujillo knows of numerous cases in which colleagues found signs that their computers had been hacked and scanned. In the state of Veracruz alone, where Trujillo writes for the La Jornada newspaper, some 2,000 government employees are tasked with monitoring online activity.