In life, Mexican journalist Javier Valdez Cárdenas was a thorn in the side of the Sinaloa cartel. His weekly paper, Ríodoce, based in Sinaloa, doggedly reported on drug trafficking and the Mexican Drug War, until it cost him his life in 2017. In death, he’s proven to be a millstone around the neck of the Mexican Attorney General’s Office.
Days after his killing, Valdez’s colleagues—Ríodoce‘s Director, Ismael Bojórquez, and journalist Andrés Villarreal—were targeted with Pegasus, a powerful cyber weapon built by the Israeli company NSO Group, designed to completely takes over a user’s smartphone to reveal location data, private messages, and other personal information. Researchers ultimately confirmed that 24 other individuals, including some of Mexico’s most prominent journalists, anti-corruption activists, and human rights lawyers, had been “abusively targeted” by the spyware.
Today, a 25th person has been added to the list: Valdez’s wife, Griselda Triana.
A journalist herself at the radio show “La otredad,” Triana was targeted by Pegasus infection attempts a week after Villareal and Bojórquez were attacked by the spyware, according to research by digital watchdog group Citizen Lab. On May 25th and 26th, 11 days after Valdez’s murder, Triana received two text messages designed to bait her into clicking on Pegasus’s malicious links.
NSO Group has drawn a firestorm of criticism since 2016, when researchers revealed that its spyware was being used by governments to monitor members of civil society in Mexico, Saudi Arabia, the United Arab Emirates and elsewhere. Saudi journalist Jamal Khashoggi was also tracked with NSO software before he was murdered by government agents in October, one lawsuit alleges. A Qatari journalist and five of the Mexican journalists and activists who allege they were targeted by Pegasus have also filed suits against NSO. The company maintains that its software is used lawfully.
In 2012, the government of Mexico also said that it had signed a $20 million contract with NSO, and in a rare interview in January, the company’s founder claimed that Pegasus was used to help Mexican authorities apprehend drug lord El Chapo.
After reports emerged last year that Pegasus was being used on journalists and other non-criminal suspects in Mexico, the government opened a federal investigation. But the inquiry has been sluggish, and so far no one has been punished. Initially, Mexico’s Attorney General’s office had denied that any contracts existed, then refused to divulge them. Last month, the office finally disclosed it had contracts with NSO totaling $32 million.
As Triana told researchers, the suspicious messages arrived during a time when she was cooperating with authorities investigating Valdez’s killing, and also publicly protesting his death. The first message claimed to be an update on Valdez’s murder, suggesting it was a botched carjacking. The second message, which arrived the following day, claimed Triana was being attacked by the media. Suspicious, she didn’t open either message.
As Citizen Lab research confirmed, the links in the messages to Triana pointed to domains associated with previous Pegasus infection attempts—exploit infrastructure operated by what the researchers called “RECKLESS-1.” Only one agency is known to have a license for Pegasus: the federal Attorney General’s Office, or in Spanish, the Fiscalia General de la Federacion (FGR).
“In our recent reporting on RECKLESS-1 and other NSO Group operators, we determined that the operator was active until June 2017,” reports Citizen lab. “The infrastructure associated with the RECKLESS-1 operator was active until June 2017 when we published a third report describing abuses of Pegasus in Mexico. While that specific infrastructure has not been re-enabled, our recent scanning results indicate that Mexican government-linked NSO Group operators have been active as recently as late September 2018.”
The Mexican Attorney General’s office initially denied that contracts with NSO Group existed, then reversed course, refusing to hand over documents to the Mexican government’s information commission (INAI), which was investigating the agency’s use of Pegasus. The state privacy authority told the Associated Press that the Attorney General’s Office subsequently claimed no records existed of the software being used.
Luis Fernando Garcia, Director of RD3, a Mexican non-profit NGO that researches and litigates cases related to human rights, says it’s unclear why criminal investigators targeted Triana. “Many speculations could be made [and] a proper investigation should clarify that,” says Garcia. “[But] under no circumstance could the targeting be deemed legal or legitimate.”
NSO dismisses research
NSO Group seems unconcerned with the Pegasus abuses in Mexico. In February, an NSO spokesperson told Fast Company “we take any credible allegation of misuse seriously, investigate it and take the appropriate action, including suspending or terminating a contract.” It’s a claim echoed by NSO Group’s new investor, Novalpina Capital, whose founder, Stephen Peel, said that the private equity firm did its due diligence before agreeing to buy the Israeli spyware firm last month, feeling confident that the company “operates with the highest degree of integrity and caution.”
The company has also issued vehement denials about its role in attacks on members of civil society, and has sought to burnish its credibility with a vigorous publicity campaign.
NSO’s efforts to counter the lawsuits have also reportedly included the use of undercover operatives to investigate researchers examining Pegasus, including two members of Citizen Lab. Israeli media reported last month that the operation was managed by the Israeli intelligence firm Black Cube, which has become infamous for “dirty ops” campaigns, including against women who had accused Harvey Weinstein of sexual misconduct.
In an emailed statement, an NSO spokesperson called Citizen Lab’s research the “latest non-scientific, non-data driven report” that builds on their “ongoing guesswork regarding NSO technology,” but the firm offered no evidence for that claim. “This group has accused NSO of every possible wrongdoing, when the truth of the matter is that our technology helps save lives,” the NSO spokesperson wrote.
Garcia isn’t buying what NSO Group and Novalpina Capital are selling to the media, researchers, and its investors.
“I think that calls into question the integrity of NSO Group and, in a way, their innocence, that they have not rushed to clarify any abuses or misuse of this technology,” says Garcia. “In our opinion, it’s an indication that they don’t really want this to be investigated fully.”
Nor do elements of the Attorney General’s Office apparently. As Garcia tells Fast Company, the agency has been dragging its feet in the investigation into the attempted Pegasus infections. FGR has spent, according to documents obtained by INAI, at least $40 million to acquire licenses to be used against at least 500 targets, but the office claims not to have used it.
In February, Mexico’s privacy watchdog offered more evidence: it said it had finally received Pegasus licensing contracts from 2016 to 2017 from the Attorney General’s Office. According to the contracts, the office spent $32 million on the software.
“They [went] to the courts to force the [current] investigator to do his job,” says Garcia. “It’s been a year and a half, and they [still] have not identified or interviewed anyone who was part of the Pegasus operation.”
Garcia says the Attorney General’s Office’s current prosecutor is likely to be replaced soon. The hope, he says, is that this new official will ramp up the investigations into attempted Pegasus infections of the phones and computers of journalists, activists, and other civilians. But he and other groups are calling for an independent panel of experts to oversee the investigation.
Griselda, he says, also intends to file a criminal complaint and join other Mexican plaintiffs in their ongoing suit against NSO.