NSO is an Israel cyberarms dealer, which buys or researches vulnerabilities in software and then weaponizes them; claiming that these cyberweapons will only be used by democratic governments and their police forces to attacks serious criminals and terrorists — a claim repeated by its competitors, such as Italy's Hacking Team and Gamma Group.
But NSO is just the latest of these dealers whose weapons were wielded against small, democratic NGOs agitating for peaceful reform — in this case, against activists in a coalition that advocated for a proposal to tax high-sugar sodas in Mexico.
The attacks were discovered by Citizen Lab (previously), who dryly observe "This case suggests that NSO's government-exclusive espionage tools may be being used by a government entity on behalf of commercial interests, and not for national security reasons or fighting crime."
NSO is known — thanks to leaked internal documents — to have several Mexican government customers. Mexico is Coca-Cola's largest per-capita consumer market and Mexico pledged $8.2B worth of projects in Mexico during the debate over the soda tax.
While we do not conclusively demonstrate that elements of the Mexican government participated in the Bitter Sweet operation, circumstantial evidence suggests that this is a strong possibility.
Only a government can purchase NSO's products: NSO Group explicitly limits the sales of its products to governments. Therefore, we can reasonably conclude that a government's NSO deployment was used in this attack.
The Mexican Government is a confirmed NSO User: The Mexican government reported that it signed a $ 20 million dollar deal with NSO Group in 2012. Thus, elements of the Mexican government likely had access to NSO products at the time of the Bitter Sweet operation.
The targets work on multiple domestic Mexican issues: The same infrastructure used for the Bitter Sweet operation (the unonoticias[.]net domain) was also used to target a Mexican journalist who wrote a story about government corruption involving the Mexican President's wife and a high-speed rail contractor, among other domestic targeting.
The targets of the Bitter Sweet operation work on issues related to soft drink consumption and parties outside Mexico may object to their work. A large multinational food and beverage company could conceivably have sufficient influence to encourage a different government that has purchased NSO to target Dr. Simon Barquera, Alejandro Calvillo, and Luis Encarnación. However, it is not clear that another government would be equally interested in all of the other targets we have identified.
Noisy targeting: The heavy handed targeting is also a factor suggesting that the Bitter Sweet operator is a Mexican governmental client: it is unlikely that a foreign country would use the NSO tool on Mexican soil so brazenly and so clearly risking discovery.
[John Scott-Railton, Bill Marczak, Claudio Guarnieri, and Masashi Crete-Nishihata/Citizen Lab]