Israeli company's spyware used to target corruption-fighting journalists and lawyers in Mexico

The NSO Group is an Israeli firm that describes itself as a "cyber warfare" company, dealing exclusively to governments, including the famously corrupt and dysfunctional government of Mexico. The NSO Group is presently for sale, with a $1 billion pricetag.

Earlier this year, NSO Group malware was used to target Mexican soda-tax activists agitating for curbs on the amount of sugar in Mexican soft drinks.

Now, Citizen Lab reports that the NSO Group's exploit framework was used in an extensive campaign against anti-corruption activists and lawyers, and was even implanted on a child's computer.

The NSO Group's weapons came disguised as legitimate communications, including messages from the Embassy of the United States of America to Mexico and AMBER Alerts about abducted children.

The timeline shows at least two periods of intense targeting that our collaborators have connected to key events in Mexican politics.


Period 1 (August 2015) During this period the Mexican President was officially exonerated for his role in the "Casa Blanca" scandal on which Carmen Aristegui had first reported, and Carlos Loret de Mola was questioning the government's role in extrajudicial killings.

Period 2 (April- July 2016): A range of key events concerning revelations of government involvement in human rights abuses and extra-judicial killings, and questions around official accounts happened during this time frame. Revelations of bribery and counter-lawsuits, and lawmaking around corruption and government accountability also occurred around this period.

Even more disturbing, we have determined that the minor child of at least one target was also sent upsetting messages with NSO exploit links, presumably in attempt to spy on the child's mother. In addition, at least one target was located within the United States during some of infection attempts.

The NSO Group, which is reportedly being offered for sale at a price of one billion dollars, claims that its products are restricted "to authorized government agencies." We have no conclusive evidence attributing these messages to specific government agencies in Mexico. However, circumstantial evidence suggests that one or more governmental of NSO's government customers in Mexico are the likely operators.

Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware

[John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and Ron Deibert/Citizen Lab]