A Hacked Newsroom Brings a Spyware Maker to U.S. Court

Roman Gressier, an American journalist working for the Salvadoran news outlet El Faro, spent the spring of 2021 in his small, dorm-like apartment outside the capital. He was twenty-six, and had recently moved to San Salvador to pursue his long-standing ambition of working for El Faro, one of Central America’s foremost news organizations. Breaking a string of stories documenting corruption and malfeasance in the administration of El Salvador’s populist President, Nayib Bukele, El Faro has become a leading source of accountability in Central American media—and a source of frustration to Bukele. The Salvadoran leader has tweeted diatribes against journalists, dismissing them as “mercenaries” and “fake news.” “El Faro (and friends) became Web sites with opposition content,” Bukele tweeted in Spanish. “If there was any journalism left there, it’s gone.” Gressier worked long hours, subsisting on pupusas and takeout from a nearby taqueria. He talked incessantly to colleagues and sources on his battered, Tiffany-blue-encased iPhone 11. “I don’t remember having a particularly good work-life balance,” he told me.

He wrote articles about the arrests of working-class Salvadorans attempting to flee to the U.S. and activists’ efforts to strengthen an anti-corruption commission. The work was scrupulous and at times frightening. “On one hand, everything was falling into place,” Gressier recalled. “And on the other, I did feel very strained and under the microscope, and like I was tiptoeing around, and there was a direct sense that I was being surveilled.” One story, which Gressier translated into English, covered the U.S. State Department’s decision to place Bukele’s chief cabinet minister on a list of corrupt officials. Around the time that story was published in El Faro, Gressier’s iPhone 11 was hacked for the first of at least four times, according to analysis conducted by the watchdog group Citizen Lab. His device was infected with Pegasus, spyware developed by the Israeli technology company NSO Group. Pegasus seizes control of a target’s phone, providing access to its photos, messages, and other data. It allows the software’s operator to turn on the device’s camera and microphone, and use it as a listening device. The infections can be effected using “zero click” exploits, which do not require the phone’s user to take any action, and can eliminate obvious evidence that the spyware was even installed.

Gressier is bisexual, and at the time this was known only to close friends and colleagues. In El Salvador, members of the L.G.B.T.Q. community sometimes face violent attacks, and pro-government trolls often dominate the discourse online. Gressier was alarmed at the possibility that his sexuality could be used against him. He remembered “panicking” on his computer, and on other devices, “figuring out how the hell to cordon off my personal information.”

Gressier is one of at least thirty-five journalists and civil-society members hacked with Pegasus in El Salvador between July, 2020, and November, 2021, according to the analysis by Citizen Lab, which was verified by Amnesty International. The hacking campaign comprised at least two hundred and sixty Pegasus attacks. Because it is more difficult to confirm Pegasus infections on Android phones, which predominate in El Salvador, experts said that the true number was likely far higher. “Their hacking was not only extensive but also intensive,” Paolo Nigro Herrero, of Access Now, a nonprofit group focussed on digital rights, told me. “Normally, people get hacked once or twice or three times in rare situations. But, in this case, we saw a really intensive use.”

Many of the targeted individuals—including Gressier, who now lives elsewhere in Central America—have been forced to flee El Salvador. In interviews conducted in the United States and Central America, more than a dozen members of the El Faro newsroom told me that the Pegasus hackings had impaired their ability to work as journalists and maintain sources’ trust. “It’s a shitty feeling,” Óscar Martínez, El Faro’s executive editor, whose phone was infected with Pegasus forty-two times between July, 2020, and October, 2021, told me. “Sources, they were very upset with me. And they have the right to be. They just trusted me. And I failed them.”

In a statement, an NSO spokesperson said that the watchdog groups “repeatedly recycle each other’s reports and knowingly release speculative, inaccurate and incomplete reports to the media, including to the New Yorker.” NSO claims that the groups’ analyses “rely on probabilities and circumstantial protocols rather than on actual forensics and evidence” and that “Citizen Lab and Amnesty are unable to differentiate between NSO’s tools and those of other cyber intelligence companies.”

In a lawsuit filed today in federal court in San Jose, Gressier will become the first U.S. citizen whose phone was infected by Pegasus to sue NSO Group for damages, according to lawyers representing him at the Knight First Amendment Institute at Columbia University. Gressier is one of fifteen El Faro employees who are plaintiffs in the suit. They allege that NSO’s development and use of Pegasus violate the federal Computer Fraud and Abuse Act, and, because of the location of Apple’s servers, a similar California statute. They also ask the court to order NSO to disclose where any stolen data is stored and to delete it. “This will be the first case brought by journalists who are the victims of Pegasus attacks against NSO Group specifically in the United States,” Carrie DeCell, an attorney with the Knight Institute, told me. “The story of the attacks against these reporters is just bone-chilling.” (In NSO’s statement, the spokesperson said that the company “is confident that its legal arguments, which are public record, will ultimately prevail in court.”)

Individuals who allege that they have been hacked have sued NSO in countries outside of the United States. In the U.K. in recent years, several plaintiffs have begun litigation against both NSO Group and the Saudi Arabian and Emirati governments, and suits announced this year in Hungary, Thailand, and France are ongoing. In 2019 and 2021 respectively, WhatsApp and Apple sued NSO in U.S. court, alleging that the Israeli company had abused their systems to hack users.

The attorneys representing Gressier and the other journalists said they hope that the new lawsuit will put pressure on international investors connected to NSO Group. In 2019, NSO took on a vast amount of debt as part of a leveraged-buyout deal in which a London-based private-equity firm, Novalpina, acquired a seventy-per-cent stake. The Financial Times reported that the creditors Credit Suisse and Jefferies, which were underwriters of an initial five-hundred-million-dollar loan that facilitated that buyout, as well as an American hedge fund, Senator, had urged NSO to sell more of its spyware, even amid mounting international condemnation. Credit Suisse, Jefferies, and Senator said that they are not major creditors to NSO and that they do not direct the firm’s operations. An American firm, BRG Asset Management, a subsidiary of Berkeley Research Group, currently manages the fund that owns a majority stake in NSO Group, though a source there told me that NSO in the past year “withdrew any pretence of co-operation” and that the two entities have “effectively no contact.” DeCell, the lawyer, said of the new lawsuit, “We hope it really deters any investors around the world, but particularly U.S. investors, from continuing to fund spyware manufacturers, whether it’s in an advisory capacity or they’re in more direct control.”

The lawyers also hope to clarify how existing laws apply to the digital threats to press freedom posed by the burgeoning, multi-billion-dollar spyware industry. “There’s very little case law. There are very few cases in U.S. courts that have raised these kinds of issues,” Jameel Jaffer, the executive director of the Knight Institute, told me. “We see this kind of targeting not as a problem only for the political dissident and the journalist and the human-rights activist but as a problem for human rights and democracy more broadly.”

NSO Group’s spyware, which was initially developed more than a decade ago, has now been used in dozens of countries around the world, including across Latin America. In 2020, Citizen Lab reported that the governments of Guatemala, Honduras, and El Salvador were likely customers of Circles, an affiliate of NSO Group that tracks and monitors cell-phone users by taking advantage of weaknesses in the design of phone networks. (In a 2020 response to the Business & Human Rights Resource Centre, NSO stated that “Circles is an independent company from NSO, affiliated to the same corporate grouping. Both NSO Group and Circles lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate.”) In Mexico, Pegasus appeared on the phones of people with ties to the journalist Javier Valdez Cárdenas, who was murdered after reporting on organized crime. As I reported in the magazine earlier this year, human-rights activists have linked the spyware to three hundred acts of physical violence worldwide.

NSO Group’s business is founded on secrecy; it has refused to publicly identify its clients. In the statement, the company said it sells its software only to “legitimate government agencies” for use in state intelligence and law-enforcement efforts, and maintained that its tools “have proven to save thousands of lives around the world.” It claimed that the firm “cannot know who the targets of its customers are.” Yet it cites its own “rigorous and unique compliance policies” and says it has “terminated contracts when misuse was found.”

Many of the Salvadoran journalists who were hacked told me that they believe that whoever deployed Pegasus against them is connected to the Bukele regime. Citizen Lab said that its findings point to the existence of an NSO client operating Pegasus in El Salvador, and reporters were often hacked as they worked on stories of importance to the Bukele regime. “We analyzed the exact time line,” Herrero, the Access Now investigator, recalled. “If somebody was reporting on corruption, then, boom, they got hacked seven days a week.” Carlos Martínez, an El Faro reporter and the brother of Óscar Martínez, the executive editor, told me, “It’s very clear for us that the Bukele government is trying to stop us, to stop our job and to destroy us as individuals and as an organization.”

The Bukele administration did not respond to repeated requests for comment. They have previously denied involvement, with a spokesperson telling the A.P., “El Salvador is no way associated with Pegasus and nor is a client of NSO Group.”

Born in Fort Wayne, Indiana, Gressier was brought up in the Church of Jesus Christ of Latter-day Saints, by an American mother and a French father. He maintains both citizenships. Slight, with light brown hair and blue eyes, he learned to speak fluent Spanish while proselytizing to Mexican and Central American immigrants in Washington state. Over time, he became increasingly interested in working in Central America itself. After his first year at Brigham Young University, which is supported by the church, he transferred to John Jay College of Criminal Justice at the City University of New York. After graduating, he worked at restaurants in the city and as a Spanish-language translator. In 2018, he broke with the church he was raised in. Initially, he struggled to find a sense of place and purpose. “I think my fallout with the Mormon church just created a big vacuum, an identity vacuum,” he told me.

Roman Gressier. Photograph by Matthew O’Neill

When he discovered El Faro’s extensive coverage of migrants, he felt a connection to his previous mission work. “I had broken bread for years with people that could very well have been like subjects of these stories,” he recalled. “It was an ‘Aha!’ moment of, ‘This speaks to me.’ It feels like this contributes something to these communities. And I want to be a part of that.” Gressier decided to attend the City University of New York’s graduate school of journalism. As part of the degree, he did an internship with the English edition of El Faro, and after graduating, in December, 2020, he asked for a job with the publication. He purchased a ticket to El Salvador before he’d received an offer. “It just felt like this is where I need to be right now,” he said.

When Gressier arrived in San Salvador, in January, 2021, staffers at El Faro were already concerned about surveillance. The year before, as several reporters prepared a story exposing the Bukele administration’s secret negotiations with members of the MS-13 criminal gang, one of their colleagues warned them that they were being surveilled. The person played audio of a private conversation between the Martínez brothers. “We were naïve at that time,” Óscar Martínez recalled. “There were a lot of signs, a lot of signals that we ignored.” Carlos Dada, El Faro’s co-founder and editor-in-chief, added, “For some years, we had high suspicions that we were being tapped.” In a running joke, the staff of El Faro admonished one another not to divulge sensitive details in newsroom meetings, lest Peter Dumas, the head of the country’s intelligence agency, overhear them.

Days after the first infection of Gressier’s phone, in May, 2021, his phone was hacked again. At the time, he had just published a column for The Baffler that documented the ouster, by Bukele’s party, of five Supreme Court magistrates and the Attorney General. He was also in the middle of a protracted process of applying to the Salvadoran government for a work permit, which included trips to both the Salvadoran police and to the United States. The second hack occurred only hours before he travelled to the U.S. The following month, his phone was hacked a third and fourth time.

By the time the final hacks occurred, in June, 2021, Gressier had begun to suspect that he was being surveilled, either in person, digitally, or both. On one occasion, he became convinced that a car was following him as he walked to a news conference at Central American University. On others, he saw a car and a motorcycle idling near his home that both sped away when he drew close. “I definitely felt uncomfortable after those, and stayed with a friend,” he said. “I felt like that apartment had become too ‘hot.’ ” Ultimately, he was denied a work permit, as was the Mexican journalist Daniel Lizárraga, who was an El Faro investigations editor. That June, amid uncertainty about his immigration status and fears of surveillance, Gressier boarded a bus out of El Salvador. “By the time I left, I was under the impression . . . that I was just being, like, old-fashioned tailed,” Gressier recalled. “I very keenly felt that.”

El Salvador, which spent the nineteen-eighties mired in a bloody civil war, has since suffered from gang violence and entrenched political corruption. Bukele, an iconoclastic mayor who campaigned for the Presidency in leather biker jackets and backward baseball caps, positioned himself as a bulwark against crime and corruption. Since winning in a landslide in 2019, at the age of thirty-seven, Bukele has become an increasingly brazen strongman, dismissing judicial rulings and stacking the country’s Supreme Court with loyalists who ruled that he could make an unconstitutional run for a second consecutive five-year term. After the U.S. placed the Supreme Court justices who backed Bukele’s reëlection bid on a list of corrupt actors and a senior American diplomat complained of a “decline in democracy” in El Salvador, Bukele changed his Twitter biography to “the coolest dictator in the world.”

Bukele is perhaps best known internationally for his embrace of cryptocurrency. One of Gressier’s stories last year was an investigation of Bukele’s apparent plan to create El Salvador’s own cryptocurrency. At that point, Bukele had already made the country the world’s first to adopt Bitcoin as a national currency, a move that has proven economically destabilizing and failed to gain popular support. But it has made Bukele a darling of the international crypto community, members of which have typically cast themselves as supporters of digital rights. “He has massive support from the crypto community, which is in general the kinds of people who care about Pegasus,” John Scott-Railton, of Citizen Lab, told me. “Everyone talks about Bitcoiners being liberation people, except when it comes to El Salvador.”

As Bukele has attacked journalists, El Salvador has fallen thirty places on Reporters Without Borders’ annual ranking of countries that respect press freedoms. In 2020, his administration accused El Faro of money laundering, without providing evidence. El Faro has denied this and has said that the allegation is part of a campaign to silence its reporting. “Ever since Bukele took office, in June, 2019, his harassment towards El Faro has been so big,” María Luz Nóchez, El Faro’s opinion editor, told me. “It’s not like previous governments have not followed members of El Faro before. But nothing like this.”

The first confirmations of the journalists’ fears came in the fall of 2021. That September, Xenia Oliva, a reporter at GatoEncerrado, a local news outlet, and Julia Gavarrete, who covers human-rights issues at El Faro, began exchanging messages about the peculiar behavior of their phones. The devices had been draining their batteries rapidly. Gavarrete’s was overheating and sometimes refusing to open the messaging app Signal. Oliva’s was blocking attempts to perform software updates, and once rebooted on its own. Gavarrete was especially suspicious: earlier that year, she had arranged, via text messages, a meeting with a source. When she arrived, she was greeted by military officers, who questioned her and her source and blocked them from entering a building. “That confirmed to me that they are reading our messages,” she told me.

Access Now’s digital-security help line connected the journalists to Citizen Lab, which tested their phones and confirmed that they had been infected with Pegasus. Gavarrete ultimately learned that two of her phones had been infected eighteen times, between February and September, 2021. The phones contained private exchanges with family members and doctors about her father’s struggle with colon cancer, from which he eventually died. “This obsessive spying and targeting that they did with us means that not only do they want to know about our work,” Gavarrete told me. “They want to know about our lives.”

After learning her phones had been hacked, Gavarrete called Óscar Martínez, the executive editor, and told him that they needed to speak in person. The two met at a Texaco station near Martínez’s home, in San Salvador, within view of the volcano in nearby El Boquerón national park. Hoping to avoid surveillance cameras, they sat on the ground in a parking lot behind the station. Gavarrete told Martínez to turn off his phone. “What’s going on?” he asked. She told him that phones belonging to her and Oliva had been infected with Pegasus. “Probably your phone and most of El Faro could be targeted as well,” she told him. “We need to move quick.”

Martínez alerted Dada, the editor-in-chief, and then convened an emergency meeting with senior members of the newsroom. In subsequent meetings, the journalists, speaking via video conferencing, agreed to work with Citizen Lab and Access Now to test roughly thirty phones used by other El Faro reporters for Pegasus infections. Amnesty International’s security lab then independently verified a sample of the findings. In the next several months, almost all the phones tested positive.

In late November, Apple sent emergency notifications to more than a dozen Salvadoran journalists and civil-society members, informing them that they may have been targeted in the hacking campaign. “ALERT: State-sponsored attackers may be targeting your iPhone,” the message read. “These attackers are likely targeting you individually because of who you are or what you do.”

Near the end of the year, the El Faro newsroom gathered to review a spreadsheet with reporters’ names and the dates their phones were infected. They noted the corresponding reporting that may have been compromised. “The general mood in the newsroom had been, yeah, of course, we’re being surveilled. We just don’t know how,” Gressier, who attended the meeting virtually, recalled. “And then this was just, like, all right, well, now we’re starting to get a trail of receipts.”

To ease the tension, the reporters jokingly ranked one another in terms of who had been surveilled most extensively. “You could see the small faces of people in the video call furiously texting jokes, like ‘Oh, I beat you. I’m more interesting than you,’ ” recalled Nelson Rauda Zablah, a reporter who covers national politics and cryptocurrency. But Zablah, like several of his colleagues, also recalled being afraid: “I was just wanting the meeting to end to start going into my agenda and my phone, see, where was I, what was I doing. And I spent, like, the whole afternoon, maybe way into night, doing that.” Gavarrete added, “Just the feeling that someone can break into your life, have this kind of software that can follow all your steps—it’s intimidating.”

Unlike many of his colleagues, Gressier hadn’t received the warning from Apple. “Maybe I’m in the clear,” he recalled thinking. When he saw the dates of the hackings, he realized that they coincided with the days he suspected that he was being surveilled. “The hacks sort of confirmed my gut suspicions,” he told me.

The reporters’ inquiries ultimately revealed a systematic campaign of espionage against targets throughout El Faro. Some of the targeted individuals were monitored dozens of times. “The person in charge of sales was hacked, people in management were hacked, and even the general manager—people who do not have roles in any way related to journalism were hacked,” Daniel Reyes, the chief technology officer, recalled. “It was astonishing.” In January, 2022, the reporters published their findings, undertaking the uncomfortable work of reporting on themselves. “We are journalists. We don’t expect to be the victims,” Gavarrete said. “We don’t expect to be the story.” Dada added, “When we finally published it, I realized what it meant for me personally. I had to take a shower because I felt so invaded and so dirty that people have been living with me without me knowing.”

In recent weeks, the El Faro journalists have grappled with the decision of whether to join what may prove to be protracted and bruising litigation. Several told me that they felt that the prospect of transparency was worth it. “What I really want to know is: Where is our information? Who has it?” Gavarrete told me. “Because, at some point, they are going to use it.”

This June, Gressier published a column in El Faro disclosing his sexuality, a difficult step in light of his Mormon upbringing. In the piece, he wrote that he had been motivated by “the possibility that my sexuality could be used as a weapon against me.” He now lives in another Central American country, and, like the other hacked El Faro journalists, still reports on the Salvadoran government’s abuses. Last month, in the living room of the apartment he shares with a roommate—and with both of our phones turned off—Gressier told me that he chose to join the suit against NSO Group in part because he was tired of the lack of accountability for the spyware attacks. “Part of the role of this type of spyware is also to intimidate,” he said. “It’s, like, we don’t only want to get information from you, we also want to let you know that nowhere is safe. And we also want you to feel corralled, and in a corner. We want you to feel like your sources aren’t safe.”

After our interview, he went to his bedroom, a tidy, austere room with a mattress and a narrow wooden desk from which he files his pieces. He was reporting a new story about the Bukele regime releasing gang leaders from prison in secret deals. He had repeatedly called a hospital where gang leaders were covertly taken, and received mostly hostility and hang-ups. Gressier kept trying. “Ready to play some cat and mouse?” he said. Then he turned on his phone and prepared to make another call. ♦
