Cyber Security

Mexico’s Anti-Soda Activists Targeted By Government Hacking Program

A scientist and two advocates were targeted by powerful software that's usually only in law enforcement hands

Cyber Security
Mazatlan, Sinaloa, Mexico, North America — Getty Images/Lonely Planet Images
Feb 13, 2017 at 4:11 PM ET

Three of Mexico’s fiercest critics of the health dangers of sugary sodas — a scientist and two directors of nonprofits — have been targeted by an elite hacking program normally used by governments, a study has found.

The study, released Monday, was conducted by the University of Toronto’s Citizen Lab, which tracks the shadowy industry of companies that sell hacking software to the world’s governments. In most cases, such software would be illegal for anyone without a warrant to use, though Citizen Lab has previously found instances in which these programs were used against political dissidents.

The program found by Citizen Lab is created by NSO Group, a low-profile Israeli company with no public website. But internal emails and proposals leaked in 2016 to the New York Times detail its primary product, software called Pegasus. It can essentially own a phone — steal its texts, contacts, emails, locations, and even turn on its microphone to record its surroundings — and hardly leave a trace.

Citizen Lab found three targets who were willing to come forward with their experiences: Dr. Simón Barquera, a research scientist and fellow at the National Academy of Medicine and Mexican Academy of Science; Alejandro Calvillo, Director of El Poder del Consumidor, a public health nonprofit; and Luis Encarnación, coordinator of a coalition of over 40 groups that work to reduce obesity.

Each of the three men had recently publicly advocated the Mexican populace drink fewer sugary sodas. A 2014 tax on soda and other sugary drinks, a step taken to fight Mexico’s obesity epidemic, is projected to save 18,000 lives, though that tax remains a politically divisive issue fiercely opposed by the industry. 

As devastating as Pegasus can be once it infects a phone, there’s still the pesky matter of tricking an owner into installing it in the first place. In July 2016, the three men each began receiving strange texts, usually with a link attached to the end. Calvillo and Encarnación were both told they were mentioned in a popular news article.

Barquera, however, received an almost daily barrage of different texts, alleging, among other things, that he was being investigated for corruption, that he was caught cheating on his wife, that his wife was caught cheating on him, and that his daughter was in a dire accident. All had the goal of getting him to click on a link that would infect his device. 

Links in texts sent to all three men pointed to domains that Citizen Lab had previously identified as used to host Pegasus malware.

The source behind these attacks remains a mystery. NSO insists it only sells its products to government law enforcement offices. Mexico is a consumer, though a spokesperson for its embassy in Washington, D.C. told the New York Times that its surveillance capabilities  “are not used against journalists or activists” and that “all contracts with the federal government are done in accordance with the law.”