By Krishna Jha
Forensic investigations by Amnesty International’s Security Lab have come out with surprising revelations about continued and increasing use of Pegasus, a type of highly invasive spyware, developed by Israeli surveillance firm NSO Group. It has come amid an unprecedented crackdown by the Indian authorities on freedom of peaceful expression and assembly, which has had a chilling impact on civil society organizations, journalists, and activists.
“Journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” said Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab. Amnesty International, in partnership with The Washington Post, has unearthed shocking new details about the continued use of NSO Group’s highly invasive spyware Pegasus to target prominent journalists in India, including one who had previously been a victim of an attack using the same spyware.
Siddharth Varadarajan, Founding Editor of The Wire, was one who was among the journalists recently targeted with Pegasus spyware on their iPhones. Then there is Anand Mangnale, the South Asia Editor at The Organised Crime and Corruption Report Project (OCCRP), was also named in the Amnesty International’s report that dealt with the latest identified cases occurring in October 2023.
The use of Pegasus comes amid an unprecedented crackdown by the Indian authorities on freedom of peaceful expression and assembly, which has had a chilling impact on civil society organizations, journalists, and activists.
There is complete silence and no explanations despite repeated revelations. There has also been a lack of accountability about the use of Pegasus spyware in the country which only intensifies the sense of impunity over these human rights violations.
It is again Pegasus spyware activity on devices of Indian journalists reported by Apple in a notification globally to I-Phone users, a possible target for “state sponsored attackers”. In India, at least 20 journalists and opposition leaders have reportedly been cautioned about the threat.
It is the Amnesty International’s Security Lab that has undertaken a forensic analysis on the phones of individuals targeted all over the world. This lab has also identified an attacker-controlled email address used as part of the Pegasus attack on his device. The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2023.
In October, 2023, Apple issued a new round of threat notifications globally to iPhone users who may have been targeted by “state-sponsored attackers”. More than 20 journalists, and opposition politicians in India are reported to have received the notifications.
Amnesty International previously also documented how Siddharth Varadarajan had been targeted and infected with Pegasus spyware in 2018. His devices were later forensically analysed by a technical committee established by the Supreme Court of India in 2021 in the wake of the Pegasus Project revelations.
In 2022, the committee concluded its investigation, but the Supreme Court has not made the findings of the technical report public. The court noted, however, that the Indian authorities “did not cooperate” with the technical committee’s investigations.
The Modi government has never confirmed or denied using spyware, and it has refused to cooperate with a committee appointed by India’s Supreme Court to investigate whether it had. But two years ago, the Forbidden Stories journalism consortium, which included The Post and OCCRP, found that phones belonging to Indian journalists and political figures were infected with Pegasus, which grants attackers access to a device’s encrypted messages, camera and microphone.
In recent weeks, The Post, in collaboration with Amnesty, found fresh cases of infections among Indian journalists. Additional work by The Post and New York security firm iVerify found that opposition politicians had been targeted, adding to the evidence suggesting the Indian government’s use of powerful surveillance tools.
In addition, Amnesty showed The Post evidence it found in June that suggested a Pegasus customer was preparing to hack people in India. Amnesty asked that the evidence not be detailed to avoid teaching Pegasus users how to cover their tracks.
Siddharth Varadarajan was targeted again with Pegasus on October 16, 2023. The same attacker-controlled email address used in the Pegasus attack against Anand Mangnale was also identified on Siddharth Varadarajan’s phone, confirming that both journalists were targeted by the same Pegasus customer.
There are no indications that the Pegasus attack was successful in this case.
A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.
Reporters at The Washington Post reached out to NSO Group for their response to these latest findings.
The company said, “While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime. The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence.”
NSO Group states that it sells its products only to government intelligence and law enforcement agencies. Indian authorities have until today provided no clarity or transparency on whether they have procured or used the Pegasus spyware in India. (IPA Service)