Israeli cyberweapons company, NSO Group, whose Pegasus spyware was used to hack into the phones of at least 121 Indian citizens in 2019, has told a California court that the attacks were carried out by its government clients.
Pegasus, a spyware built by the NSO Group, was found to have infiltrated the phones of 1,400 individuals globally, including human rights activists, lawyers and activists in India. WhatsApp had sued the Israeli company in October 2019 for exploiting a vulnerability on its platform to carry out these remote surveillance attacks.
Responding to allegations by WhatsApp of the NSO Group’s involvement, the Israeli company has stated in its submission that “there is no dispute the alleged use of Pegasus to message 1400 foreign WhatsApp users in April and May 2019 was done by sovereign governments in foreign countries.”
The Quint has accessed a copy of the NSO Group’s court filings. While the filings do not specify who its client were, it has once again revived questions around the government’s knowledge of the breach into the phones of Indians using the spyware.
WhatsApp had described the Pegasus breach as a “cyber attack”. The Israeli company has strongly denied allegations that it controlled servers in the United States to implement the attack.
The company has stated that it only played “a tech-support role as the sovereigns’ agent” while the actual deployment of the spyware was carried out by the sovereign governments.
It also stated that WhatsApp’s theory “would punish people who offer goods and services to the government when the cause of action is based on the government’s use of the product.”
Electronics & IT Minister Ravi Shankar Prasad had told Parliament on 28 November, 2019, that there had been “no unauthorised interception” of citizens’ phones by the government.
While the Centre had sought clarifications from both, WhatsApp and the NSO Group, the answer to the question of who bought the Pegasus license and deployed the spyware remains unanswered.
However, Former home secretary GK Pillai had told The Quint on 1 November, that he is aware that Israeli tech firm NSO had been operating in India – and that it had sold spying software to private firms and individuals in the country.
Among the 121 Indian citizens who were victims of surveillance are Bhima Koregaon lawyer Nihal Singh Rathod, Elgar Parishad accused Anand Teltumbde, Bastar-based human rights lawyer Bela Bhatia, jailed activist Sudha Bharadwaj’s lawyer Shalini Gera, Gadchiroli-based lawyer Jagdish Meshram among others.
They had also written to the government on 7 November, seeking an answer from the government about whether it was aware of any contract between its ministries or any state government with the NSO group.
NSO Group’s Stance
In its latest submission in the Northern District court in California, the Pegasus-maker company has claimed that the “Court lacks subject matter jurisdiction because foreign sovereigns committed the acts Plaintiffs challenge, with NSO taking a tech-support role as the sovereigns’ agent.”
WhatsApp has alleged in new court filings that the Israeli company had controlled United States servers to deploy its spyware, Pegasus, in mobile phones of 1,400 individuals across the world, including over 121 Indians, The Guardian reported.
The NSO Group has maintained since the news of the spyware attack first broke that it sells licenses of its products only to governments, law enforcement agencies and state actors.
The company, in an email exchange had told The Quint on 1 November that it “is not able to disclose who is or is not a client” but in the same paragraph reiterated that its software products are sold to no entity but governments.
In response to a list of questions on whether it entered into an agreement with any Indian government agency, the NSO responded saying: “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies.”
The company's official response also stated two significant policy measures.
First, the company “considers any other use of our products than to prevent serious crime and terrorism a misuse” and such use as witnessed on Indian citizens, “is contractually prohibited.”
Second, NSO Group also specifically stated that “we take action if we detect any misuse.”
While the NSO group’s statement on the issue did not address the India incident specifically and instead highlighted the lawsuit against it by WhatsApp owner Facebook, the response provides clarity on the company’s stance on the ongoing ‘snoopgate controversy’.