At least two Indian journalists were found to have been targeted by the controversial Pegasus spyware in fresh instances of hacking, an investigation by Amnesty International revealed on Thursday, 28 December.
In a blog post, Amnesty said that the highly sophisticated spyware developed by Israeli firm NSO Group was allegedly used to target iPhones belonging to:
Siddharth Varadarajan, founding editor of The Wire
Anand Mangnale, the South Asia Editor of The Organised Crime and Corruption Report Project (OCCRP)
The forensic investigation was conducted by Amnesty International's Security Lab, with the most recent identified case of Pegasus hacking taking place in India in October 2023.
Interestingly, during the same month, Apple had stirred up a political row in the country by sending spyware threat alert notifications to a swath of Opposition leaders and journalists in the country.
The threat notification sent to over 20 Opposition leaders and journalists, including Vardarajan, had warned them that their devices may have been targeted by "State-sponsored attackers."
The incident had reignited fears of being targeted by Pegasus spyware, something that the Indian government hasn't expressly denied purchasing. Yet, the NSO Group that owns the spyware continues to maintain that Pegasus is only sold to "vetted law enforcement and intelligence agencies."
Pegasus Used To Target Indian Journos in 2023, Says Amnesty Report: Key Findings
1. What Are the Findings of the Amnesty Lab Report?
In June 2023, Amnesty International said that it conducted "a regular technical monitoring exercise" and saw "indications of renewed Pegasus spyware threats towards individuals in India."
After Apple issued threat alerts to certain iPhone users in India, Amnesty said that it undertook a forensic analysis of the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale.
"The Security Lab recovered evidence from Anand Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware," the blog post read.
A zero-click attack is a sophisticated, hacking technique that doesn't require the victim to click on any link in order for their device to get infected by malicious software, including spyware.
Mangnale's phone was reportedly running iOS 16.6, the latest version available at the time.
"The Security Lab also identified an attacker-controlled email address used as part of the Pegasus attack on his device. The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2023 and patched by Apple in iOS 16.6.1 (CVE-2023-41064)," as per the post.
Notably, Amnesty found that Varadarajan was targeted with Pegasus on 16 October 2023, by the same attacker-controlled email address used in the Pegasus attack against Mangnale, reportedly confirming that both journalists were targeted by the same Pegasus customer.
However, the investigation could not conclude whether the spyware had successfully compromised the two targeted devices.
Expand2. How Has the NSO Group Responded?
“While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime," the Israeli surveillance firm was quoted as saying by The Washington Post.
"The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence," the NSO Group said.
Meanwhile, amid the conflict in Gaza, the Israeli government has reportedly deployed Pegasus to help track those kidnapped and murdered by Hamas, Axios reported.
Expand3. What Else Has Amnesty International Said?
Ban Pegasus: Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, called on "all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality."
Release findings: The global non-profit also demanded that the findings of the Supreme Court Technical Committee Report on Pegasus use in India be immediately released.
"The Indian government should also conduct an immediate, independent, transparent, and impartial investigation into all cases of targeted surveillance, including into these latest revelations," Amnesty further said.
Disclose spyware contracts: "To ensure transparency, Indian authorities should also publicly disclose information about any previous, current or future contracts with private surveillance companies, including with NSO Group," the post read.
“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance."
Donncha Ó Cearbhaill, the head of Amnesty International’s Security LabExpand4. Pegasus Spyware in India: A Timeline
In 2019, WhatsApp reportedly informed the Union Ministry of Electronics and Information Technology that around 121 users in India may have been targeted by Pegasus spyware.
In 2021, a consortium of 16 news organisations published the Pegasus Project which found that among other targets worldwide, over 300 Indians including journalists, activists, politicians, bureaucrats, and businessmen had been potentially targeted by the NSO Group's Pegasus spyware that is only sold to sovereign states.
That same year, the Supreme Court set up a technical committee to probe the revelations of the Pegasus Project.
In 2022, the technical committee wrapped up its investigation and found that five of the devices it examined had been infected with malware. However, the committee did not conclusively say whether the malware found was Pegasus spyware or not.
That same year, OCCRP reported that the Intelligence Bureau got a shipment of hardware from NSO Group matching the description of equipment used to run the Pegasus system in 2017.
That same year, The New York Times reported that in 2017, the Indian and Israeli governments "had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion – with Pegasus and a missile system as the centrepieces."
In 2023, several prominent Opposition leaders claimed that they received a threat notification from Apple about State-sponsored attackers targeting their iPhones.
That same year, an internal forensic investigation by the OCCRP found that hackers had attempted to compromise Mangnale's phone with Pegasus spyware.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)
Expand
What Are the Findings of the Amnesty Lab Report?
In June 2023, Amnesty International said that it conducted "a regular technical monitoring exercise" and saw "indications of renewed Pegasus spyware threats towards individuals in India."
After Apple issued threat alerts to certain iPhone users in India, Amnesty said that it undertook a forensic analysis of the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale.
"The Security Lab recovered evidence from Anand Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware," the blog post read.
A zero-click attack is a sophisticated, hacking technique that doesn't require the victim to click on any link in order for their device to get infected by malicious software, including spyware.
Mangnale's phone was reportedly running iOS 16.6, the latest version available at the time.
"The Security Lab also identified an attacker-controlled email address used as part of the Pegasus attack on his device. The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2023 and patched by Apple in iOS 16.6.1 (CVE-2023-41064)," as per the post.
Notably, Amnesty found that Varadarajan was targeted with Pegasus on 16 October 2023, by the same attacker-controlled email address used in the Pegasus attack against Mangnale, reportedly confirming that both journalists were targeted by the same Pegasus customer.
However, the investigation could not conclude whether the spyware had successfully compromised the two targeted devices.
How Has the NSO Group Responded?
“While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime," the Israeli surveillance firm was quoted as saying by The Washington Post.
"The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence," the NSO Group said.
Meanwhile, amid the conflict in Gaza, the Israeli government has reportedly deployed Pegasus to help track those kidnapped and murdered by Hamas, Axios reported.
What Else Has Amnesty International Said?
Ban Pegasus: Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, called on "all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality."
Release findings: The global non-profit also demanded that the findings of the Supreme Court Technical Committee Report on Pegasus use in India be immediately released.
"The Indian government should also conduct an immediate, independent, transparent, and impartial investigation into all cases of targeted surveillance, including into these latest revelations," Amnesty further said.
Disclose spyware contracts: "To ensure transparency, Indian authorities should also publicly disclose information about any previous, current or future contracts with private surveillance companies, including with NSO Group," the post read.
“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance."Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab
Pegasus Spyware in India: A Timeline
In 2019, WhatsApp reportedly informed the Union Ministry of Electronics and Information Technology that around 121 users in India may have been targeted by Pegasus spyware.
In 2021, a consortium of 16 news organisations published the Pegasus Project which found that among other targets worldwide, over 300 Indians including journalists, activists, politicians, bureaucrats, and businessmen had been potentially targeted by the NSO Group's Pegasus spyware that is only sold to sovereign states.
That same year, the Supreme Court set up a technical committee to probe the revelations of the Pegasus Project.
In 2022, the technical committee wrapped up its investigation and found that five of the devices it examined had been infected with malware. However, the committee did not conclusively say whether the malware found was Pegasus spyware or not.
That same year, OCCRP reported that the Intelligence Bureau got a shipment of hardware from NSO Group matching the description of equipment used to run the Pegasus system in 2017.
That same year, The New York Times reported that in 2017, the Indian and Israeli governments "had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion – with Pegasus and a missile system as the centrepieces."
In 2023, several prominent Opposition leaders claimed that they received a threat notification from Apple about State-sponsored attackers targeting their iPhones.
That same year, an internal forensic investigation by the OCCRP found that hackers had attempted to compromise Mangnale's phone with Pegasus spyware.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)