A new forensic investigation by Amnesty International and The Washington Post has shown the use of the Israeli Pegasus spyware, likely by the Indian government, to surveil high-profile Indian journalists. A report detailing the findings was published on Thursday. Here is what we know.
What does the report say?
The report, published by Amnesty’s Security Lab, found continued use of the software to target high-profile Indian journalists including a journalist who had also previously been a victim of attacks of the same spyware.
Founding editor of The Wire, Siddharth Varadarajan, and South Asia editor at the Organized Crime and Corruption Report Project (OCCRP), Anand Mangnale, were among those recently targeted using Pegasus spyware on their iPhones. The latest attack was identified in October this year.
On October 31, Apple, the manufacturer of iPhones issued notifications to users worldwide who may have been targeted by “state-sponsored” attacks. Out of the users warned, over 20 were opposition leaders and journalists in India.
These included firebrand opposition legislator Mahua Moitra. Known for her sharp questions in parliament, Moitra was recently expelled over an allegation of misconduct after she had repeatedly raised questions about alleged benefits handed by the government to the Adani Group, a business house widely seen as close to Prime Minister Narendra Modi.
Received text & email from Apple warning me Govt trying to hack into my phone & email. @HMOIndia – get a life. Adani & PMO bullies – your fear makes me pity you. @priyankac19 – you, I , & 3 other INDIAns have got it so far . pic.twitter.com/2dPgv14xC0
— Mahua Moitra (@MahuaMoitra) October 31, 2023
Amnesty was able to find an attacker-controlled email address used to target Mangnale, who was working on a story about an alleged stock manipulation by a large multinational conglomerate in India at the time of the attack. It is currently unclear whether the attempted target succeeded in breaking into and compromising Mangnale’s phone.
The Washington Post article about the investigation said that Mangnale’s phone was attacked within 24 hours of reaching out to the tycoon Gautam Adani.
What a coincidence! Within 24 hours after @OCCRP sought comments from Adani for a story on his brother’s involvement in alleged violations of Indian securities law, Pegasus is planted in OCCRP journalist @FightAnand’s phone.
— Saurav Das (@SauravDassss) December 28, 2023
The same email address was used to target Varadarajan on October 16. There is also no indication as to whether this attack was successful so far.
These attacks come just months before India’s national elections, in which a broad coalition of opposition parties is taking on Modi’s Bharatiya Janata Party (BJP).
When has Pegasus been used to attack Indian journalists before?
Amnesty previously discovered that Varadarajan’s phone was targeted and infected by Pegasus in 2018. His devices were analysed by a committee established by the Indian Supreme Court in 2021. The investigation was concluded in 2022 and its findings were not publicised.
“The court noted, however, that the Indian authorities ‘did not cooperate; with the technical committee’s investigations,” said the Amnesty report.
In 2021, leaked documents showed that the spyware was used against over 1,000 Indian phone numbers as New Delhi was accused of using Pegasus to surveil journalists, opposition politicians and activists. This list was shared with news outlets by Amnesty and Paris-based journalism non-profit, Forbidden Stories.
What is Pegasus and how exactly does it work?
Pegasus is a spyware that was developed by Israeli cyber-arms and intelligence company – Niv, Shalev and Omri (NSO) Group Technologies. It was launched in August 2016. NSO claims that the spyware is only used by governments and official law enforcement agencies to help with rescue operations and curb criminal or terrorist activity.
If a phone is attacked by Pegasus, the phone can turn into a surveillance device, allowing Pegasus to access text messages, phone calls, photos and videos. It can also access the phone’s camera, location and microphone, recording audio or video without the phone’s owner knowing.
Early versions of the spyware targeted users through phishing attacks. This means a malicious link was sent to targets through emails or text messages. If the targets clicked on the link, the spyware would be installed on their phones.
However, the technology has advanced since then and now Pegasus can be installed without the target having to click a malicious link. Instead, it can infect a device through what are known as “zero-click” attacks. This is done by exploiting vulnerabilities in phones’ operating systems that even the developers are unaware of.
Encrypted applications such as WhatsApp are not only compromised but are now being used to infect devices with the spyware. In 2019, WhatsApp confirmed that its platform was used to send malware to more than 1,400 phones, including several Indian journalists and human rights activists.
Users would get a WhatsApp call and the software would be installed on their phone even if they didn’t pick up the call. On iPhones, the iMessage software has also been used.
Due to the rapid advancements in the technology, it has become harder to detect the presence of Pegasus through telltale signs. While it is unlikely for regular phones to be under threat, phones belonging to activists and high-profile journalists are under threat of being surveilled through the spyware.
Is India suppressing freedom of speech?
Many journalists’ bodies and rights groups have warned that press freedom has dwindled under the Modi government, with several journalists arrested.
India has fallen to 161st in the World Press Freedom Index from 150th last year, its lowest ever. The Modi government rejects this index and questions its methodology, arguing that India has a free press.
In early October, Indian police carried out raids against dozens of reporters, arresting Prabir Purkayastha, editor of the independent and critical NewsClick website. Many other reporters from NewsClick had their devices and homes searched.