By Aroon Deep, Anushka Jain, Aihik Sur and Karan HM

On Sunday Forbidden Stories and Affiliate News reported that several Indian activists, journalists and politicians were attacked between 2017 and 2019 by the NSO spyware Pegasus, which is only sold to nation states.

Why it matters: These revelations have significant surveillance and privacy implications. Although India has long been suspected of being a Pegasus buyer, the level and type of surveillance it has put in place and the targets it appears to have selected do not seem to be based on national security or national security concerns to indicate organized crime, for which surveillance is normally provided, sanctioned.

What is more, this appears to be the biggest government sponsored hacking reveal in India – intercepting calls and emails has an established legal process, but hacking devices by installing third-party malware does not. The Indian government did not categorically disputed spying on the individuals, however, citing surveillance laws and saying that “allegations about government surveillance of certain individuals have no concrete basis or truth.”

Read the joint coverage of the Pegasus Project by:

Who was affected by Pegasus? A long list

The 300 allegedly Verified Indian cell phone numbers include those of

  • Minister,
  • Opposition leader,
  • Journalists,
  • the legal community, including an incumbent Supreme Court judge
  • Business people,
  • Government officials,
  • Scientist,
  • Human rights activists and others.

According to a report by The cable, Between 2017 and 2019, 40 Indian journalists were listed as targets. The list includes journalists from almost every major media company.

  • Ritika Chopra (Senior Assistant Editor), Muzamil Jaleel (Cashmir Chief of Bureau), Sushant Singh (Former Associate Editor) of the Indian Express
  • Siddharth Vardarajan (Founding Editor), MK Venu (Founding Editor), Devirupa Mitra (Diplomatic Editor) of The Wire.
  • Rohini Singh, Swati Chaturvedi, and Prem Shankar Jha, who are contributors to The Wire, were also listed.
  • Shishir Gupta (Editor-in-Chief), Prashant Jha (Former Bureau Chief), Rahul Singh at Hindustan Times
  • Vijaita Singh from The Hindu
  • Paranjoy Guha Thakurta (Former EPW Editor)
  • SNM Abdi (Former outlook Journalist)
  • Sandeep Unnithan (Senior Correspondent) at India Today
  • Saikat Dutta (Former Senior Editor at Asia Times)
  • J. Gopikrishnan (former special correspondent for The Pioneer)
  • Smita Sharma (former reporter at The Tribune)
  • Iftikhar Ghilani (DNA reporter)
  • Santosh Bharatiya (former Lok Sabha MP and journalist)
  • Roopesh Kumar Singh (independent journalist)
  • Sanjay Shyam (journalist)
  • Jaspal Singh Heran (Editor of the Punjabi daily newspaper Rozana Pehredar)
  • Manoranjan Gupta (Editor-in-Chief of Frontier TV)

Of these, 8 journalists’ smartphones, underwent forensic analysis and showed that –

  • The smartphones from SNM Abidi, Sushant Singh, MK Venu, Siddharth Vardarajan and Paranjoy Guha Thakurta were infected with the Pegasus spyware.
  • Smita Sharma’s iPhone and Vijaita Singh’s Android phone showed evidence of an attempted hack, but no evidence of a successful completion.
  • Another mainstream newspaper editor’s iPhone was subject to analysis, but the report says no traces of Pegasus could be found, mainly because it was not the same device she was using during the period her name is in the List was mentioned.
  • SNM Abidis Phone was compromised in April, May, July, October and December 2019, but the method of attack has not been confirmed.
  • Sushant Singhs The iPhone was compromised from March to July 2021 by “what Amnesty International calls a zero-click exploit on the iMessage service”.
  • Paranjoy Guha Thakurtas Phone was compromised by Pegasus in April, May, June and July 2018, but the method was not identified.
  • MK Venus Phone was infected through a zero-click exploit in June 2021.
  • Siddharth Vardarajans Phone was compromised in April 2018; The method for this could not be determined.

Activists listed in connection with the Elgar Parishad case

According to The cable, at least nine numbers from eight activists, lawyers, and academics who participated in the Elgar Parishad Cases were listed in the database.

This contains-

  • Activist Rona Wilson
  • Professor Hany Babu
  • Activist Vernon Gonsalves
  • Academic and civil rights activist Anand Teltumbde
  • (AR) Prof. Shoma Sen
  • Journalist and human rights activist Gautam Navlakha
  • Lawyer Arun Ferreira
  • Academic and activist Sudha Bharadwaj

Numerous lawyers, relatives and friends of the arrested activists were also recorded in the database.

These include

  • The daughter of the writer Varavara Rao
  • Lawyer Surendra Gadling’s wife, Minal Gadling, and his lawyers Nihalsingh Rathod and Jagadish Meshram. This also includes one of his former customers Maruti Kurwatkar
  • Sudha Bharadwaj’s lawyer Shalini Gera
  • Anand Teltumbde’s friend, Jaison Cooper, a Kerala-based human rights activist
  • Lawyer Bela Bhatia, a scholar of the Naxalite Movement
  • Rupali Jadhav, one of the oldest members of the Kabir Kala Manch cultural group
  • The close associate and lawyer of the tribal rights activist Mahesh Raut, Lalsu Nagoti

The sixteen media organizations participating in the Pegasus project have said that further names of victims will be disclosed in subsequent stories.

How were they targeted?

The Amnesty Security Lab, which performed the forensic tests on some of the victims’ phones to find out how the Pegasus attack was carried out, also examined the iPhone of former Delhi University professor Syed Abdul Rahman Geelani, a The cable Report said. His research revealed that Geelani had received a series of bespoke text messages on his mobile phone. For example –

  • “United Nations launch online portal for the independence of Kashmir”
  • “Another incident showing how the Indian army librandu mercilessly beat Kashmiri youths to sing Pakistan Murdabad”

The Wire said it was unclear whether these SMS-based attacks worked, but Amnesty International’s security lab revealed that Geelani’s phone had been compromised by Pegasus in between February 2018 and January 2019, and then again from September 2019 to October 2019. “At least one of these attacks, Amnesty notes, was carried out by one Zero-click iMessage exploit“Added the report.

Amnesty International International’s security laboratory forensic investigation also provides details on this iPhone exploit as well as a look at several other methods that victims were attacked. These are the most important findings –

  • Zero-click exploits will remain functional until the latest available version of iOS (July 2021).
  • These zero-click attacks do not require any interaction from the target
  • It has been observed since May 2018 and continues to this day
  • The zero-click exploit was widespread in 2019 and returned in 2021. On the other hand, SMS messages with malicious links, which were a preferred tactic for NSO Group’s customers between 2016 and 2018, have become rarer

Amnesty Internationals Insight into the Telephones of Indian Journalists

iPhone XR with iOS 14.6: Amnesty Internationals Security laboratory said that there was evidence of a compromise iPhone XR of an Indian journalist with iOS 14.6 4 only on June 16, 2021. “Although we were unable to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones shows numerous iMessage push notifications just prior to the execution of Pegasus processes” said the lab.

iPhone 12 with iOS 14.6: Amnesty Security said an Indian journalist’s analysis of a fully patched iPhone 12 with iOS 14.6 also showed signs of success Compromise. “The latest discoveries show that NSO Group’s customers can now remotely compromise all newer iPhone models and iOS versions,” she added.

How were Pegasus network attacks discovered?

Amnesty International’s security laboratories announced that the panel’s investigation into Pegasus of the NSO Group following the discovery of the target of a Amnesty International employee. These findings were refined when the attacks on Moroccan human rights defenders were exposed and were further corroborated by a cyberattack on a Moroccan journalist in 2020.

What we knew before, a timeline:

  • May 2019: A report by the Financial Times revealed that attackers used a vulnerability in WhatsApp to target users’ phones. It adds that the malicious code was developed by a secret Israeli company called NSO Group.
  • September 2019: Whatsapp informed CERT-In that 121 Indian Pegasus users were attacked by the WhatsApp vulnerability, Add “the full extent of this attack may never be known ”.
  • October 2019:
    • Whatsapp sued the NSO Group for exploiting the now fixed vulnerability in the Northern District of California.
    • A few days later, in response to one RTI, the Home Office confirms or denies whether it purchased the Pegasus malware.
  • November 2019:
    • Whatsapp approved told The Indian Express that Pegasus was actually used to monitor journalists and human rights defenders in India.
    • In a parliamentary debatesaid then IT minister Ravi Shankar Prasad categorically: “And, sir, to the best of my knowledge, no unauthorized eavesdropping was done. “He also adds that it is a coincidence that critics of the Modi government were targeted.
  • June 2020: An Amnesty International and Citizen Laboratory detection revealed that at least 3 Indian human rights defenders, demanding the release of the 11 activists arrested in the Bhima Koregaon case were targeted with NSO Group’s Pegasus spyware in 2019.
  • September 2020: TThe Ministry of Electronics and Information Technology (MEITY) categorically denies that “the government or one of its agencies has access to the data and voice messages distributed via WhatsApp”. That was a first since it is normally veiled on this subject, or at least on the subject of buying the Israeli spyware.

Also read: