Phones of two serving union ministers, three opposition leaders, one constitutional authority, current and former heads of security organisations, administrators, and 40 senior journalists and activists from India were allegedly bugged using an Israeli spy software called Pegasus and put on surveillance, according to an expose by a global consortium of media organisations, including India’s The Wire.
The first reports published late Sunday only released names of journalists allegedly targeted in India. The list includes Sushant Singh when he worked with The Indian Express, Hindustan Times group executive editor Shishir Gupta, its editorial page editor Prashant Jha, defense correspondent Rahul Singh and a reporter in HT’s sister paper, Mint.
Other journalists include Ritika Chopra (who covers education and the Election Commission) and Muzammil Jaleel (who writes on Kashmir) of The Indian Express, Sandeep Unnithan (who covers defense and the Indian military) of India Today, Manoj Gupta (editor investigations and security affairs) at TV18, and Vijaita Singh, who covers the home ministry at The Hindu.
The Wire founder-editors Siddharth Varadarajan and M.K. Venu are also on the list.
According to the reports, a leaked database of thousands of telephone numbers believed to have been listed by multiple government clients of an Israeli surveillance technology firm includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists, and others.
Forensic tests conducted as part of this project, the reports say, revealed clear signs of targeting by Pegasus spyware in 37 phones, of which 10 are Indian.
The leaked database was accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International and shared with Le Monde, The Guardian, Washington Post, Die Zeit, Suddeutsche Zeitung, The Wire in India, and 10 other Mexican, Arab, and European news organisations as part of a collaborative investigation called the ‘Pegasus Project’.
A majority of the numbers identified in the list were geographically concentrated in 10 country clusters: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, the reports say.
The Ministry of Electronics and Information and Technology rejected the reports of surveillance of journalists, ANI reported.
“The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever. Similar claims were made regarding the use of Pegasus on WhatsApp by the Indian State. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court”, ANI quoted the government as having said in its response.
Not the first time
This isn’t the first time that Pegasus has courted controversy in India.
In September 2018, The Citizen Lab, a Canadian organisation, published a comprehensive report identifying 45 countries, including India, where the spyware was being used.
According to the report, Pegasus and WhatsApp hacks were used in India by a group calling themselves Ganges to target journalists and activists. The targeting by the Ganges had “political themes”.
In October 2019, WhatsApp also revealed that journalists and human rights activists in India have been targets of surveillance by operators using Pegasus. This disclosure was followed by a lawsuit filed by WhatsApp in a US Federal Court in San Francisco, in which it alleged that the Israeli NSO Group, which owns Pegasus, targeted some 1,400 WhatsApp users with the spy software.
Indian journalists and activists who were allegedly snooped on included Bela Bhatia, a human rights activist and lawyer based in Bastar; Shalini Gera, another human rights lawyer based in Bastar, and Degree Prasad Chauhan, a tribal and Dalit rights activist based in Raigarh.
Following the revelations, questions about a possible meeting between representatives of NSO and the Chhattisgarh Police surfaced on 2 November 2019.
The Congress government in Chhattisgarh set up a three-member committee to look into it. However, in January 2020, the government said that “no evidence linking any government official to the snooping was found”. The government also said there was no evidence found regarding a presentation done by NSO in Chhattisgarh.
What is Pegasus?
Pegasus is software produced by the Israeli surveillance firm, the NSO Group. Pegasus sends a malware link to the target user and once the user clicks on it, the code that allows the surveillance is installed on the person’s phone.
According to Citizen’s Lab, once Pegasus is installed and the phone is exploited, the attacker has complete access to the target user’s phone.
It then begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
The use of Pegasus’s software to spy, first emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.