New Delhi: An investigation by Amnesty International, in partnership with The Washington Post, has suggested the Indian government has repeatedly used the Pegasus spyware to target prominent journalists in India. In response, the government has described the report as “half facts, fully embellished”.
The report published Thursday said that the organisations had “unearthed shocking new details about the continued use of NSO Group’s highly invasive spyware Pegasus to target prominent journalists in India, including one who had previously been a victim of an attack using the same spyware.”
This report comes about two months after several prominent Indian opposition politicians said they had received alerts from US-headquartered technology giant Apple, warning of possible “state-sponsored” attacks on their Apple devices.
Apple, in response, had then said that it does “not attribute the threat notifications to any specific state-sponsored attacker” while stressing that the state-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time.
According to the report published in The Washington Post, Indian officials asked Apple to withdraw the warnings and say it had made a mistake.
“After a heated discussion, the company’s India office said the most it could do was put to out a public statement that emphasised certain caveats that Apple had already listed on its tech support page about the warnings,” the report said. It alleged that the company’s India MD, Virat Bhatia, told others that the company was under intense pressure from the government. Other Apple executives stressed the need to stand firm.
Meanwhile, reacting to the report, Minister of State for Electronics and IT Rajeev Chandrasekhar in a post on X (formerly Twitter) Thursday, said, “This story is half facts, fully embellished… Left out of the story is Apple’s response on Oct 31… Apple does not attribute the threat notifications to any specific state-sponsored attacker.”
He added, “@GoI_MeitY ‘s & my response to this incident has been consistent and clear from the incident — That it is for Apple to explain if their devices are vulnerable and what triggered these notifications… Apple was asked to join the enquiry with @IndianCERT and meetings have been held and enquiry is ongoing.”
Rebutting @washingtonpost 's terrible story telling is tiresome, but someone has to do it.
➡️This story is half facts, fully embellished 😅
➡️Left out of the story is Apples response on Oct 31- day of threat notifications
“Apple does not attribute the threat notifications to… https://t.co/6XhRC8QVBu
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) December 28, 2023
ThePrint reached Chandrasekhar for comment via text message and also called the office of Union Minister for Electronics and IT Ashwini Vaishnaw, who is currently travelling. This report will be updated when responses are received. An email has also been sent to Apple for comment, and the company’s response is awaited.
Also Read: Pegasus: Phones of 40 journalists from Indian Express, Hindu, HT & Wire tapped, says report
What the report said
The report said that forensic investigations by Amnesty International’s Security Lab confirmed that two journalists — Siddharth Varadarajan, founding editor of The Wire, and Anand Mangnale, the South Asia editor at the Organised Crime and Corruption Report Project (OCCRP) — were targeted with Pegasus spyware on their iPhones, with the latest identified case occurring in October.
“Our investigation confirms that the devices of both individuals were targeted with NSO Group’s Pegasus spyware between August and October 2023,” it said, adding that this is not the first time Amnesty International has found evidence of unlawful targeted surveillance against civil society in India.
Donncha Ó Cearbhaill, head of Amnesty International’s security lab, said in the report, “Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression, including imprisonment under draconian laws, smear campaigns, harassment, and intimidation.”
“Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India, which only intensifies the sense of impunity over these human rights violations,” he added.
Amnesty International’s Security Lab, the report said, undertook a forensic analysis on the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale. It found traces of Pegasus spyware activity on devices owned by both Indian journalists.
“The Security Lab recovered evidence from Anand Mangnale’s device of a zero-click exploit, which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware. The phone was running iOS 16.6, the latest version available at the time,” it said.
“Zero-click exploit” refers to malicious software that enables spyware to be installed on a device without requiring any user action from the target, such as clicking on a link.
The report further alleged that the attempted targeting of Mangnale’s phone happened at a time when he was working on a story about alleged stock manipulation by a large multinational conglomerate in India.
According to the report published by The Washington Post, this is a reference to the Adani Group, which has denied involvement in any hacking effort. The Washington Post also reached out to NSO Group for its response to these latest findings.
According to the report, the company said: “While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that licence our technologies for the sole purpose of fighting terror and major crime. The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence.”
According to the NSO Group, it sells its products only to government intelligence and law enforcement agencies.
“Indian authorities have until today provided no clarity or transparency on whether they have procured or used the Pegasus spyware in India,” the report said.
(Edited by Richa Mishra)
Also Read: Pegasus scandal shows how lawless India’s ‘lawful interception’ has become