Pegasus Used To Target Indian Journos in 2023, Says Amnesty Report: Key Findings

At least two Indian journalists were found to have been targeted by the controversial Pegasus spyware in fresh instances of hacking, an investigation by Amnesty International revealed on Thursday, 28 December.

In a blog post, Amnesty said that the highly sophisticated spyware developed by Israeli firm NSO Group was allegedly used to target iPhones belonging to:

• Siddharth Varadarajan, founding editor of The Wire

• Anand Mangnale, the South Asia Editor of The Organised Crime and Corruption Report Project (OCCRP)

The forensic investigation was conducted by Amnesty International's Security Lab, with the most recent identified case of Pegasus hacking taking place in India in October 2023.

The threat notification sent to over 20 Opposition leaders and journalists, including Vardarajan, had warned them that their devices may have been targeted by "State-sponsored attackers."

The incident had reignited fears of being targeted by Pegasus spyware, something that the Indian government hasn't expressly denied purchasing. Yet, the NSO Group that owns the spyware continues to maintain that Pegasus is only sold to "vetted law enforcement and intelligence agencies."

In June 2023, Amnesty International said that it conducted "a regular technical monitoring exercise" and saw "indications of renewed Pegasus spyware threats towards individuals in India."

After Apple issued threat alerts to certain iPhone users in India, Amnesty said that it undertook a forensic analysis of the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale.

A zero-click attack is a sophisticated, hacking technique that doesn't require the victim to click on any link in order for their device to get infected by malicious software, including spyware.

Mangnale's phone was reportedly running iOS 16.6, the latest version available at the time.

"The Security Lab also identified an attacker-controlled email address used as part of the Pegasus attack on his device. The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2023 and patched by Apple in iOS 16.6.1 (CVE-2023-41064)," as per the post.

However, the investigation could not conclude whether the spyware had successfully compromised the two targeted devices.

“While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime," the Israeli surveillance firm was quoted as saying by The Washington Post.

"The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence," the NSO Group said.

Meanwhile, amid the conflict in Gaza, the Israeli government has reportedly deployed Pegasus to help track those kidnapped and murdered by Hamas, Axios reported.

Ban Pegasus: Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, called on "all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality."

Release findings: The global non-profit also demanded that the findings of the Supreme Court Technical Committee Report on Pegasus use in India be immediately released.

Disclose spyware contracts: "To ensure transparency, Indian authorities should also publicly disclose information about any previous, current or future contracts with private surveillance companies, including with NSO Group," the post read.

In 2019, WhatsApp reportedly informed the Union Ministry of Electronics and Information Technology that around 121 users in India may have been targeted by Pegasus spyware.

In 2021, a consortium of 16 news organisations published the Pegasus Project which found that among other targets worldwide, over 300 Indians including journalists, activists, politicians, bureaucrats, and businessmen had been potentially targeted by the NSO Group's Pegasus spyware that is only sold to sovereign states.

• That same year, the Supreme Court set up a technical committee to probe the revelations of the Pegasus Project.

In 2022, the technical committee wrapped up its investigation and found that five of the devices it examined had been infected with malware. However, the committee did not conclusively say whether the malware found was Pegasus spyware or not.

• That same year, OCCRP reported that the Intelligence Bureau got a shipment of hardware from NSO Group matching the description of equipment used to run the Pegasus system in 2017.

• That same year, The New York Times reported that in 2017, the Indian and Israeli governments "had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion – with Pegasus and a missile system as the centrepieces."

In 2023, several prominent Opposition leaders claimed that they received a threat notification from Apple about State-sponsored attackers targeting their iPhones.

• That same year, an internal forensic investigation by the OCCRP found that hackers had attempted to compromise Mangnale's phone with Pegasus spyware.