Pegasus Spyware Used to Spy on 40 Indian Journalists. Who Should Be Under the Line of Fire?

Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device

Strictly speaking, Spyware is the term given to a category of software which aims to steal personal or organisational information. It is done by performing a set of operations without appropriate user permissions, sometimes even covertly. General actions a spyware performs include advertising, collection of personal information and changing user configuration settings of the computer. A Spyware is generally classified into adware, tracking cookies, system monitors and Trojans. The most common way for a spyware to get into the computer is through freeware and shareware as a bundled hidden component. Once a spyware gets successfully installed, it starts sending the data from that computer in the background to some other place.

Pegasus – The Most Powerful Spyware Ever Developed

Pegasus is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.

Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems. The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.

Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

In 2019 WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.

Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab.

“Things are becoming a lot more complicated for the targets to notice,” said Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.

For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.

As the technical partner of the Pegasus project, an international consortium of media organisations including the Guardian, Amnesty’s lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple’s iOS. The attacks were carried out as recently as July 2021.

Pegasus Attack on India Journalists

The phone numbers of over 40 Indian journalists appear on a leaked list of potential targets for surveillance, and forensic tests have confirmed that some of them were successfully snooped upon by an unidentified agency using Pegasus spyware, The Wire can confirm.

The leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu and Indian Express.

Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack.

Of equal importance is how the results of the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours. In some cases, including forensic tests conducted for two India numbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus infection is just seconds.

Two founding editors of The Wire are on this list, as is its diplomatic editor and two of its regular contributors, including Rohini Singh. Singh’s number appears after she filed back-to-back reports on the business affairs of home minister Amit Shah’s son, Jay Shah, and Nikhil Merchant, a businessman who is close to Prime Minister Narendra Modi, and while she was investigating the dealings of a prominent minister, Piyush Goyal, with businessman Ajay Piramal.

The number of former Indian Express journalist Sushant Singh appears on the list in mid-2018, at a time when he was working on an investigation into the controversial Rafale aircraft deal with France, besides other stories. Digital forensics conducted on Singh’s current phone showed signs of Pegasus infection earlier this year.

While the Narendra Modi government has not so far issued a categorical denial that Pegasus is officially being used, it has been dismissive of allegations that Pegasus might have been used to conduct illegal surveillance of targets in India.

On Saturday, the Ministry of Electronics and Information Technology reiterated this stand in a response to a questionnaire about individual targets sent by Pegasus Project partners.

Independent forensic analysis conducted by Amnesty International’s Security Lab on a small worldwide cross-section of the smartphones of the people on the leaked list threw up traces of Pegasus spyware infection in over half the cases. Among the 13 iPhones examined in India, nine showed evidence of being targeted, of which seven were successfully infected with Pegasus. Among nine Androids tested, one showed evidence of targeting while 8 were inconclusive, mainly because Android logs do not provide the kind of detail Amnesty’s team needs to confirm the presence of Pegasus.

List of Confirmed Names on the Spyware Attack List:

  1. Shishir Gupta, Hindustan Times
  2. Prashant Jha, Hindustan Times
  3. Rahul Singh, Hindustan Times
  4. Aurangzeb Naqshbandi, Hindustan Times
  5. Saikat Dutta, former Hindustan Times
  6. Vijaita Singh, The Hindu
  7. Muzamil Jaleel, The Indian Express
  8. Ritika Chopra, The Indian Express
  9. Sushant Singh, former The Indian Express
  10. Sandeep Unnithan, India Today
  11. Siddharth Varadarajan, co-founder of The Wire
  12. Swati Chaturvedi, The Wire
  13. Devirupa Mitra, The Wire
  14. Rohini Singh, The Wire
  15. M.K. Venu, The Wire
  16. J Gopikrishnan, The Pioneer
  17. Paranjoy Guha Thakurta, journalist and adviser, NewsClick
  18. Manoranjana Gupta, editor-in-chief, Frontier TV
  19. Shabir Hussein Buchh, independent journalist
  20. Iftikar Gilani, journalist covering J&K
  21. Smita Sharma, independent journalist and news anchor
  22. Prem Shankar Jha, Indian economist, journalist 
  23. Santosh Bhartiya, journalist and ex MP
  24. Deepak Gidwani, independent journalist
  25. Bhupinder Singh Sajjan, Punjabi journalist
  26. Jaspal Singh Heran, Punjabi Journalist
  27. Hassan Babar Nehru, lawyer and activist in J&K
  28. Umar Khalid, JNU scholar, currently in jail under UAPA
  29. Thirumurugan Gandhi, activist arrested under UAPA
  30. Rona Wilson, activist arrested under UAPA
  31. Rupali Jadhav, arrested under UAPA
  32. Degree Prasad Chouhan, activist
  33. Laxman Pant, activist

Please note that while the list had 40 names, some of the people did not consent to their names being shared publicly.

The Digpu News Bottomline

Privacy in India has been a consistently debated topic since forever but more since the K.Puttaswamy judgement by the Supreme Court of India. Though the Apex court held privacy to be an indispensable right in a Democracy, the governments stance with respect to the same has been contemptuous in many ways. Be it by way of the Aadhar – Mobile Number seeding issue, or the Social Media Code.

Now when a spyware that is sold only to governments, has been used for spying on journalists who are critical of the government, one fails to understand why the Narendra Modi led BJP Government has not yet made any statement regarding the issue. Is the central government really complacent in the attack? If not, what are they going to do about an attack on the sovereignty of the country?

Leave a Reply

Your email address will not be published.

Back to top button