The Wire news website’s editor Siddharth Varadarajan and another journalist in India were targeted with Pegasus spyware this year, the nonprofit Amnesty International’s Security Lab was able to determine after testing their devices, it announced on Thursday. The journalists had received an alert from Apple that they were being targeted by “state-sponsored hacking,” following which they provided their phones to Amnesty for testing. NSO Group, the Pegasus spyware’s developer, only sells its technology to governments. India’s Intelligence Bureau imported hardware from NSO Group in 2017, trade data shows.
Separately, the Washington Post reported that after the security alerts went out in October, government officials put ‘pressure’ on Apple to offer ‘alternative’ explanations to the public on why these warnings were sent to Opposition leaders and journalists. Union Ministers and Apple had made a series of misleading and unsubstantiated statements when these alerts went out, such as that these messages had gone out in 150 countries, when no other countries’ citizens — or ruling party lawmakers — had reported receiving a warning that week.
The Pegasus spyware, which the Union government has not categorically denied buying or using, allows attackers to extract all the contents of smartphones by leveraging software weaknesses that are known to a select few hackers, and sold for millions of dollars. These so-called ‘zero day exploits’ allow attackers to access all the data on even phones whose software has been fully updated, and access real-time camera and microphone data. Such technology, privacy activists argue, is an unconstitutional form of surveillance. Dozens of Opposition leaders, journalists and activists were targeted by Pegasus until 2021, according to the Forbidden Stories collective, which reported on a leak of the spyware’s global targets.
“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance,” said Donncha Ó Cearbhaill, head of the Security Lab that uncovered the infections.
“The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2021 and patched by Apple in iOS 16.6.1 (CVE-2023-41064),” Amnesty said in a statement, referring to a vulnerability that Apple patched through a software update in September.
The Union government refused to cooperate in a Supreme Court-ordered investigation into the 2021 Pegasus revelations. Both Mr. Varadarajan and Anand Mangnale, South Asia Editor at the Organised Crime and Corruption Report Project (OCCRP), had spyware that logs show infected their phones this year. The OCCRP had reported last year that the Intelligence Bureau (IB) obtained Pegasus, citing trade data that The Hindu was later able to verify, and interviews with unnamed IB officers. Ten months later, Mr. Mangnale’s phone was infected, Amnesty found. The day before, he told the Washington Post, he had sent queries to the Adani group for an investigative story OCCRP was working on about the corporate group.
Mr. Varadarajan’s phone was found to be infected on October 16. Both men received alerts from Apple in October saying that their phones had been targeted by “state-sponsored attackers”. The Union government said it was investigating these alerts, which were sent to numerous Opposition Members of Parliament as well.
The Union government was reportedly looking for Pegasus alternatives after the NSO Group’s activities came under global scrutiny, but the spyware’s continued use after the furore has only emerged now. The Defence Intelligence Agency’s Signal Intelligence Directorate has purchased equipment from Cognyte, a company that has been sued in the United States on similar snooping grounds, The Hindu had reported in April.
