The phone numbers of over 40 Indian journalists appeared on a leaked list of potential targets for surveillance, and forensic tests have confirmed that some of them were successfully snooped upon by an unidentified agency using Pegasus spyware, sold by a private Israeli firm, reports The Wire.

Forensic tests conducted as part of this project on a small cross-section of phones associated with these numbers revealed clear signs of targeting by Pegasus spyware in 37 phones, of which 10 are Indian.

Indian ministers, government officials, and Opposition leaders also figure in the list of people whose phones may have been compromised by the spyware, claimed The Wire.

The leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu, and Indian Express.

The leaked database was accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International and shared with The Wire, Le Monde, The Guardian, Washington Post, Die Zeit, Suddeutsche Zeitung, and 10 other Mexican, Arab and European news organisations as part of a collaborative investigation called the ‘Pegasus Project’.

Information Minister Fawad Chaudhry tweeted: “Extremely concerned on news reports emerging from @guardiannews that Indian Govt used Israeli software to spy on Journalists, political opponents, and politicians, unethical policies of #ModiGovt have dangerously polarised India and the region… more details are emerging.”

The Pegasus Project, a consortium of news organisations that analysed this list, has reason to believe that the data is indicative of potential targets identified in advance of surveillance attempts. The presence of a phone number in the data does not alone reveal whether a device was infected with Pegasus or subject to an attempted hack – technical examination of the phone’s data is needed for that.

The important factor is that the results of the forensic analysis show a sequential connection between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours. In some cases, including forensic tests conducted for two Indian numbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus infection is just seconds.

Pegasus is sold by the Israeli company, NSO Group, which says it only offers its spyware to “vetted governments”. The company refuses to make its list of customers public but the presence of Pegasus infections in India, and the range of persons that may have been selected for targeting, strongly indicate that the agency operating the spyware on Indian numbers is an official Indian one.

NSO disputes the claim that the leaked list is linked in any way to the functioning of its spyware. In a letter to The Wire and Pegasus Project partners, the company initially said it had “good reason to believe” that the leaked data was “not a list of numbers targeted by governments using Pegasus”, but instead may be part of “a larger list of numbers that might have been used by NSO Group customers for other purposes”.

However, the forensic testing of targeted phones has confirmed the use of Pegasus spyware against some of the Indian numbers on this list and has also established that this highly obstructive form of surveillance – technically illegal under Indian law as it involves hacking – is still being used to spy on journalists and others.

A majority of the numbers identified in the list were geographically concentrated in 10 country clusters: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates.