On Thursday, Amnesty International disclosed the detection of Pegasus spyware, designed exclusively for government use, on the smartphones of two Indian journalists.
Siddharth Varadarajan, editor of The Wire news website, and another journalist sought Amnesty’s assistance after receiving “state-sponsored attacker” alerts from Apple in October. Amnesty’s Security Lab confirmed the presence of Pegasus spyware on their devices through comprehensive testing.
The developer of Pegasus, NSO Group, exclusively supplies its technology to government agencies. Trade data from 2017 indicates that NSO Group was a source of hardware imports for India’s Intelligence Bureau. The Washington Post previously reported that government officials pressured Apple to conceal information about the spyware, providing alternative explanations for the security alerts received by opposition leaders and journalists in October.
Despite Union Ministers and Apple making false claims, including the assertion that similar messages were sent to 150 countries, the targeted journalists, including Varadarajan, were singled out for their work. Donncha Ó Cearbhaill, head of Amnesty’s Security Lab, emphasized that targeting journalists in this manner constitutes an unlawful invasion of privacy and a violation of the right to freedom of expression.
The Pegasus spyware, which the Union government has not officially denied purchasing, exploits software vulnerabilities to allow hackers to extract all data from compromised devices, selling the information for substantial sums. These “zero day exploits” provide hackers access to data on phones, even those with up-to-date software, along with real-time camera and microphone data, leading privacy activists to deem this form of surveillance unconstitutional.
The Forbidden Stories group report in 2021 revealed that Pegasus had targeted numerous opposition leaders, journalists, and activists until that year. Amnesty confirmed that the recovered samples matched NSO Group’s BLASTPASS exploit, identified by Citizen Lab in September 2021 and subsequently patched by Apple in iOS 16.6.1.
Despite a Supreme Court order for an investigation into Pegasus-related revelations in 2021, the Union government declined to participate. This year, Pegasus spyware was detected on the phones of both Varadarajan and Anand Mangnale, South Asia Editor for the Organised Crime and Corruption Report Project (OCCRP). The OCCRP had previously claimed that the Intelligence Bureau (IB) had acquired Pegasus, based on interviews with unidentified IB agents and confirmed trade data.
Amnesty discovered that Mangnale’s phone had been compromised ten months later, revealing a possible connection to his inquiries with the Adani group for an OCCRP investigative report. On October 16, Varadarajan’s phone was identified as the target of a spyware attack, triggering Apple alerts to both journalists and several Members of Parliament in the Opposition.
Amidst international criticism of NSO Group’s operations, reports suggest the Union government is exploring alternatives to Pegasus. However, the continued use of the spyware post-controversy has only recently come to light. In April, the Signal Intelligence Directorate of the Defence Intelligence Agency purchased technology from Cognyte, a company facing similar allegations of spying in the United States.