Amnesty International announced on Thursday that it had found Pegasus spyware, which is sold only to governments, on the phones of two Indian journalists.
The Wire news website editor Siddharth Varadarajan and another journalist approached the organisation after they received “state-sponsored attacker” alerts from Apple in October.
After testing their devices, Amnesty’s Security Lab found that they had been targeted with Pegasus spyware.
The Pegasus spyware’s developer, NSO Group, only provides government agencies with its technology. Trade data indicates that in 2017, NSO Group was the source of hardware imports for India’s Intelligence Bureau.
The Washington Post earlier revealed that government representatives pressed Apple to hide the information about spyware and to give the public alternative reasons for why opposition leaders and journalists received security alerts in October.
Following the release of notifications, Union Ministers and Apple made a number of false claims, including the assertion that the same kind of messages were sent to 150 countries, despite the fact that neither members of the ruling party nor citizens of any other nation had reported receiving a warning that week.
“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance,” said Donncha Ó Cearbhaill, head of the Security Lab that uncovered the infections.
The Pegasus spyware, which the Union government has not officially denied purchasing, uses software flaws to enable hackers to retrieve all the data from devices to be sold for millions of dollars.
These so-called “zero day exploits” provide hackers access to all data on phones, including those with up-to-date software, as well as real-time camera and microphone data. Privacy activists contend that this type of equipment is an unconstitutional means of monitoring.
According to a report by the ‘Forbidden Stories’ group, which released information about a global target leak, Pegasus was used to target dozens of opposition leaders, journalists, and activists until 2021.
“The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2021 and patched by Apple in iOS 16.6.1 (CVE-2023-41064),” Amnesty said in a statement, referring to a loophole contained in Apple’s September software update.
In 2021, the Supreme Court ordered an investigation into the Pegasus-related revelations, but the Union government refused to participate.
This year, spyware has been detected on the phones of both Varadarajan and Anand Mangnale, the South Asia Editor for the Organized Crime and Corruption Reporting Project (OCCRP).
The OCCRP had claimed last year that the Intelligence Bureau (IB) had acquired Pegasus, based on interviews with unidentified IB agents and trade data that The Hindu was subsequently able to confirm.
Amnesty discovered that Mangnale’s phone had been compromised ten months later. He told The Washington Post that, the previous day, he had contacted the Adani group with questions about the corporate group for an OCCRP investigative report.
On October 16, Varadarajan’s phone was discovered to have been subjected to a spyware attack. Apple sent alerts to both men stating that “state-sponsored attackers” had attacked their phones.
These alerts were sent to many Members of Parliament in the Opposition as well, and the Union administration declared that it was looking into them.
As the NSO Group’s operations came under international criticism, the Union government has reportedly been searching for Pegasus substitutes.
However, the spyware’s continued use following the controversy has only now come to light. In April, the Signal Intelligence Directorate of the Defence Intelligence Agency bought technology from Cognyte, a company that has been sued in the US on identical grounds related to spying.