India: Report reveals continued use of Pegasus spyware to target high-profile journalists
"India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists", 28 December 2023
Amnesty International, in partnership with The Washington Post, has unearthed shocking new details about the continued use of NSO Group’s highly invasive spyware Pegasus to target prominent journalists in India, including one who had previously been a victim of an attack using the same spyware.
Forensic investigations by Amnesty International’s Security Lab confirmed that Siddharth Varadarajan, Founding Editor of The Wire, and Anand Mangnale, the South Asia Editor at The Organised Crime and Corruption Report Project (OCCRP), were among the journalists recently targeted with Pegasus spyware on their iPhones, with the latest identified case occurring in October 2023.
The use of Pegasus, a type of highly invasive spyware, developed by Israeli surveillance firm NSO Group, comes amid an unprecedented crackdown by the Indian authorities on freedom of peaceful expression and assembly, which has had a chilling impact on civil society organizations, journalists, and activists.
Forensic evidence reveals Pegasus activity
Amnesty International’s Security Lab first observed indications of renewed Pegasus spyware threats towards individuals in India during a regular technical monitoring exercise in June 2023...
In October 2023, Apple issued a new round of threat notifications globally to iPhone users who may have been targeted by “state-sponsored attackers”. More than 20 journalists, and opposition politicians in India were reported to have received the notifications.
As a result, Amnesty International’s Security Lab undertook a forensic analysis on the phones of individuals around the world who received these notifications, including Siddharth Varadarajan and Anand Mangnale. It found traces of Pegasus spyware activity on devices owned by both Indian journalists.
The attempted targeting of Anand Mangnale’s phone happened at a time when he was working on a story about an alleged stock manipulation by a large multinational conglomerate in India.
A more detailed technical analysis of the exploit and accompanying forensic evidence is available on the Amnesty Tech Security Lab website.
A history of spyware abuse
Siddharth Varadarajan was targeted again with Pegasus on 16 October 2023. The same attacker-controlled email address used in the Pegasus attack against Anand Mangnale was also identified on Siddharth Varadarajan’s phone, confirming that both journalists were targeted by the same Pegasus customer.
There are no indications that the Pegasus attack was successful in this case.
Reporters at The Washington Post reached out to NSO Group for their response to these latest findings.
The company said, “While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime. The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes. The company has no visibility to the targets, nor to the collected intelligence.”
NSO Group states that it sells its products only to government intelligence and law enforcement agencies. Indian authorities have until today provided no clarity or transparency on whether they have procured or used the Pegasus spyware in India.
“Amnesty International is calling on all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality,” said Donncha Ó Cearbhaill.
The organization is also calling for the findings of the Supreme Court Technical Committee Report on Pegasus use in India to be immediately released. The Indian government should also conduct an immediate, independent, transparent, and impartial investigation into all cases of targeted surveillance, including into these latest revelations.
To ensure transparency, Indian authorities should also publicly disclose information about any previous, current or future contracts with private surveillance companies, including with NSO Group.”