Around 300 phones belonging to Indian journalists, government officials, rights activists and a wide cross-section of businessmen are believed to have been targeted by Pegasus spyware made by Israeli company NSO which says it sells only to “vetted governments”.
The Indian numbers targeted were revealed after a joint global-scale investigation conducted by Indian website The Wire, The Washington Post, The Guardian, Le Monde, Die Zeit and 12 other Arab, Mexican and European news organisations.
The news organisations were given a leaked database of numbers by Paris-based media non-profit Forbidden Stories and Amnesty International.
The global investigation examined 37 phones of which 10 were Indian to confirm that they had been targeted by spyware.
Soon after the story broke simultaneously around the world, Indian journalist Swati Chaturvedi, whose phone is believed to have been tapped, tweeted: “Dear @PMOIndia why did your government put me on an intrusive surveillance list? For committing a crime of doing investigative journalism. Why was Pegasus software introduced on my phone? Pegasus is sold only to governments.”
The government has denied any link with the spyware and said, “We have nothing to fear and the government has nothing to hide. We will reply to any query. The news article proves nothing. In fact, previous attempts to link Pegasus with the government have failed," the government said.
The Wire said that the leaked database had numbers of over 40 journalists, three opposition leaders, serving government ministers, current and formers officials of security organisations and “scores of businesspersons”. The Wire itself was heavily targeted.
Forensic analysis was carried out on 37 phones globally including 10 from India. Amongst the phones analysed were those belonging to The Wire Editor Siddharth Varadarajan and co-founder Paranjoy Guha Thakurta.
“You feel violated. This is an incredible intrusion and journalists should not have to deal with this,” Varadarajan told The Guardian. The forensic analysis is essential to prove that the phones have been infected with Pegasus Spyware. For technical reasons it is easier to analyse if Pegasus software has been used in iPhones than in Android ones.
The phone of another journalist, Sushant Singh, who had worked on an investigation into the Rafale deal, was also subjected to forensic analysis and appeared to have had spyware installed on it. Singh told The Wire: “It is a violation of privacy…..Secondly, it compromises a journalist’s ability to report on matters of grave national importance.
Other Indian journalists whose names appear on the list that dates back to 2016 include Shishir Gupta, executive editor of the Hindustan Times; former editorial page editor Prashant Jha; defence correspondent Rahul Singh and Aurangazeb Naqshbandi who covered the Congress.
In addition to these names, other leading journalists who appear to have been under surveillance include Muzamil Jaleel who writes on Kashmir, India Today defence writer Sandeep Unnithan and Vijaita Singh who writes on the Home Ministry for The Hindu. Singh’s phone contained traces of an attempted Pegasus infection, according to The Wire.
One phone number on the Pegasus Projects database was earlier registered in the name of a sitting Supreme Court judge, The Wire said. However, it said the judge had given up the number at some point in the last few years.
Most of the numbers on the Pegasus database came from 10 countries including India, Azerbaijan, Kazakhstan, Hungary, Saudi Arabia, UAE, Bahrain, Morocco, Mexico and Rwanda.
Pegasus initially hit the headlines around the world in 2019 after it was reported that 1,400 phones had been targeted using the software. Whatsapp filed a suit against the NSO Group which created the software.
Rumours had been circulating all Sunday that a major story was about to break and Rajya Sabha MP Subramanian Swamy tweeted, “Strong rumour that this evening Washington Post & London Guardian are publishing a report exposing the hiring of an Israeli firm Pegasus, for tapping phones of Modi’s Cabinet Ministers, RSS leaders, SC judges & journalists.”
At an international level, more chillingly, the former fiancée of murdered Saudi journalist and dissident Jamal Khashoggi was found to have been tapped. Two other Turkish officials inquiring into the Khashoggi murder were also tapped.
The Pegasus database contains more than 50,000 potential global surveillance targets. NSO insists it only offers its spyware to governments for use in tracking terrorists and big-time criminals. The hacking software known as Pegasus is employed to infect iPhones and Android phones to extract messages, photographs, emails, record calls and activate microphones. The malware can be put on a smartphone by clicking on a malicious link or through an app vulnerability.
The NSO Group refuses to divulge the list of its customers. It denied in a statement “false claims” about the actions of its customers but promised to “investigation all credible claims of misuse and take appropriate action.” It called the report of 50,000 potential surveillance targets “exaggerated”.
The telephone numbers on the list were printed without names but the investigation managed to identify over 1,000 people in more than 50 nations. They included 189 journalists globally, including those working at the Financial Times, The New York Times and CNN. There were also more than 600 politicians and government officials, including cabinet ministers, diplomats and military figures, and 85 human rights activists.
The Indian government said in its written statement there has been “no unauthorised interception” by government agencies. It said the country is a “robust democracy” committed to ensuring “the right to privacy of all its citizens.” However, the occupations of the people to whom the Indian numbers belonged suggested that an official Indian agency would have been behind any attempt to place them on the list, The Wire said. The Indian Telegraph Act and Information Technology Act lays out strict procedures that must be followed for lawful interception.