A joint investigation by human rights group Amnesty International and US newspaper The Washington Post has found that Pegasus spyware was used to hack the mobile phones of two Indian journalists in August and October.
The Post’s report, published on Wednesday, also quotes unnamed sources at Apple claiming that the Narendra Modi government had pressured the company to play down its alert to customers that their iPhones had been targeted by “State-sponsored
attackers”.
In October, several Opposition politicians, journalists and at least one academic had received such alerts from Apple. Apple didn’t reveal who these attackers were or which State they worked for. Although the Centre said the matter would be probed, it also made light of the Opposition’s claims of illegal surveillance.
The Post’s report, titled “India targets Apple over its phone hacking notifications”, says: “As soon as journalists and Opposition politicians shared their warnings from Apple, BJP officials scrambled to contain the fallout.
“Senior Modi administration officials called Apple India’s managing director, Virat Bhatia, after the news broke, said two people with knowledge of the matter. One of the people said Indian officials asked Apple to withdraw the warnings and say it had made a mistake. After a heated discussion, the company’s India office said the most it could do was put out a public statement that emphasised certain caveats that Apple had already listed on its tech support page about the warnings.”
Responding to questions from The Post about whether the government had exerted pressure on Apple, the ministry of electronics and IT said in a statement: “We have instituted technical investigation in the reported matter. So far, Apple has cooperated fully in the investigation process.”
Reports had as far back as 2019 alleged that the Israeli spyware Pegasus — sold only to governments — had been used against Opposition politicians, journalists, activists and even a judge in India.
Amnesty’s report, titled “India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists” and released on Thursday, says: “Forensic investigations by Amnesty International’s Security Lab confirmed that Siddharth Varadarajan, Founding Editor of The Wire, and Anand Mangnale, the South Asia Editor at The Organised Crime and Corruption Report Project (OCCRP), were among the journalists recently targeted with Pegasus spyware on their iPhones, with the latest identified case occurring in October 2023.”
It adds: “Amnesty International has previously documented how Siddharth Varadarajan was targeted and infected with Pegasus spyware in 2018. His devices were later forensically analysed by a technical committee established by the Supreme Court of India in 2021 in the wake of the Pegasus Project revelations.
“In 2022, the committee concluded its investigation, but the Supreme Court has not made the findings of the technical report public. The court noted, however, that the Indian authorities ‘did not cooperate’ with the technical committee’s investigations.
“Siddharth Varadarajan was targeted again with Pegasus on 16 October 2023. The same attacker-controlled email address used in the Pegasus attack against Anand Mangnale was also identified on Siddharth Varadarajan’s phone, confirming that both journalists were targeted by the same Pegasus customer. There are no indications that the Pegasus attack was successful in this case.”
The Post’s report too says: “On Aug. 23, the OCCRP emailed Adani seeking comment for a story it would publish a week later alleging that his brother was part of a group that had secretly traded hundreds of millions of dollars worth of the Adani Group conglomerate’s public stock, possibly in violation of Indian securities law.
“A forensic analysis of Mangnale’s phone, conducted by Amnesty International and shared with The Washington Post, found that within 24 hours of that inquiry, an attacker infiltrated the device and planted Pegasus, the notorious spyware that was developed by Israeli company NSO Group and that NSO says is sold only to governments.
“A spokeswoman for Adani denied that the magnate was involved in any hacking effort and accused OCCRP of conducting a ‘smear campaign’ against the Adani Group.”
Amnesty has called upon “all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality”.
Last year, The New York Times and the OCCRP had reported that the Indian government had bought the Pegasus spyware from Israeli company NSO.
The Union junior minister for electronics and IT, Rajeev Chandrasekhar, responded to The Post’s report on X saying: “This story is half facts, fully embellished. Left out of the story is Apples response on Oct 31 — day of threat notifications.
“Apple does not attribute the threat notifications to any specific state-sponsored attacker. State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.
“It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behaviour to evade detection in the future.”
He added: “@GoI_MeitY’s & my response to this incident has been consistent and clear from the incident - That it is for Apple to explain if their devices are vulnerable and what triggered these notifications. Apple was asked to join the enquiry wth @IndianCERT and meetings have been held and enquiry is ongoing. Those are the facts. Rest of story is creative imagination & clickbaiting at work masquerading as journalism.”