Amnesty International, in partnership with The Washington Post, has claimed to have unearthed new details about the alleged use of the Israeli NSO Group’s highly invasive spyware Pegasus to target prominent journalists in India, including one who had previously been a victim of an attack using the same spyware.
Forensic investigations by Amnesty International’s Security Lab claim that Siddharth Varadarajan, founding editor of The Wire, and Anand Mangnale, the South Asia Editor at The Organised Crime and Corruption Report Project (OCCRP), were among the journalists allegedly targeted with Pegasus spyware on their iPhones, with the latest identified case in October 2023.
Pegasus is a highly invasive spyware, developed by Israeli surveillance firm NSO Group.
“Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
“Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which intensifies the sense of impunity over these human rights violations,” Cearbhaill said.
Forensic evidence
Amnesty International said its Security Lab first observed indications of renewed Pegasus spyware threats towards individuals in India during a regular technical monitoring exercise in June 2023, a number of months after media reported that the Indian government was seeking to procure a new commercial spyware system.
In October 2023, Apple issued a new round of threat notifications globally to iPhone users who may have been targeted by “state-sponsored attackers”. More than 20 journalists, and opposition politicians in India, were reported to have received the notifications.
Amnesty International’s Security Lab undertook a forensic analysis on the phones of individuals around the world who received these notifications, including Siddharth Varadarajan and Anand Mangnale. It claimed it found traces of Pegasus spyware activity on devices owned by both Indian journalists.
The Security Lab said it recovered evidence from Anand Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware. The phone was running iOS 16.6, the latest version available at the time.
A zero-click exploit refers to malicious software that enables spyware to be installed on a device without requiring any user action from the target, such as clicking on a link.
The Security Lab said it also identified an attacker-controlled email address used as part of the Pegasus attack on his device. Anand Mangnale’s phone was vulnerable to this zero-click exploit at the time of the attack. It is currently unclear if the exploit attempt resulted in a successful compromise of his device.
The attempted targeting of Anand Mangnale’s phone happened at a time when he was working on a story about an alleged stock manipulation by a large multinational conglomerate in India.
A history of spyware abuse
Amnesty International said it has previously documented how Siddharth Varadarajan was targeted and infected with Pegasus spyware in 2018. His devices were later forensically analyzed by a technical committee established by the Supreme Court of India in 2021 in the wake of the Pegasus Project revelations.
In 2022, the committee concluded its investigation, but the Supreme Court has not made the findings of the technical report public. The court noted, however, that the Indian authorities “did not cooperate” with the technical committee’s investigations.
Siddharth Varadarajan was targeted again with Pegasus on 16 October 2023. The same attacker-controlled email address used in the Pegasus attack against Anand Mangnale was also identified on Siddharth Varadarajan’s phone, confirming that both journalists were targeted by the same Pegasus customer, Amnesty said.
There are no indications that the Pegasus attack was successful in this case.
“Targeting journalists solely for doing their work amounts to an unlawful attack on their privacy and violates their right to freedom of expression. All states, including India, have an obligation to protect human rights by protecting people from unlawful surveillance,” said Donncha Ó Cearbhaill.
Reporters at The Washington Post reached out to NSO Group for their response to these latest findings but had not received any response at the time of publication.
NSO Group states that it sells its products only to government intelligence and law enforcement agencies. Indian authorities have until today provided no clarity or transparency on whether they have procured or used the Pegasus spyware in India.
“Amnesty International is calling on all countries, including India, to ban the use and export of highly invasive spyware, which cannot be independently audited or limited in its functionality,” said Donncha Ó Cearbhaill.
The organization called for the findings of the Supreme Court Technical Committee Report on Pegasus use in India to be immediately released.
