New Delhi: In the midst of the heated West Bengal assembly election, the phone of poll strategist Prashant Kishor was broken into using NSO Group’s Pegasus spyware, according to digital forensics conducted by Amnesty International’s Security Lab and shared with The Wire.
In addition, the mobile number of Abhishek Banerjee, the powerful Trinamool Congress MP who is the nephew of West Bengal chief minister Mamata Banerjee and a key party strategist, was also selected as a potential target for surveillance by a government client of NSO Group, an investigation of leaked data by The Wire and its media partners on the Pegasus Project has shown. Also on the list is Banerjee’s personal secretary.
Their phones, and the phone of a close aide to Kishor, were not immediately available for forensic investigation, making it impossible to say definitively whether an attempt to hack them was made.
Since NSO insists that only “vetted governments” can purchase Pegasus, the targeting of Kishor – who was working as an advisor to West Bengal chief minister Mamata Banerjee – is the first iron-clad piece of evidence that this deadly spyware is being used in India by an as yet unidentified agency to gather political information from rivals of the ruling Bharatiya Janata Party.
“If the use of such methods during Bengal elections is taken as a test case then it is quite clear that such things hardly have any impact on the electoral outcome,” Kishor told The Wire. “Having said so, there is no denying that those who did so were looking to take undue advantage of their position of power with the help of illegal snooping.”
Kishor’s current or one-time role as a key political advisor and strategist for a range of opposition parties, including the DMK in Tamil Nadu and the Congress in Punjab, besides the TMC, means the agency targeting him is also interested in gathering information about the government’s political opponents in different parts of the country.
The forensic examination of his current phone also shows that what appear to be unsuccessful attempts to initiate a Pegasus attack were made on Kishor’s phone in 2018, just months prior to the general elections of 2019. This was at a time when there was considerable speculation over who Kishor and his much-in-demand election consultancy organisation, I-Pac, would be assisting in the elections. The full extent of Pegasus’s deployment against him that year was not visible forensically as only those traces from 2018 which came into his current iPhone via backup – he no longer uses the device that was targeted then – were visible.
Pegasus is classified as a military grade export by the Israeli authorities, and the Modi government has never denied it is a customer when asked. This makes it reasonable to surmise that the entity which used the spyware to hack into the phone of Kishor is an Indian agency.
Amnesty’s forensic analysis found traces of infection on Kishor’s phone on April 28, just a day before the last phase of polling in the eight-phase assembly election in West Bengal.
Traces of Pegasus on Kishor’s phone were also detected on 14 days in June 2021 and 12 days in July 2021, including July 13, the day when he met Congress leaders Rahul Gandhi and Priyanka Gandhi in Delhi. In fact, a hack of Kishor’s phone occurred even on the date that The Wire met him and AI helped conduct forensic analysis on it.
When it comes to Amnesty International’s detective work, smartphone forensics is an ever-evolving process. Its researchers become better equipped to analyse the fingerprints left behind by Pegasus as they learn more about the malicious spyware’s infection methods. Due to that, while evidence of infection may only be detected on a few days in a specific month, that doesn’t mean the spyware was not active on other days.
While it is not clear what exactly the person or entity behind the attack chose to do after infecting Kishor’s phone, Pegasus has long been documented as being both sophisticated and deadly: it can record a target’s calls, copy all their messages or even secretly audio record or film them.
In Prashant Kishor’s case, the forensic results show that at least one attack (in July 2021) was likely done through what is called a zero-click iMessage exploit. He didn’t have to fall prey to a phishing email masquerading as a sleazy pornographic service, or click on a funny link in an SMS for free Payback points, all of which are signs of older or simpler attempts to attack a phone.
Instead, the forensic results show, a vulnerability in Apple’s messaging system likely allowed the unknown Pegasus operator to deliver a malicious payload onto the phone without having to interact with the election strategist at all.
Amnesty International’s technical research is a key part of the ‘Pegasus Project’ – an international investigation conducted by a consortium of news organisations including The Wire, The Guardian, The Washington Post and Paris-based media non-profit Forbidden Stories, which reviewed records of thousands of numbers that the NSO Group’s clients had selected for potential surveillance.
While these records by themselves only indicate that a person is a possible candidate for surveillance – and not evidence of a successful hack in and of itself – forensic analysis conducted by AI’s Security Lab has helped to partially corroborate the authenticity of the leaked data.
Security researcher Claudio Guarnieri, who runs Amnesty International’s Berlin-based digital security lab, and his team look for the evidential breadcrumbs that Pegasus leaves behind after a successful infection.
The methodology that AI’s security lab used for the Pegasus Project was peer-reviewed and endorsed by experts at Citizen Lab at the University of Toronto – a digital security research organisation that has used novel techniques to expose how governments around the world use the NSO Group’s software to hack phones.
In 2019, Citizen Lab helped lay the groundwork for WhatsApp’s landmark suit against the Tel Aviv-based maker of spyware.
(Additional reporting by Ajoy Ashirwad Mahaprashasta)