New Delhi: Amnesty International’s Security Lab says it has detected evidence that Pegasus spyware was used by an unknown government agency to compromise the mobile phones of two journalists in India, Siddharth Varadarajan of The Wire and Anand Mangnale of the Organised Crime and Corruption Reporting Project.
Amnesty released its findings on December 28 as part of its partnership on a wider investigation by the Washington Post.
This is the second time Varadarajan has been targeted with the Israeli-made spyware. As The Wire reported in 2021 as part of an investigation by a worldwide media consortium known as the ‘Pegasus Project’, his phone was among those of several journalists, opposition politicians and human rights defenders on whose devices Amnesty’s Security Lab found Pegasus. The presence of the spyware on Mangnale’s phone is especially concerning as the trigger for his selection as a target appears to be his investigation into the business affairs of the Adani group. As the Washington Post reports,
“On Aug. 23, the OCCRP emailed Adani seeking comment for a story it would publish a week later alleging that his brother was part of a group that had secretly traded hundreds of millions of dollars worth of the Adani Group conglomerate’s public stock, possibly in violation of Indian securities law. A forensic analysis of Mangnale’s phone, conducted by Amnesty International and shared with The Washington Post, found that within 24 hours of that inquiry, an attacker infiltrated the device and planted Pegasus, the notorious spyware that was developed by Israeli company NSO Group and that NSO says is sold only to governments.”
“Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.
Amnesty said its Security Lab “first observed indications of renewed Pegasus spyware threats towards individuals in India during a regular technical monitoring exercise in June 2023, a number of months after media reported that the Indian government was seeking to procure a new commercial spyware system.”
When Apple issued threat notifications globally to iPhone users who may have been targeted by “state-sponsored attackers”, Varadarajan, Mangnale and a number of other journalists and opposition politicians in India received the notifications. Among those who went public at the time were Mahua Moitra of the Trinamool Congress, a prominent critic of the Adani group, and Ravi Nair, a journalist with OCCRP who was working on an Adani story with Mangnale.
When Amnesty International’s Security Lab undertook a forensic analysis on the phones of Varadarajan and Mangnale, the press release said, it “found traces of Pegasus spyware activity on devices owned by both Indian journalists”:
“The Security Lab recovered evidence from Anand Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware. The phone was running iOS 16.6, the latest version available at the time.
“A zero-click exploit refers to malicious software that enables spyware to be installed on a device without requiring any user action from the target, such as clicking on a link.
“The Security Lab also identified an attacker-controlled email address used as part of the Pegasus attack on his device. The recovered samples are consistent with the NSO Group’s BLASTPASS exploit, publicly identified by Citizen Lab in September 2023 and patched by Apple in iOS 16.6.1 (CVE-2023-41064).
“Anand Mangnale’s phone was vulnerable to this zero-click exploit at the time of the attack. It is currently unclear if the exploit attempt resulted in a successful compromise of his device.”
As for Varadarajan’s phone, Amnesty’s forensic report notes:
“The Security Lab reviewed forensic records from Siddharth Varadarajan’s iPhone 11 and identified traces which confirm that his phone was also targeted with NSO Group’s Pegasus spyware in October 2023.
“HomeKit logs from Siddharth Varadarajan’s iPhone show that he was also targeted by the same Pegasus attacker email account used to target Anand Mangnale. The recovered HomeKit logs show that the [email protected] Apple account interacted with his device’s HomeKit service on 16 October 2023 around 14:36:09 UTC. At the time his phone was running iOS version 16.6.1 which was not vulnerable to the BLASTPASS attack.”
The Washington Post reported that iVerify, a New York security firm it engaged to test the phones of some of the Indian politicians on the list of those who received a spyware alert from Apple, found tell-tale footprints of targeting:
“IVerify examined Moitra’s phone backup and confirmed that she had received an Apple warning. It also saw urgent crash reports that, together with other digital records, suggested the device had been hacked. The company also found a threat notification and suspicious activity on the phone of Praveen Chakravarty, head of the opposition Indian National Congress party’s data analytics department.”
This renewed evidence of Pegasus being used against journalists in India comes more than a year after the Supreme Court noted that the technical committee it had appointed to probe allegations of illegal surveillance found evidence of “malware” in as many as five mobile phones which it tested. The then chief justice of India, N.V. Ramana, had also said that the Narendra Modi government had refused to cooperate with the committee – despite being asked by the court to do so.
Though the technical committee was created in the face of the government’s refusal to confirm or deny its purchase and use of Pegasus, the Supreme Court has not held the government in contempt and has also not taken any further action on the findings it has. The committee’s report itself was not made public, citing privacy concerns, though some of the journalists who had submitted their devices for testing had said they had no objection to the committee’s report being released.
Pressure on Apple
The Washington Post story also documents the Modi government’s attempts to control the narrative soon after Apple’s October notifications were issued, which included putting pressure on the company’s executives in India to themselves downplay the significance of the warning they had just issued to iPhone users.