The Citizen Lab, a Canadian organization published a complete report in September 2018, identifying 45 countries, including India, where the spyware was being used. According to the report, Pegasus and WhatsApp hacks were used in India by a group calling themselves Ganges to target journalists and activists. The targeting by the Ganges had “political themes”.
In October 2019, WhatsApp also revealed that journalists and human rights activists in India have been targets of scrutiny by operators using Pegasus. This revelation was followed by a lawsuit that was filed by WhatsApp in a US Federal Court in San Francisco, in which it suspected that the Israeli NSO Group, which owns Pegasus, targeted some 1,400 WhatsApp users with the spy software.
Indian journalists and activists who were spied on included Bela Bhatia, a human rights activist and lawyer based in Bastar; Shalini Gera, another human rights lawyer based in Bastar, and Degree Prasad Chauhan, a tribal and Dalit rights activist based in Raigarh. Out of these, Amnesty found evidence that the phones of Sushant Singh, Thakurta, Abdi, Varadarajan and Venu were compromised with Pegasus spyware.
For Smita Sharma, the analysis found evidence of a hacking attempt through a vulnerability in Apple’s iMessage system, but nothing to indicate that her phone was successfully infected. Vijaita Singh’s Android phone also showed evidence of an attempted hack, but no evidence of a successful compromise was detected. While the results do not indicate what the attacker did using Pegasus, it comes to a few key conclusions for the following people:
S.N.M. Abdi’s Phone was compromised by Pegasus during the months of April 2019, May 2019, July 2019, October 2019 and December 2019. Amnesty was not able to verify the attack vector. Sushant Singh’s Phone was compromised by Pegasus from March 2021 to July 2021, through what Amnesty International calls a zero-click exploit in the iMessage service. The attack is referred to as ‘zero-click’, because it does not require the victims to take any action (such as clicking on a malicious link in an SMS or e-mail) for the infection to occur.
Paranjoy Guha Thakurta’s phone was compromised by Pegasus during parts of April 2018, May 2018, June 2018 and July 2018. Amnesty was not able to identify the attack vector that the spyware used to infiltrate the phone. M.K. Venu Analysts at Amnesty found that the phone was infected with Pegasus as recently as June 2021, through what they called a zero-click iMessage to exploit.
Siddharth Varadarajan’s phone was compromised by Pegasus during parts of April 2018. Digital forensics could not determine the manner in which the spyware infected the phone. Digital forensic analysis was also conducted for the iPhone of a senior editor at a mainstream Indian newspaper, but no traces of Pegasus were found — primarily because it was not the same device being used by the journalist when her number showed up on the list.
The Wire reached out to a number of other journalists, both at mainstream publications and otherwise, to ask whether they would be open to participating in forensic analysis. They refused, citing a number of reasons including a lack of support from their management or their inability to trust the underlying process. Two journalists whose phone numbers appear in the leaked records obtained by the Pegasus Project are among those who received messages from WhatsApp in 2019 that their phones were compromised.
Of that group, records show that former Lok Sabha MP and veteran journalist Santosh Bharatiya was also marked on the list in early 2019. The former parliamentarian, who early in his career worked as a journalist, publicly stated that he too had received a message from WhatsApp.
The leaked data also throws up the numbers of journalists who work far away from Lutyens’ Delhi and the national glare. This includes northeast-based editor in chief of Frontier TV Manoranjana Gupta, Bihar-based Sanjay Shyam and Jaspal Singh Heran. Heran is editor-in-chief of the Ludhiana-based Punjabi daily Rozana Pehredar. The newspaper has reporters in every district of Punjab, is read widely and has a sizable impact on the narrative in the state. The octogenarian told the Pegasus Project that due to his newspapers’ critical reportage; he has had run-ins with all governments over the years and has been at the receiving end of several legal notices.
Roopesh Kumar Singh is an independent journalist based in Jharkhand’s Ramgarh and three phone numbers belonging to him are part of the leaked data. The leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu and Indian Express.
The Pegasus Project, a consortium of news organisations that analysed this list, has reason to believe that the data is indicative of potential targets identified in advance of surveillance attempts. The presence of a phone number in the data does alone not reveal whether a device was infected with Pegasus or subject to an attempted hack – technical examination of the phone’s data is needed for that. Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack.
Pegasus is sold by the Israeli company, NSO Group, which says it only offers its spyware to “vetted governments”. The company refuses to make its list of customers public but the presence of Pegasus infections in India, and the range of persons that may have been selected for targeting, strongly indicate that the agency operating the spyware on Indian numbers is an official Indian one.
Two founding editors of The Wire are on this list, as is its diplomatic editor and two of its regular contributors, including Rohini Singh. Singh’s number appears after she filed back-to-back reports on the business affairs of home minister Amit Shah’s son, Jay Shah, and Nikhil Merchant, a businessman who is close to Prime Minister Narendra Modi, and while she was investigating the dealings of a prominent minister, Piyush Goyal, with businessman Ajay Piramal.
Founded in 2010, the NSO Group is best known for having created Pegasus, which allows those operating it to remotely hack into smartphones and gain access to their contents and functions, including the microphone and camera. The company has always insisted Pegasus is not sold to private entities or even to any and every government. In fact, in its letter to The Wire and its media partners, NSO reiterated that it sells its spyware only to “vetted governments”.