An investigation by an international media consortium has revealed that more than 50,000 phone numbers from across the world are believed to have been targeted for hacking through the spyware called Pegasus, which is only sold to government agencies by the Israeli NSO Group. Over 300 verified phone numbers — including those of two serving ministers, over 40 journalists, three opposition leaders and one sitting judge, besides scores of business persons and activists in India — could have been targeted for hacking through Pegasus, the global media consortium has reported.
The report was published by The Wire and 16 other international publications, including Washington Post, The Guardian and Le Monde, who are media partners to an investigation conducted by a Paris-based media non-profit organisation Forbidden Stories and rights group Amnesty International into a leaked list of more than 50,000 phone numbers from across the world that are believed to have been the target of surveillance through Pegasus software.
From the list of more than 50,000 cellphone numbers obtained by the Forbidden Stories and Amnesty International and shared with the 16 news organisations, journalists were able to identify more than 1,000 individuals in 50 countries who were allegedly selected by NSO clients for potential surveillance.
This includes 189 journalists, more than 600 politicians and government officials, at least 65 business executives, 85 human rights activists, and several heads of state, according to The Washington Post, a consortium member. The journalists work for organisations including The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde, and The Financial Times.
The source of the leak and how it was authenticated – were not disclosed. While a phone number's presence in the data does not mean an attempt was made to hack a device, the consortium said it believed the data indicated potential targets of NSO's government clients. The Post said it identified 37 hacked smartphones on the list. The Guardian, another consortium member, reported that Amnesty had found traces of Pegasus spyware on the cellphones of 15 journalists who let their phones be examined after discovering their contact number was in the leaked data.
The most numbers on the list, 15,000, were from Mexico-based phones, with a large share in the Middle East. NSO Group's spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan, and Pakistan.
Amnesty also reported that its forensic researchers had determined that NSO Group's flagship Pegasus spyware was successfully installed on the phone of Post journalist Jamal Khashoggi's fiancee, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.
The Wire reported that forensic tests conducted, as part of the media investigation project, on a small cross-section of phones associated with these numbers revealed clear signs of targeting by Pegasus spyware in 37 phones, of which 10 are Indian. The Wire said the Indian phone numbers found in the database include 40 journalists, three major opposition figures, one constitutional authority, two serving ministers in the Narendra Modi government, current and former heads and officials of security organisations, and scores of businesspersons, as well as a sitting judge.
A majority of the numbers identified in the list were geographically concentrated in 10 country clusters: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
The leaked data includes the contact numbers of top journalists at big media houses like the Hindustan Times, India Today, Network18, The Hindu and Indian Express, The Wire said.
Those who were targeted include The Wire’s founder-editors Siddharth Varadarajan and MK Venu, diplomatic editor Devirupa Mitra, and other The Wire journalists like Rohini Singh, columnist Prem Shankar Jha, and journalist Swati Chaturvedi. The list also includes The Hindu’s Vijaita Singh, Indian Express’s Ritika Chopra and Muzamil Jaleel, India Today’s Sandeep Unnithan and TV18’s Manoj Gupta. Further, national security reporter Saikat Datta, senior journalist and former editor of Economic and Political Weekly Paranjoy Guha Thakurta, former TV18 anchor Smita Sharma, former Outlook journalist SNM Abdi and ex-DNA reporter Iftikhar Gilani were also part of the list, The Wire reported.
I was targeted through the Pegasus spyware after my Jay Shah and Nikhil Merchant stories and while researching my story on @PiyushGoyal’s shady dealings. I would urge the government to stop reading my conversations and instead read my stories and try to get it’s house in order!
— Rohini Singh (@rohini_sgh) July 18, 2021
Through exchanges with @FbdnStories learnt my phone was snooping target in 2018-2019 when I was with The Tribune.Though my phone remained uncompromised. Snooping may be an old political tool,but it never was or Is right. Cannot be legitimised in a democracy. My remarks #Pegasus pic.twitter.com/G7zK3oZ9mO
— Smita Sharma (@Smita_Sharma) July 19, 2021
The mobile phone of a former Delhi University professor was also allegedly targeted, while the database also included at least nine numbers belonging to eight activists, lawyers and academics arrested between June 2018 and October 2020 for their supposed role in the Elgar Parishad case.
The Wire, however, added that the mere presence of a phone number in the leaked data does alone not reveal whether a device was infected. "Indeed, it is not possible to know whether their phones were targeted by Pegasus spyware... without digital forensic analysis," it said.
Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously controls the smartphone's microphones and cameras. In the case of journalists, that lets hackers spy on reporters' communications with sources. The programme is designed to bypass detection and mask its activity. NSO Group's methods to infect its victims have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called 'zero-click' option.
Pegasus had surfaced in the Indian news media in 2019 when it was found that activists and lawyers, who represented those arrested in the Bhima Koregaon case, were among those who were targets of ‘state-of-the-art-
WhatsApp had then alleged that Pegasus could send a link to a victim’s phone and can get installed on the phone even without the victim taking any action, like clicking on it or opening the message. In the case of May 2019, users received a missed video call on WhatsApp. The moment the phone rang, without users needing to answer that call, the malware was allegedly installed on the victim’s phone.
Once it gets into a particular phone, Pegasus can access passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. It can even turn on the microphone and the camera and use the GPS function on the phone to track a target’s location and movements.
The government has dismissed allegations of any kind of surveillance on its part on specific people, saying it "has no concrete basis or truth associated with it whatsoever".
Asserting that "India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right", the government dismissed the media report as an attempt to play "the role of an investigator, prosecutor as well as jury."
Responding to the reports, the government referred to its reply given to the media consortium and said similar claims were made in the past as well regarding the use of Pegasus on WhatsApp by India and those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
"This news report, thus, also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions," the government said.
It further said that there is a well-established procedure through which "lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States" and the procedure ensures that any interception, monitoring or decryption of any information through any computer resource is done as per a due process of law.
The government, in its response, said India is committed to ensuring the right to privacy to all its citizens as a fundamental right and for that, it has also introduced the Personal Data Protection Bill, 2019 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, to protect the personal data of individuals and to empower users of social media platforms.
The commitment to free speech as a fundamental right is the cornerstone of India's democratic system, it said.
"We have always strived to attain an informed citizenry with an emphasis on a culture of open dialogue. However, the questionnaire sent to the Government of India indicates that the story being crafted is one that is not only bereft of facts but also founded in preconceived conclusions," it said, referring to the queries it had received from the media consortium.
"It seems you are trying to play the role of an investigator, prosecutor as well as jury. Considering the fact that answers to the queries posed have already been in the public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organizations involved," the government said in its response to the global media collective that worked on 'Project Pegasus'.
Government of India’s response to inquiries on the ‘Pegasus Project’ media report. pic.twitter.com/F4AxPZ8876
— ANI (@ANI) July 18, 2021
The report came just a day before the start of the Monsoon Session of Parliament and could see the matter being raised in the two houses, Lok Sabha and Rajya Sabha, beginning on Monday, July 19. Some opposition leaders are also expected to give notices for adjournment or debate on this issue.
ANI has reported that CPI Rajya Sabha MP Binoy Viswam has submitted a suspension of business notice under Rule 267 over the revelations that have emerged.
(With agency inputs)