Contrary to the Union government’s claim last year that the allegations of illegal surveillance in the country were 'sensationalist and lacked substance', the Organised Crime and Corruption Reporting Project (OCCRP) has reportedly found that a hardware shipment made to India’s Intelligence Bureau (IB) matched the specifications in a Pegasus spyware brochure. As per a report released by the OCCRP on October 20, Thursday, import documents show that the country’s main domestic intelligence agency had “bought hardware from the Israeli spyware firm NSO Group”, which “matched the description of equipment used elsewhere to deploy the company’s flagship Pegasus software.”
The finding by Sharad Vyas and Jurre van Bergen of the OCCRP follows a report by the New York Times in January this year, which had alleged that the Indian government purchased Pegasus spyware in 2017 as part of a major arms deal with Israel. Pegasus is a military-grade programme known to infect a targeted device with surveillance software, all the while remaining covert and undetected. It can capture keystrokes, intercept communications, track the device, and use the camera and microphone to spy on the user. What's different about Pegasus from other spyware is it has 'write' capabilities — not only can it spy on targets, but can also plant material on the target's device.
Pegasus is known to have been used against journalists, activists, and political dissidents according to the Pegasus Project, an international consortium of media organisations who worked to uncover who might have fallen victim to Pegasus. The Pegasus Project’s investigation in India had revealed that a number of phones of prominent journalists and senior politicians — including Congress party leader Rahul Gandhi — had potentially been infected by the malware.
In July last year, Union Minister of Information Technology Ashwini Vaishnaw dismissed these reports in the Lok Sabha, alleging that they were part of an “attempt to malign Indian democracy." Later in October 2021, the Supreme Court set up a committee to probe the Pegasus snooping allegations.
The committee formed by the court subsequently submitted its report in August this year, stating that it had found malware in five out of the 29 devices submitted, but there was no conclusive evidence that it was Pegasus. It also noted that the Union government did not cooperate with its probe. However the committee’s report was not made public, apart from an annex recommending legal reforms related to cybersecurity and privacy.
The OCCRP’s report is primarily based on the import data it reviewed, which reportedly shows that the New Delhi-based IB received a shipment of hardware from NSO in Israel in April 2017, matching the description of equipment used elsewhere to run the Pegasus software. The shipment reportedly carried equipment worth $315,000, and was delivered by air.
“The consignment included Dell computer servers, Cisco network equipment, and ‘uninterruptible power supply’ batteries, which provide power in case of outages, according to a bill of lading obtained through a global trade data platform that draws on national customs documents,” the report says.
According to the OCCRP, the timing of the shipment and its description (it was marked as “for Defence and Military Use”) matched the account given in the January report by the New York Times, which stated, “Pegasus and a missile system had been centrepieces of a major 2017 arms deal between Israel and India." The conclusion of that deal was announced on April 6 that year by Israel Aerospace Industries, which was contracted to supply missile defence systems, a week and a half before the customs documents show the shipment took place, the report said.
The OCCRP has maintained that it is not possible to say conclusively whether the imported hardware was used for Pegasus. However, it points out that the specifications of the shipment resemble those laid out in a brochure for Pegasus spyware, as submitted to a United States court in a lawsuit filed against NSO Group by Meta, the parent company of Facebook and WhatsApp, in 2019. “The brochure — which notes that necessary hardware is supplied with the system upon deployment — outlines the need for two computer racks, network equipment, servers, network cables, and batteries to keep the servers running in case of outages. This hardware is needed to run the Pegasus platform and store data extracted from mobile phones,” the OCCRP says in its report.
Besides, Mexican news outlet Aristegui Noticias had formerly reported on a contract for Pegasus between a Mexican company and NSO Group. The specifications of the shipment resemble those outlined in this contract too, the report says, adding that documents from the Meta lawsuit also show similar hardware shipments made to Ghana, another NSO Group customer.
The OCCRP report also adds that while the NSO Group and India’s IB did not respond to their questions, “two intelligence officials — a senior officer and a contractor — also told OCCRP that Pegasus had been purchased by the government in 2017.” The report also notes that India’s National Security Adviser Ajit Doval had reportedly visited Israel in late February 2017, ahead of a historic visit by Indian Prime Minister Narendra Modi to Israel which took place in July that year.
Responding to OCCRP’s findings, Etienne Maynier, a security researcher at Amnesty International, said that the findings “provide strong and alarming evidence of surveillance transfers with Indian authorities." Asking India’s Supreme Court to make its committee’s report on the use of the spyware in the country public “immediately and without further delay”, he said, “All the victims of Pegasus spyware abuse in India deserve transparency, and the Indian authorities should come clean on their relationship with NSO.”
Meanwhile, CPI(M) General Secretary Sitaram Yechury took to Twitter to react to the OCCRP report. “Pegasus has been used to hack phones and snoop upon Opposition parties, Election Commissioners, members of the judiciary, lawyers and journalists. At least now the Modi government should come clean. The truth cannot be hidden for long,” he wrote in a tweet.