In what could trigger a stormy start to the Monsoon session of Parliament commencing Monday, a global collaborative investigative project has revealed that Israeli company NSO Group’s Pegasus spyware targeted over 300 mobile phone numbers in India including that of two serving Ministers in the Narendra Modi government, three Opposition leaders, one constitutional authority, several journalists and business persons.
The Wire, a digital news platform, which is part of the collaboration, reported Sunday that the leaked global database of 50,000 telephone numbers, was first accessed by French non-profit Forbidden Stories and Amnesty International, and then shared with 16 media partners: The Guardian, Washington Post, Le Monde, Suddeutsche Zeitung, and 11 other Arab and European organisations.
The Indian list of 300 “verified” numbers includes those used by “ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”, it said. The Guardian, however, said the presence of a phone number in the database was not a confirmation of whether the corresponding device was infected with Pegasus or was subject to an attempted hack.
“…the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts,” it reported.
The NSO Group describes its customers as 60 intelligence, military and law- enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations, said The Washington Post. Responding to an earlier lawsuit by WhatsApp in California, NSO Group had said that Pegasus was used by sovereign governments in foreign countries.
In response to the development, the government said: “The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever. In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian state. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court. This news report, thus, also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.”
The Indian Express had in 2019 reported that Facebook-owned WhatsApp had confirmed use of Pegasus to target journalists and human right activists in India. WhatsApp had made the disclosure in a lawsuit it had filed in a US court in San Francisco.
In this, it had alleged that the NSO Group targeted around 1,400 WhatsApp users with Pegasus. Among those then targeted in India were several human rights activists and lawyers working in tribal areas, an Elgar Parishad case accused, a Bhima Koregaon case lawyer, a Dalit activist, journalists reporting on defence and strategy, and a Delhi University lecturer.
However, WhatsApp was one of the attack vectors used to infiltrate the mobile phones of selected targets using Pegasus. Other known vectors include SMS and iPhone’s iMessage service in addition to unknown vulnerabilities that a Pegasus user might exploit to install the spyware.
Once the spyware is installed, Pegasus can potentially harvest most of the data on the device including SMS, emails, WhatsApp chats, call logs, GPS data, contact lists and transmit it back to the attacker. It can also activate functionalities such as camera, microphone, call recording, etc to provide surveillance capabilities to the client.
According to the NSO Group, as reported by The Wire, the leaked database is “not a list of numbers targeted by governments using Pegasus” and that it had “good reason to believe” the leaked data “may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”.
Additionally, the NSO Group disputed that Pegasus was used to target 50,000 persons, suggesting that the scale of targeting across all government clients was around 5,000 a year.
In its previous statements, even though the government did not clearly admit to or deny buying or using NSO Group’s Pegasus to conduct surveillance, the Israeli firm, in its response to WhatsApp’s lawsuit in California had noted: “…there is no dispute that alleged use of Pegasus to message 1,400 foreign WhatsApp users in April and May 2019 was done by sovereign governments in foreign countries”.
“NSO is a highly-regulated enterprise that provides government agencies an essential tool to monitor terrorists and criminals, analogous to companies that supply the US military with aircraft, weapons and cyber-intelligence tools,” it added.
In a written response to the Parliament in November 2019, then Minister of State for Home Affairs G Kishan Reddy had said: “Section 69 of the Information Technology Act, 2000 empowers the Central Government or a State Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence”.
He had added that the Central government has authorised 10 agencies to intercept communications. These are Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North East and Assam only), and Commissioner of Police, Delhi.