NEW DELHI — A powerful surveillance tool licensed only to governments was used to infiltrate mobile phones belonging to at least seven people in India and was active on some of their devices as recently as this month.
The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others.
The confirmed infections of seven phones represent a tiny fraction of what may be a vast surveillance net in Modi’s India.
Hundreds of Indian phone numbers appeared on a list that included some selected for surveillance by clients of NSO Group, an Israeli firm. The list contained numbers for Rahul Gandhi, India’s main opposition leader; Ashok Lavasa, a key election official considered an obstacle to the ruling party; and M. Hari Menon, the local head of the Bill and Melinda Gates Foundation.
Others included on the list were journalists, activists, opposition politicians, senior officials, business executives, public health experts, Tibetan exiles and foreign diplomats. A group of Modi critics accused of plotting to overthrow the government also appeared on the list.
The spyware that infiltrated seven of the analyzed phones is called Pegasus. It secretly unlocks the contents of a target’s mobile phone and transforms it into a listening device. NSO says it licenses the tool exclusively to government agencies to combat terrorism and other serious crimes.
In India, use of the spyware appears to have gone well beyond those objectives. Five of the phones infiltrated in India belonged to journalists and one to a high-profile political adviser working for Modi’s opponents.
More than 1,000 phone numbers in India appeared on the list, according to a months-long collaborative investigation by The Washington Post and 16 media partners in 10 countries. The consortium verified the identities of the people associated with more than 300 of the numbers in India.
It is not known how many of the phones on the list were actually targeted for surveillance or how many attempts were successful. Forensic analyses performed on 22 smartphones in India whose numbers appeared on the list showed that 10 were targeted with Pegasus, seven of them successfully. Eight of the 12 inconclusive results involved Android phones, which do not log the information needed for the method used to uncover infection.
Sushant Singh, an Indian journalist whose phone number first appeared on the list in 2018, reported extensively on a controversial purchase of fighter jets from France by the Modi government. Pegasus was active on Singh’s iPhone as recently as this month, a forensic analysis showed.
The targeting of journalists creates “an environment of fear and intimidation” where “democracy eventually stands weakened,” Singh said.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to the list of thousands of phone numbers worldwide and shared it with The Post and other outlets. Forbidden Stories oversaw the investigation, called the Pegasus Project, and Amnesty International’s Security Lab provided forensic analyses and technical support but had no editorial input.
It is not clear how many of the mobile phones on the worldwide list were ultimately infected by spyware. In all, Amnesty’s Security Lab examined 67 phones where attacks were suspected. Thirty-seven phones showed traces of Pegasus activity: 23 were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive. Half of them were Android devices, which do not store the types of data needed by Amnesty to indicate infection.
How Pegasus works
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.
Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.
Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.
The numbers from India and to a lesser extent Pakistan that appeared on the list offer a portrait of an NSO client’s priorities in the region. The records included at least one number once used by Pakistani Prime Minister Imran Khan, as well as hundreds of others in the country. Khan did not respond to a request for comment.
Yet there were many more Indian numbers on the list. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, has found evidence that 10 countries represented on the list, including India, have been clients of NSO, according to Bill Marczak, a senior research fellow.
India has neither confirmed nor denied that it obtained Pegasus spyware. In 2019, WhatsApp said it had uncovered a vulnerability through which more than 1,400 of its users worldwide were targeted using Pegasus, a group that included people in India. In a parliamentary debate later that year, then-Indian law minister Ravi Shankar Prasad repeatedly declined to answer questions about whether the country had bought the tool. Prasad said that no “unauthorized” surveillance had occurred.
In response to detailed questions, a statement from India’s Ministry of Electronics and Information Technology said the claim of government surveillance of specific people “has no concrete basis or truth associated with it whatsoever.”
The government did not respond to questions about whether it is an NSO Group client. The statement said that “any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.”
In lengthy responses, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities. It added that its technologies have helped prevent terrorist attacks and bombings and broken up rings that trafficked in drugs, sex and children.
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations,” the company said.
More than 30 Indian journalists appeared on the list. Those whose phones were compromised, forensic analysis showed, included Siddharth Varadarajan and M.K. Venu, two co-founders of the Wire, an Indian digital media outlet and a partner in the Pegasus Project.
Another person successfully targeted with Pegasus software was Prashant Kishor, an influential campaign strategist who once worked for Modi but this year helped defeat his party in a crucial state election. Kishor’s phone was compromised as recently as July 14, a forensic analysis showed. He said the apparent surveillance was “really disappointing.” Those responsible “were looking to take undue advantage of their position of power with the help of illegal snooping,” Kishor said.
Some of the Indian numbers on the list belonged to people who could be viewed as legitimate targets of inquiry by Indian law enforcement or intelligence services, including some belonging to people connected to ongoing criminal investigations.
Yet the numbers also included people who did not appear to have had run-ins with law enforcement authorities. In addition to the journalists, there were opposition politicians, activists, several public health experts and business executives. Some were government critics, while others seemed to be allies.
Two ministers in Modi’s government — Ashwini Vaishnaw, the new minister for information technology, and Prahlad Singh Patel, a junior minister for water resources — were among those whose phone numbers appeared on the list. Vaishnaw and Patel did not respond to requests for comment.
One of the most prominent people on the list was Rahul Gandhi, a leading opposition figure and the great-grandson of India’s first prime minister. When numbers used by Gandhi were added to the list in 2018, he was Modi’s chief rival in upcoming national elections.
Those selected included not only Gandhi but some of his staff members and friends. Alankar Sawai and Sachin Rao, two of his close advisers, were among those whose numbers appeared on the list, as were several of Gandhi’s personal friends. Sawai and Rao did not answer requests for comment.
Gandhi responded with a statement. “Targeted surveillance of the type you describe, whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India is illegal and deplorable,” he said. “If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”
Another person who was an impediment to Modi’s ambitions was also on the list: Ashok Lavasa, a senior official who was in line to lead the powerful Election Commission of India. Lavasa determined that Modi repeatedly violated election guidelines during the 2019 national campaign. He later resigned from the commission. Lavasa declined to comment.
Others had nothing to do with politics. Several people working in India’s health sector are represented on the list, among them Gagandeep Kang, a virologist, and two employees of the U.S. Centers for Disease Control and Prevention based in Delhi.
In 2018, Kang was helping with aspects of the response to an outbreak of the deadly Nipah virus in the southern Indian state of Kerala. She urged Indian health officials to share blood samples of those infected with a global initiative to develop vaccines against future pandemics, an effort that was ultimately fruitless. Kang struggled to imagine why she would be deemed a target of surveillance. “I lead a very, very boring life,” she said.
M. Hari Menon, the India country head for the Bill and Melinda Gates Foundation, and at least one other foundation employee were added to the list in mid-2019. It was a period when the foundation was extending a significant honor to Modi: In September, the prime minister was named a “global goalkeeper” at an annual ceremony in New York for his work on sanitation. Menon did not respond to a request for comment.
Proximity to India’s top officials was also common among some on the list. In 2019, a woman made an explosive complaint against the chief justice of India’s Supreme Court, accusing him of sexual harassment. After she rebuffed his advances, she said, she was dismissed from her job at the court. The justice denied the allegations.
After the woman’s accusations went public, family members said they received anonymous threats. At least 11 phone numbers used by the woman, her husband and two other family members were also on the list of those apparently selected for potential surveillance. The justice is now a member of Parliament with the ruling party.
The breadth of the potential targets in India raises legal questions. The Indian government has the power to “surveil, monitor and decrypt” communications, but hacking is a crime in India.
Lawyers looking to represent people whose phones have been hacked by Pegasus face an imposing hurdle: How can they challenge the legality of a tool that the government has never acknowledged using?
Legal surveillance requests in India are granted by a senior official in the Home Ministry, at both the federal and state levels. They are reviewed by a small committee of civil servants, and there is no oversight by the courts unless there is a challenge in a specific case. Only a minority of surveillance requests are rejected, said G.K. Pillai, former home secretary.
The federal government alone was approving as many as 9,000 telephone interception requests a month in 2014, according to an official reply to the Software Freedom Law Center.
Shashi Tharoor, a member of Parliament who chairs the committee on information technology and belongs to the opposition Congress Party, said hacking is against the law in India, except if the government “invokes a national security exception, which, to my knowledge, they have not done.” Surveillance using a spyware tool like Pegasus “would be illegal unless those who have done it can demonstrate otherwise.”
Michael Safi of the Guardian contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.