The Washington Post

Phone of Indian activist jailed on terrorism charges was infected with Pegasus spyware, new analysis finds

Delhi-based activist Rona Wilson, center, campaigned for the rights of those incarcerated in India for their political ideology. (Pratham Gokhale/Hindustan Times/Getty Images)

NEW DELHI — A smartphone belonging to jailed Indian activist Rona Wilson was infiltrated using NSO Group’s Pegasus spyware before his arrest, according to a new forensic analysis by Amnesty International’s Security Lab that reignites questions about the use of malware attacks against dissidents and government critics in India.

The analysis by Amnesty showed that two backups of an iPhone 6s belonging to Wilson, who has been in jail on terrorism charges since June 2018, had digital traces showing infection by the Pegasus surveillance tool, which its developer, the Israeli cybersecurity firm NSO Group, has said has been licensed only to government agencies. The analysis expands the findings reported by The Washington Post and a global media consortium in July that the tool has been deployed against a wide range of targets around the world, including human rights activists and journalists.

The Indian government has neither confirmed nor denied that it is an NSO Group client.

The phone backups were provided to Amnesty at the request of Wilson’s defense team by Arsenal Consulting, a U.S. digital forensics firm that examined an electronic copy of Wilson’s laptop provided by his lawyers. Amnesty’s new finding raises further questions about the Indian government’s case against Wilson, a Delhi-based activist who campaigned for the rights of those incarcerated for their political ideology. In February, Arsenal said Wilson’s computer had been hacked by an unknown attacker and that malicious software was used to plant documents that are cited in the charging documents as evidence against him.

Arsenal has worked on the case on a pro-bono basis.

Vijayanta Goyal Arya, a spokeswoman for the National Investigation Agency, the anti-terrorism authority overseeing the case, said that the charging documents have been filed “based on prosecutable evidence” and that the “forensic reports have been submitted to the court.” She declined to comment on the new forensic findings but said the agency seeks reports from labs recognized by the courts.

An NSO Group representative responded to a request for comment with a statement: “Without addressing specific countries and customers, the allegations raised in this inquiry are not clear. Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in an attempt to overthrow a (democratically-elected) government, this would not be considered a misuse of such tools by any means.”

Etienne Maynier, a technologist at Amnesty International, called the presence of Pegasus on Wilson’s phone “very worrying.”

“What we need is an independent investigation into who is at the origin of this attack and responsible for this abuse,” said Maynier. Legislation should prevent this kind of “unlawful surveillance” against human rights defenders, he said.

The Pegasus Project news investigation revealed that hundreds of numbers from India appeared on the global list of more than 50,000 phone numbers, which included some numbers selected for surveillance by NSO’s clients.

The list included numbers for Rahul Gandhi, India’s main opposition leader, and his aides; Ashok Lavasa, an election commissioner who ruled that Prime Minister Narendra Modi violated campaign guidelines in 2019; and more than 30 journalists.

Officials at the Ministry of Electronics and Information Technology declined to comment on the matter.

The phone numbers used by Wilson and seven other co-defendants were added to the list that included those selected for surveillance before their arrests. Three of the numbers were added in 2017, well before the event that police said precipitated the investigation: a commemoration of a 200-year-old battle held on Jan. 1, 2018, during which one person died in clashes near a village known as Bhima Koregaon.

An earlier examination by Amnesty confirmed the presence of Pegasus on a phone belonging to S.A.R. Geelani, who headed the Committee for the Release of Political Prisoners, the organization with which Wilson worked. Geelani, who died in 2019, was not a defendant in the Bhima Koregaon case.

Amnesty’s analysis of two electronic copies of Wilson’s phone backups revealed that his phone was first compromised using Pegasus spyware in July 2017. The traces of infection appear again in early 2018, according to Amnesty.

Wilson received at least 15 SMS messages with malicious links in a span of six months, the last of which was delivered four months before his arrest in June 2018, according to Maynier. Some were disguised as links to sign petitions on human rights causes, and others were advertisements.

The charging documents claim that Wilson and more than a dozen other activists were associated with a banned guerrilla group of Maoists in central India that aims to overthrow the government. The activists deny the charges.

The activists have been charged under a stringent anti-terrorism law that critics say Modi’s government has used increasingly against dissidents.

The trial in the Bhima Koregaon case has yet to begin. Those in jail include a prominent academic specializing in India’s caste structure, a discriminatory Hindu system based on birth; a lawyer who fought cases of tribal youths accused of being Maoists; and singers who wrote songs parodying Modi and his government.

In July, one of the defendants, Stan Swamy, an 84-year-old Jesuit priest suffering from Parkinson’s, died of ill health at a hospital after nearly eight months in jail. This month, Sudha Bharadwaj, a lawyer and trade unionist, became the first imprisoned activist in the case to be released on statutory bail after spending more than three years in jail.

The forensic analysis of Wilson’s phone backup was confirmed in a separate examination by Arsenal Consulting at the request of the defense team.

In February, The Washington Post was first to report that a forensic analysis showed Wilson’s laptop had been subject to a sophisticated malware attack in 2016, nearly two years before his arrest, in which an unknown hacker planted evidence, including a letter purportedly written by Wilson to a Maoist leader where he urged the group to assassinate Modi. A subsequent forensic analysis by Arsenal revealed that at least 30 incriminating documents recovered from Wilson’s device by the police had been planted.

A similar hack was perpetrated on a second co-defendant by the same attacker, according to Arsenal. Forensic experts based in North America reviewed the Arsenal reports at the request of The Post and said Arsenal’s conclusions were sound.

Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus and other spyware, has found evidence that India has been a client of NSO, according to Bill Marczak, a senior research fellow.

Since the publication of the project, several countries have ordered an internal investigation into the use of Pegasus. In India, the Supreme Court established a committee of experts overseen by a retired judge to investigate the findings.

The NSO Group has come under fire globally over the project’s findings. The U.S. Department of Commerce last month blacklisted the company, barring it from receiving American technologies.

Although NSO Group has denied the findings of the Pegasus Project news investigation, it has acknowledged problems with a client and said it suspended the contract when abuse of the spyware surfaced. The company vowed to investigate other allegations of misuse.

Wilson, 50, has spent more than 1,200 days in jail awaiting trial. Sanjay Kak, a filmmaker and writer who worked with Wilson on a few citizen campaigns for the release of political prisoners, called him a “quintessential self-effacing figure.”

“Ironically, he’s now at the other end of the very machine that he worked against,” Kak said.
