An epic-sized phone-hacking scandal

The TLDR: Paris-based media non-profit Forbidden Stories and Amnesty International accessed a global database of more than 50,000 phone numbers—which may have been targeted by a powerful spyware tool called Pegasus. In India, these include phones of 40 journalists, three opposition leaders, serving government ministers, current and former officials of security organisations and businesspersons. We look at who was targeted and how Pegasus works.

What happened here, exactly?

• The two NGOs—Forbidden Stories and Amnesty International—accessed a global database of phone numbers, stripped of names. 
• The purpose of the database is still unclear: “The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.” 
• But the organisations shared these numbers with key media organisations around the world who helped identify the owners of these numbers. 
• Amnesty’s Security Lab conducted forensic analysis on 67 smartphones, of which 23 were successfully infected and 14 showed signs of attempted hacking.
• In India, the larger list included numbers of 40 journalists at leading media publications—including Hindustan Times, India Today and Indian Express. 
• Overall, at least 300 Indian numbers were on the list—including those of two cabinet ministers, three Opposition leaders, and several business persons.
• And at least ten Indian phones were subjected to forensic analysis. A key target: The Wire. Phones of two founding editors, diplomatic editor and two regular contributors showed signs of attempted or successful hack. 

Point to note: Here’s the big picture on who this global database included:

“[R]eporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.”

A bit of recent history to note: Back in 2019, WhatsApp informed more than two dozen Indians that their phones had been targeted by spyware. A Canadian-based NGO Citizen Lab confirmed that the tool used was none other than Pegasus. The targets included activists, journalists, human rights lawyers, and some of the accused in the Bhima Koregaon case.

So what is this Pegasus?

The spyware tool is made by an Israeli company called NSO which sells spyware like Pegasus to governments to help them catch terrorists and criminals—or so it claims. The secretive firm operated entirely under the radar until 2016, when its product was detected on the iPhone of a human-rights activist now in prison in the UAE. The company primarily built its reputation on the ability to crack Apple’s rigorous privacy measures. Also this:

“NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations.”

Most of the numbers came from 10 countries including India, Azerbaijan, Kazakhstan, Hungary, Saudi Arabia, UAE, Bahrain, Morocco, Mexico and Rwanda. So not parts of the world known for their commitment to democracy—and all of them are known clients of the NSO.

The WhatsApp lawsuit: In 2019, the company sued NSO in San Francisco, accusing it of targeting 1,400 of its users—including “100 journalists, prominent female leaders, several people who had been targeted with unsuccessful assassination attempts, political dissidents and human rights activists — as well as their families.” NSO has thus far failed to shut down the lawsuit.

Point to note: As the Financial Times reports, “Through Pegasus, Israel has acquired a major presence—official or not—in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates.” The Middle East accounts for more than half the revenue of this billion-dollar company. 

The NSO response: to the latest revelation was to “firmly deny” the “false claims,” dismissing the media coverage as a kind of “conspiracy theory” peddling a “salacious narrative.” It made clear that it does not operate the technology it sells, and has shut down several customer relationships where it has detected misuse of data. In sum, it claims to be the ‘good guy’:

“The fact is, NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings… Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

FYI: in its response to WhatsApp’s users, NSO acknowledged that its software was used to access its users' data.

Ok, but what does Pegasus actually do?

Login

Complaints, suggestions or just wanna say hi? Talk to us at talktous@splainer.in