The TLDR: Paris-based media non-profit Forbidden Stories and Amnesty International accessed a global database of more than 50,000 phone numbers—which may have been targeted by a powerful spyware tool called Pegasus. In India, these include phones of 40 journalists, three opposition leaders, serving government ministers, current and former officials of security organisations and businesspersons. We look at who was targeted and how Pegasus works.

What happened here, exactly?

• The two NGOs—Forbidden Stories and Amnesty International—accessed a global database of phone numbers, stripped of names. 
• The purpose of the database is still unclear: “The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled.” 
• But the organisations shared these numbers with key media organisations around the world who helped identify the owners of these numbers. 
• Amnesty’s Security Lab conducted forensic analysis on 67 smartphones, of which 23 were successfully infected and 14 showed signs of attempted hacking.
• In India, the larger list included numbers of 40 journalists at leading media publications—including Hindustan Times, India Today and Indian Express. 
• Overall, at least 300 Indian numbers were on the list—including those of two cabinet ministers, three Opposition leaders, and several business persons.
• And at least ten Indian phones were subjected to forensic analysis. A key target: The Wire. Phones of two founding editors, diplomatic editor and two regular contributors showed signs of attempted or successful hack. 

Point to note: Here’s the big picture on who this global database included:

“[R]eporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.”

A bit of recent history to note: Back in 2019, WhatsApp informed more than two dozen Indians that their phones had been targeted by spyware. A Canadian-based NGO Citizen Lab confirmed that the tool used was none other than Pegasus. The targets included activists, journalists, human rights lawyers, and some of the accused in the Bhima Koregaon case.

So what is this Pegasus?

The spyware tool is made by an Israeli company called NSO which sells spyware like Pegasus to governments to help them catch terrorists and criminals—or so it claims. The secretive firm operated entirely under the radar until 2016, when its product was detected on the iPhone of a human-rights activist now in prison in the UAE. The company primarily built its reputation on the ability to crack Apple’s rigorous privacy measures. Also this:

“NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations.”

Most of the numbers came from 10 countries including India, Azerbaijan, Kazakhstan, Hungary, Saudi Arabia, UAE, Bahrain, Morocco, Mexico and Rwanda. So not parts of the world known for their commitment to democracy—and all of them are known clients of the NSO.

The WhatsApp lawsuit: In 2019, the company sued NSO in San Francisco, accusing it of targeting 1,400 of its users—including “100 journalists, prominent female leaders, several people who had been targeted with unsuccessful assassination attempts, political dissidents and human rights activists — as well as their families.” NSO has thus far failed to shut down the lawsuit.

Point to note: As the Financial Times reports, “Through Pegasus, Israel has acquired a major presence—official or not—in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates.” The Middle East accounts for more than half the revenue of this billion-dollar company. 

The NSO response: to the latest revelation was to “firmly deny” the “false claims,” dismissing the media coverage as a kind of “conspiracy theory” peddling a “salacious narrative.” It made clear that it does not operate the technology it sells, and has shut down several customer relationships where it has detected misuse of data. In sum, it claims to be the ‘good guy’:

“The fact is, NSO Group’s technologies have helped prevent terror attacks, gun violence, car explosions and suicide bombings… Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

FYI: in its response to WhatsApp’s lawsuit, NSO acknowledged that its software was used to access its users' data.

Ok, but what does Pegasus actually do?

It is one of the world’s most powerful types of spyware. Earlier versions relied on a user clicking on a malicious link either via text message or email. It now specialises in “zero click” attacks that don’t require you to do anything. For example, in 2019, it was revealed that Pegasus could infiltrate your phone using a simple missed call on WhatsApp—which didn’t even require you to answer that call. More recently, the tool has been exploiting vulnerabilities in Apple’s iMessage software—even its Photos and Music apps:

“For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.”

What it does: Once installed, Pegasus has access to absolutely everything on your phone:

“Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.”

More importantly, experts note, the attackers obtain so-called “root” or administrative privileges—which allows them to do more than what the owner of the device can do.

Does the government have any response?

That’s a good question since NSO only sells its software to governments and their intelligence agencies. Here’s what the government said to The Guardian:

“[T]he questionnaire sent to the government of India indicates that the story being crafted is one that is not only bereft of facts but also founded in preconceived conclusions. It seems you are trying to play the role of an investigator, prosecutor as well as jury…

 

India’s minister of electronics and IT has also spoken in detail, including in the parliament, that there has been no unauthorised interception by government agencies. It is important to note that government agencies have a well-established protocol for interception, which includes sanction and supervision from highly ranked officials in central and state governments, for clear stated reasons only in national interest.”

In fact, the government has repeatedly ducked directly answering whether it has purchased or used Pegasus. When pressed in Parliament in 2019, then IT Minister Ravi Shankar Prasad merely reiterated the same line about established procedures for surveillance.

The bottomline: As long as we have weak laws that do little to curb our governments’ ability to spy on its citizens, there will always be a long line of customers for Pegasus.

Reading list

The Washington Post has the best long read on the global project, and its findings. As one of the selected media partners for Amnesty, The Wire has the most details on the Indian targets. The Guardian does an excellent job of explaining how Pegasus works. Financial Times has the best profile on NSO—but is behind a paywall. The Wire and Scroll have more on the WhatsApp targeting of Indian citizens back in 2019. Wired offers an in-depth analysis of the WhatsApp lawsuit. Times of Israel has more on how the Israeli government pushed Pegasus on Middle East countries.