Narendra Modi’s government has been accused of treason and “unforgivable sacrilege” by the political opposition in India following a series of reports by the Pegasus project revealing several journalists, activists and an opposition election strategist had their phone numbers included in a data leak of more than 50,000 numbers that, since 2016, are believed to have been selected as those of persons of interests by government clients of NSO Group.
The stories, published in the Guardian and in partner media outlets around the world on Sunday and Monday, revealed details of hundreds of verified Indian phone numbers that appear in leaked records of numbers.
They include two phone numbers belonging to India’s most prominent political opposition figure, Rahul Gandhi, who led the Congress party to defeat in the 2019 elections. The leaked records show his number was selected as a possible target the year before and in the months after the vote.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
It is not possible to say whether a phone in the leaked data was infiltrated or successfully hacked without forensic analysis. But the investigation confirmed infections by NSO Group’s surveillance software Pegasus, or signs of potential targeting, on phones linked to 10 Indian numbers and on an additional 27 phones around the world.
The surveillance software, which India has never confirmed using, is licensed only to national governments. Analysis of the phone numbers selected for possible surveillance by the NSO client in question indicates that it was predominately used to target Indian numbers including those of critics of the Modi government.
In a statement, Congress accused the Modi government of being the “deployer and executor” of a “spying racket”.
“This is clearly treason and total abdication of national security by the Modi government, more so when the foreign company could possibly have access to this data,” said the Congress statement, which labelled Modi’s ruling Bharatiya Janata party (BJP) government as the “Bharatiya Jasoos [spy] party”.
“This is an unforgivable sacrilege and negation of constitutional oath by the home minister and the prime minister,” it added.
Traces of Pegasus – software with the ability to breach a phone, access its contents and turn it into a portable surveillance device – were found on the device of Prashant Kishor, an election strategist who clashed with Modi’s party during a state vote in April. Analysis of his phone showed he had been hacked using Pegasus as recently as the morning of the forensic examination.
Kishor told NDTV on Monday: “We used to suspect snooping but never realised hacking, that too from 2017 to 2021. Although I changed my handset five times, as the evidence suggests, hacking continues.”
Priyanka Gandhi, the general secretary of the Congress and sister to Rahul Gandhi, called the leaks “abhorrent” and an “affront to democracy”.
“If true, the Modi government seems to have launched a grave and sinister attack on the right to privacy – constitutionally guaranteed to Indian citizens as a Fundamental Right,” she said on Twitter.
The Pegasus project leaks prompted multiple denials from high-level figures in the Modi government, who sought to discredit the reports as coming from those with an “anti-India agenda”.
Speaking in parliament, India’s IT minister, Ashwini Vaishnaw – whose own phone numbers were identified as targets in 2017, before he entered parliament – said the project’s claims about Indian surveillance were an “attempt to malign Indian democracy and its well-established institutions”.
“In the past, similar claims were made regarding the use of Pegasus on WhatsApp. Those reports had no factual basis and were denied by all parties,” Vaishnaw said, to heckling from the opposition benches.
He added: “The presence of a number on the list does not amount to snooping ... there is no factual basis to suggest that use of the data somehow amounts to surveillance”
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”, and has disputed that the data includes details of those its clients sought to target. In statements issued through its lawyers, NSO said it would “continue to investigate all credible claims of misuse and take appropriate action”.
Citing NSO’s denial, Vaishnaw said the list of countries published as using Pegasus was “incorrect” and that “any form of illegal surveillance was not possible” in India because of a rigorous process of bureaucratic checks and balances.
India’s home minister, Amit Shah, Modi’s closest political ally, accused “global organisations which do not like India to progress” of being behind the reports of possible surveillance of Indian politicians, journalists, activists and government critics.
“This is a report by the disrupters for the obstructers,” said Shah in a statement. “Disrupters are global organisations which do not like India to progress. Obstructers are political players in India who do not want India to progress. People of India are very good at understanding this chronology and connection.”
In a press conference, the former IT minister Ravi Shankar Prasad alleged that only India was being “targeted” for the use of Pegasus when 40 nations were using it, according to NSO. The Pegasus project is reporting on apparent abuse of the software by at least 10 countries.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Prasad accused Amnesty International, which had access to the leaked data, of having “an anti-India agenda”. He also accused the opposition Congress party of a role in the story because “they are losing power” and questioned whether the allegations were “some kind of revenge for the way India handled Covid?”
Many of those in India whose numbers appeared in the leaked data called for NSO to revoke the Indian government’s licence for Pegasus software due to “violations”. The software is only supposed to be used to investigate criminal activity or terrorism.
“Pegasus is a cyber-weapon, a controlled defence export from Israel under 2007 Act as per Wassenaar [Arrangement], with strict EUMA,” said Sushant Singh, an Indian journalist whose phone was examined by Amnesty’s Security Lab, the technical partner to the project.
It found proof that his phone had been compromised using Pegasus. “That [weapon] has been used in India against its own citizens,” he said. “Imagine if a fighter jet or missile of same category was used against Indians similarly. That’s it.”
