The story so far: The Washington Post and human rights non-profit Amnesty International have alleged that the spyware instance known as Pegasus continues to be in use, on this occasion targeting journalists in India. Based on newfound data from the latter organisation’s Security Lab, the two organisations have said the phones of founding editor of the online news portal The Wire, Siddharth Varadarajan, and South Asia editor of the Organised Crime and Corruption Report Project (OCCRP) Anand Mangnale were infected with the spyware. The alleged incursion was identified in October 2023 following a forensic analysis, and after phone-maker Apple had issued security notifications to its users, including certain Members of Parliament, that their iPhones were being targeted by “state-sponsored attackers”.
What has Amnesty International alleged?
After Apple issued a security notification to certain iPhone users, including MPs, in October, researchers at Amnesty International’s Security Lab analysed the allegedly infected devices, including those belonging to Mr. Varadarajan and Mr. Mangnale. At the end of their examination, they reported finding traces of Pegasus’s activity on their respective devices.
Security Lab concluded that a message to facilitate a “zero-click exploit” had been sent to Mr. Mangnale’s phone over his iPhone’s iMessage app on August 23. (iMessage is an iPhone app to send/receive SMSes as well as chat with other iPhone users.) Once received, the message was designed to covertly install Pegasus on the device.
“The attempted targeting of Anand Mangnale’s phone happened at a time when he was working on a story about an alleged stock manipulation by a large multinational conglomerate in India,” an Amnesty report stated.
Mr. Varadarajan was allegedly targeted with Pegasus on October 16. According to Amnesty researchers’ analysis, the attacker had used the same email address to target both Mr. Varadarajan and Mr. Mangnale: firstname.lastname@example.org.
What is a zero-click exploit?
A zero-click exploit is malicious software that allows spyware to be installed on a device without the device owner’s consent. More importantly, it doesn’t require the device owner to perform any actions to initiate or complete the installation. To compare, regular apps may require a user to click ‘install’, ‘confirm’, etc. to complete an installation.
The specific exploit allegedly in use on the two devices is called “BLASTPAST” (previously identified as “BLASTPASS”). It plays out in two phases. In the first, the attack attempts to establish a link with the Apple HomeKit – which gives users a way to control multiple smart devices – on the target’s device. In the second, some malicious content is sent via the iMessage app to the target. According to Amnesty, the purpose of the first phase – the ‘outreach’ – could be to determine how the device can be exploited or to keep it in sight for further exploitation in the future. The second phase is the one that delivers the full spyware “payload”.
According to Amnesty, the purpose of the first phase – the ‘outreach’ – could be to determine how the device can be exploited or to keep it in sight for further exploitation in future. The second phase is the one that delivers the full spyware “payload”.
“The two-stage attack process seen in this case is similar to the previous PWNYOURHOME Pegasus attack vector described by Citizen Lab and independently observed by the Security Lab,” Amnesty’s report observed.
Mr. Mangnale’s phone was vulnerable to the exploit at the time of the alleged attack. Mr. Varadarajan’s was not, however, because by then Apple had rolled out its 16.6.1 security update to tackle such intrusions. In both cases, however, evidence has reportedly not been found for Pegasus successfully ‘infecting’ the devices.
How has Pegasus’s maker responded?
The Washington Post quoted a statement from the Israeli company NSO, which makes and distributes Pegasus, as saying that while NSO can’t comment on specific customers, it “[stresses] again that all of them are vetted law enforcement and intelligence agencies that licence our technologies for the sole purpose of fighting terror and major crime”.
The statement reportedly added that the company’s policies and contracts provide mechanisms to avoid targeting journalists, lawyers, and human rights defenders or political dissidents who aren’t involved in terror or serious crimes. “The company has no visibility to the targets, nor to the collected intelligence,” NSO stated.
What all has happened until now?
In July 2021, an international collaboration of journalists – including in The Wire in India, The Guardian in the U.K., and The Washington Post in the U.S. – called ‘Pegasus Project’ reported that at least 40 journalists, Cabinet ministers, and holders of constitutional positions in India were possibly surveilled using Pegasus. Their reports were based on a database of some 50,000 phone numbers that Parisian non-profit Forbidden Stories and Amnesty International had unearthed. These numbers had reportedly been of interest to clients of the NSO Group.
In October that year, the Supreme Court put together a committee to examine these reports’ allegations. The committee submitted its report in August 2022; its findings have yet to be made public. The committee noted nonetheless that the Indian government “did not cooperate” with its mission.
In the wake of the ‘Pegasus Project’ revelations, activists filed several petitions with the Supreme Court alleging a mass surveillance exercise by the government to muzzle free speech and democratic dissent. In response, the apex court asked the Centre to file a detailed affidavit vis-a-vis its use of Pegasus. The Centre refused to comply, however, contending that such a public affidavit would compromise the country’s national security.