AN ANATOMY OF THE PEGASUS SPYWARE

 

The story so far

In a series of startling revelations by The Wire, Pegasus, the Israeli Spyware was found to have been used to potentially target hundreds of cell phone devices in India.

The leaked database was found by Forbidden Stories, a Paris based organization and Amnesty International, and it was shared with several news agencies across the world including The Wire. The database contains a list of thousands of potential targets of Pegasus from around the world. The Security Lab at Amnesty International provided the forensic analysis and technical support for the project.

The consortium has confirmed that there were clear signs of targeting by Pegasus in 10 Indian numbers and on 27 additional phones around the world. It must be noted that the consortium has not claimed or asserted that all the numbers in the leaked database have had infiltration attempts or were spied upon using the Pegasus software.

This is not the first time that Pegasus has been linked with the attack on journalists and human rights activists in India. The issue had cropped up once before in 2019 as well. On May 17, 2019, CERT.in issued a Vulnerability Note about a “Buffer Overflow Vulnerability in WhatsApp.” The note said that an attacker could exploit the said vulnerability to target a user’s phone number, could access information on the system and compromise it. Subsequently, on September 5, 2019, WhatsApp wrote a letter to CERT-In, conveying information in respect of an incident that had occurred in May, 2019 wherein the devices of 121 users in India “may have been attempted to be reached“. CERT-In reportedly sought more details from WhatsApp in relation to the said incident. Subsequently in November, 2019, a group of 19 lawyers and activists wrote a letter to the Central Government, mentioning that they had been targeted by Pegasus and further asking if the tax payers’ money had been put to use for conducting surveillance of such nature.

 

List of People who are targets/potential targets

There are two categories of people in the story that is still developing. First, the ones whose names/numbers have appeared on a leaked database containing “potential” or actual targets for surveillance by NSO’s Pegasus software. Second, the individual whose cell phone devices have undergone a forensic examination and the devices were found to have been compromised with the presence of the Pegasus spyware:

• Some of the prominent individuals whose names have appeared in the list as potential targets:

1. Rahul Gandhi (Opposition Leader of the Congress Party)
2. Abhishek Banerjee (Member of Parliament from West Bengal and National Secretary, Trinamool Congress)
3. Prahlad Singh Patel (Union MoS Jal Shakti)
4. Ashok Lavasa (Former Election Commissioner)
5. Ashwini Vaishnaw (Union Minister for IT and Railways)
6. Gagandeep Kang (Virologist)
7. Jagdeep Chokkhar (Head, Association for Democratic Reforms)
8. Sachin Rao, (Member, Congress Working Committee)
9. Pravin Togadia (Former International Working President, VHP)
10. M. Hari Menon (India Head, Bill and Melinda Gates Foundation)
11. Two employees of the U.S. Centers for Disease Control and Prevention, Delhi

 

• Some of the prominent individuals whose devices were found to have traces/presence of the Pegasus spyware:

1. Prashant Kishore (Election Strategist)
2. Late Syed Abdul Rahman Geelani (DU Professor and Human Rights Activist)
3. Siddhartha Varadarajan (The Wire)
4. MK Venu (The Wire)
5. Sushant Singh (Journalist)

 

What is Pegasus

Pegasus is a surveillance software or a spyware which is used to infiltrate mobile devices and then snoop on device owners by transferring data without knowledge or permission of the owner. The malware can be used on both Android and iOS devices but it has majorly been found to be present on iOS devices.

 

How does Pegasus work?

As soon as the spyware is installed on a mobile device, it starts getting in touch with the “command and control servers” of the operator. It can then follow instructions and send private data available on the mobile device which includes text messages, event schedules, contacts, passwords, voice calls on messaging apps, location data etc. The spyware also has the potential to turn on the phone camera and microphone, and spy on an individual’s calls and activities.

One of the prominent features of Pegasus is the “Zero Click attacks”. The Zero-Click infection means that the individual is not even required to open a link for them to be attacked with the malware. It gets installed by a missed call or a message. After the installation on a mobile device is complete, Pegasus can use some bypassing techniques in order to read encrypted messages on encrypted messaging apps such as Signal, WhatsApp and Telegram etc.

As reported by Forbidden Stories, NSO initially boasted about the unique offerings of Pegasus. The world at that time was dominated by malware links sent through attachments in emails. Pegasus then had the unique feature of “Zero-Click attacks” to offer which would contain malware links which were specifically designed or custom made for the target. When the targeted individual clicked on the said link, the phone would get automatically infected. Not only is the method of operation of the spyware scary, its presence on a mobile device is also difficult to ascertain.

 

The NSO Group

The NSO Group is an Israel based company which is engaged in the business of building and selling surveillance softwares. The firm has consistently maintained that it only sells the spyware to government agencies and it does not retain any data.

Approval for export of spyware:

Coupled with the high level of its invasiveness and the high potential for its misuse, Pegasus and other similar spyware tools are required to obtain an export license from the Israeli Ministry of Defense. Since all of this is shrouded in extreme secrecy, it is difficult to ascertain whether or not all the necessary protocols are being followed in the process of seeking the said approval.

 

Position taken by the NSO group on Pegasus spyware

• On sale of Pegasus: NSO has maintained that it only sells the surveillance software to government entities.
• On the leaks and the attacks: In the context of veracity of claims on the story, a lawyer engaged by the NSO group has stated that the “NSO Group had reason to believe that the records of thousands of phone numbers that the Pegasus Project’s media partners examined were not a list of Pegasus targets of various governments, but instead was part of a larger list of numbers that might have been used by NSO Group customers for other purposes.”  In a written response addressed to Forbidden Stories and its media partners, the NSO group wrote that the reporting by the Consortium was “based on wrong assumptions and uncorroborated theories” and reiterated that the company was on a life-saving mission”
• On modus operandi: NSO has maintained that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.

 

Court cases against the NSO Group

1. Lawsuit in the United States: WhatsApp filed a case against the NSO Group in a federal court in San Francisco, alleging that the company had used WhatsApp’s servers to hack into the mobile devices of 1400 individuals. WhatsApp has submitted in its court filings that NSO had gained “unauthorized Access” to its servers which it did by reverse-engineering the app and escaping the security elements of the app. In December, 2020, Microsoft, Google, Cisco and a couple of other big tech companies filed an amicus brief in the case, supporting the position taken by WhatsApp in the Trial.
2. Lawsuit in Israel: Amnesty International had filed a case against NSO, claiming that the export license granted to the NSO group must be cancelled owing to the human rights violations that occurred due to the use of Pegasus. The Tel Aviv District Court judge however found that Amnesty did not have enough evidence to support its allegation that a human rights activist’s phone was hacked or an attempt for such hacking had been done by NSO. The judge further said that the Israel’s Defence Ministry has enough safeguards in place to ensure the protection of human rights which are present in its export licensing process. After the dismissal of the case, the Israel Branch of Amnesty International called the court “a rubber stamp to the Defence Ministry’s impunity to human rights violations.”

 

NSO’s Transparency Report

In June, 2021 the NSO Group published its Transparency Report detailing the steps taken by the company to ensure that its technology was not being misused by its clients. A copy of the Report can be found here. The report claims that various steps are being taken by the company to “mitigate the risks of human rights violations”. The report was criticized by Amnesty International. Danna Ingleton (Deputy Director, Amnesty Tech) issued a statement terming “NSO Group’s latest report – which reads more like a sales brochure, is yet another missed opportunity“.

 

Past Instances of Pegasus and spying around the world

Following is a list of some incidents from around the world where the Pegasus malware was used to spy on journalists and activists:

1. December, 2020, Citizen Lab published a report detailing how government had used the Pegasus software to spy on or hack the phones of 36 Al Jazeera journalists.
2. In 2018, after the killing of Saudi Journalist and critique Jamal Khashoggi, Omar Abdulaziz, another dissident approached the court in Israel by way of filing a lawsuit, claiming that the NSO Group had licensed Pegasus to the Saudi government, which the government used to spy on him.
3. In Oct, 2019, WhatsApp filed a case suing NSO, claiming that the software operated by the firm had been used to attack its users. WhatsApp has requested the Department of Justice in the United States to launch an investigation.
4. In July, 2017, Carmen Aristegui who is a Mexican journalist and the founder of the online news outlet Airstegui Noticias, learned that she had been a target of Pegasus.

 

Position taken by the Indian Government on Pegasus

On different occasions, the Indian Government has been questioned on the Pegasus issue. Following is a list of responses which we have received from the government:

1. On 19.07.2021, when the Pegasus issue was raised in Parliament, Mr. Ashwini Vaishnav, the Minister for Communications, Electronics & Information Technology and Railways, dismissed reports about the use of Pegasus for spying on journalists, activists and opposition leaders. He said without a technical analysis, it was not possible to say whether or not there had been an attempted hack. He further gave the following statement on the floor of the Parliament:

“In India there is a well-established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States,” the government added. “The requests for these lawful interceptions of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act ,1885 and section 69 of the Information Technology (Amendment) Act, 2000.“

 

2. On 17.07.2021, in response to the questionnaire which was sent to the MeitY by the consortium of journalists, the ministry said that the questions had already been answered. “Considering the fact that answers to the queries posed have already been in the public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organisations involved“.

 

3. On 11.12.2019, In response to Unstarred Question No. 3686 which was asked in the Lok Sabha by Shri Anumula Revanth Reddy, the Hon’ble Minister for Electronics & Information Technology gave the following response:

“Government  had  been  informed  by  WhatsApp  of  a  vulnerability  affecting  some  WhatsApp  mobile  users’  devices  through  a  spyware  namely  Pegasus.  According to  WhatsApp, this spyware was developed by  an  Israel based company NSO Group and that it  had  developed  and  used  Pegasus  spyware  to  attempt  to  reach  mobile  phones  of  a  possible  number  of  1400  users  globally  that  includes  121  users  from  India.  Some  statements  have  appeared  based  on  reports  in  media,  regarding  breach  of  privacy  of  Indian  citizens  on  WhatsApp.  These  attempts  to  malign  the  Government  of  India  for  the  reported  breach  are  completely  misleading.    The  Government  is  committed  to  protect  the  fundamental  rights  of  citizens, including the right to privacy. The Government operates strictly as per provisions of  law and laid down protocols. There are adequate safeguards to ensure that no innocent citizen  is harassed or his privacy breached“

 

4. On 28.11.2019, Shri Ravi Shankar Prasad, the then Minister for Electronics and Information Technology and Communications while being questioned on the Pegasus issue on the floor of the Rajya Sabha, gave an evasive response. When asked whether the Government of India had sought the services of Pegasus malware, the Minister said: “no unauthorized interception has been done, to the best of my knowledge”. When asked whether there had been any transaction between the Indian Government and the NSO, the minister said: ” I have very specifically stated that the security agencies responsible follow a particular procedure. If there is any violation of particular procedure, we take action, tough action and also impose penalty“. Despite repeated questions on the issue, the minister failed to give a clear answer, affirming or denying the existence of a transaction or a deal between the Indian government and NSO.[2]

 

5. On 20.11.2019, in response to a question asked in the Lok Sabha by Shri Asaduddin Owaisi on the Pegasus attack and the alleged use and purchase of the Pegasus spyware by Government agencies, the Minister of Electronics and Information Technology Shri Ravi Shankar Prasad gave the following response:

“Some  statements  have  appeared,  based  on  reports  in  media,  regarding  this.  These  attempts to malign the Government of India for the reported breach are completely  misleading.    The  Government  is  committed  to  protect  the  fundamental  rights  of  citizens,  including the right to privacy. The Government operates strictly as per provisions of law and  laid down protocols. There are adequate provisions in the Information Technology (IT) Act,  2000 to deal with hacking, spyware etc.”

 

Conclusion

For years, the spyware/surveillance software industry has operated discreetly, occasionally being exposed for their wrongs committed against human rights activists, journalists and researchers. The surveillance industry has claimed that it is trying to help governments fight crime and terrorism but the products developed by these companies are often used by state agencies and security establishments for curbing dissent and for attacking journalists and human rights activists. The scale of misuse and human rights violations across the world which have been facilitated by Pegasus is quite staggering. Governments around the world must rise to the occasion to address this problem and they must collaborate and restrict the sale of surveillance tools and technologies.

It is disheartening to see that the same issue has surfaced yet again in India and begs the same questions which have remained unanswered and unaddressed by the Indian Government. The NSO group has maintained and officially declared that the surveillance software or spyware it sells are only sold to law enforcement or intelligence agencies and it does not sell them to private players. If that is the case, the Central Government through the ministry of home affairs and/or the Ministry of electronics and information technology, must come clean and issue a statement clarifying its relationship with NSO and whether or not it had used Pegasus on Indian citizens.

As citizens who are open to these vulnerabilities without adequate accountability from the government, we need to start pushing for a surveillance reform and the need for a judicial oversight in our surveillance framework. As of now everything is done by the Executive, including the review or the interception Orders. There is a critical need for judicial oversight of all interception Orders like there is in the United Kingdom. The surveillance orders must be reviewed and approved by a judge before it can be enforced.