New Delhi: Amnesty International’s Security Lab says it has detected evidence that Pegasus spyware was used by an unknown government agency to compromise the mobile phones of two journalists in India, Siddharth Varadarajan of The Wire and Anand Mangnale of the Oraganised Crime and Corruption Reporting Project.

Amnesty released its findings on December 28 as part of its partnership on a wider investigation by the Washington Post.

“On Aug. 23, the OCCRP emailed Adani seeking comment for a story it would publish a week later alleging that his brother was part of a group that had secretly traded hundreds of millions of dollars worth of the Adani Group conglomerate’s public stock, possibly in violation of Indian securities law. A forensic analysis of Mangnale’s phone, conducted by Amnesty International and shared with The Washington Post, found that within 24 hours of that inquiry, an attacker infiltrated the device and planted Pegasus, the notorious spyware that was developed by Israeli company NSO Group and that NSO says is sold only to governments.”

Amnesty said its Security Lab “first observed indications of renewed Pegasus spyware threats towards individuals in India during a regular technical monitoring exercise in June 2023, a number of months after media reported that the Indian government was seeking to procure a new commercial spyware system.”

When Amnesty International’s Security Lab undertook a forensic analysis on the phones of Varadarajan and Mangnale, the press release said, it “found traces of Pegasus spyware activity on devices owned by both Indian journalists”:

“The Security Lab recovered evidence from Anand Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware. The phone was running iOS 16.6, the latest version available at the time.

“A zero-click exploit refers to malicious software that enables spyware to be installed on a device without requiring any user action from the target, such as clicking on a link.

“Anand Mangnale’s phone was vulnerable to this zero-click exploit at the time of the attack. It is currently unclear if the exploit attempt resulted in a successful compromise of his device.”

As for Varadarajan’s phone, Amnesty’s forensic report notes:

“The Security Lab reviewed forensic records from Siddharth Varadarajan’s iPhone 11 and identified traces which confirms that his phone was also target with NSO Group’s Pegasus spyware in October 2023.

The Washington Post reported that iVerify, a New York security firm it engaged to test the phones of some of the Indian politicians on the list of those who received a spyware alert from Apple, found tell-tale footprints of targetting:

“IVerify examined Moitra’s phone backup and confirmed that she had received an Apple warning. It also saw urgent crash reports that, together with other digital records, suggested the device had been hacked. The company also found a threat notification and suspicious activity on the phone of Praveen Chakravarty, head of the opposition Indian National Congress party’s data analytics department.”

This renewed evidence of Pegasus being used against journalists in India comes more than a year after the Supreme Court noted that the technical committee it had appointed to probe allegations of illegal surveillance found evidence of “malware’ in as many as five mobile phones which it tested. The then chief justice of India, N.V. Ramana, had also said that that Narendra Modi government had refused to cooperate with the committee – despite being asked by the court to do so.

Pressure on Apple

The Washington Post story also documents the Modi government’s attempts to control the narrative soon after Apple’s October notiications were issued, which included putting pressure on the company’s executives in India to themselves downplay the significance of the warning they had just issued to iPhone users.