Pegasus Spyware: Snoop List Has 40 Indian Journalists

New Delhi: The phone numbers of over 40 Indian journalists appear on a leaked list of potential targets for surveillance, and forensic tests have confirmed that some of them were successfully snooped upon by an unidentified agency using Pegasus spyware, The Wire can confirm.

The leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu and Indian Express.

The Pegasus Project, a consortium of news organisations that analysed this list, has reason to believe that the data is indicative of potential targets identified in advance of surveillance attempts. The presence of a phone number in the data does alone not reveal whether a device was infected with Pegasus or subject to an attempted hack – technical examination of the phone’s data is needed for that.

Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack.

Of equal importance is how the results the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours. In some cases, including forensic tests conducted for two India numbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus infection is just seconds.

Pegasus is sold by the Israeli company, NSO Group, which says it only offers its spyware to “vetted governments”. The company refuses to make its list of customers public but the presence of Pegasus infections in India, and the range of persons that may have been selected for targeting, strongly indicate that the agency operating the spyware on Indian numbers is an official Indian one.

Two founding editors of The Wire are on this list, as is its diplomatic editor and two of its regular contributors, including Rohini Singh. Singh’s number appears after she filed back-to-back reports on the business affairs of home minister Amit Shah’s son, Jay Shah, and Nikhil Merchant, a businessman who is close to Prime Minister Narendra Modi, and while she was investigating the dealings of a prominent minister, Piyush Goyal, with businessman Ajay Piramal.

The number of former Indian Express journalist Sushant Singh appears on the list in mid-2018, at a time when he was working on an investigation into the controversial Rafale aircraft deal with France, besides other stories. Digital forensics conducted on Singh’s current phone showed signs of Pegasus infection earlier this year.

Leaked data, NSO disputes purpose

The France-based media non-profit, Forbidden Stories, and Amnesty International first had access to this leaked list which they shared with The Wire and 15 other news organisations worldwide as part of a lengthy collaborative investigation called the Pegasus Project.

Working together, these news organisations – which include The Guardian, The Washington Post, Le Monde and Suddeutsche Zeitung – were able to independently identify the owners of over 1,571 numbers across at least 10 countries, and forensically examine a small cross-section of phones associated with these numbers to test for the presence of Pegasus.

NSO disputes the claim that the leaked list is linked in any way to the functioning of its spyware. In a letter to The Wire and Pegasus Project partners, the company initially said it had “good reason to believe” that the leaked data was “not a list of numbers targeted by governments using Pegasus”, but instead, may be part of “a larger list of numbers that might have been used by NSO Group customers for other purposes”.

However, the forensic testing of targeted phones has confirmed the use of Pegasus spyware against some of the Indian numbers on this list and has also established that this highly intrusive form of surveillance – technically illegal under Indian law as it involves hacking – is still being used to spy on journalists and others.

Pegasus and India

Founded in 2010, the NSO Group is best known for having created Pegasus, which allows those operating it to remotely hack into smartphones and gain access to their contents and functions, including the microphone and camera. The company has always insisted Pegasus is not sold to private entities or even to any and every government. In fact, in its letter to The Wire and its media partners, NSO reiterated that it sells its spyware only to “vetted governments”.

NSO will not confirm whether the Indian government is a customer but the presence of Pegasus infections in the phones of journalists and others in India and the nature of the targets selected for a potential hack suggests that one or more official agencies here are actively using the spyware. This inference must be drawn because Pegasus can only be used by a client of NSO and NSO has only “vetted governments” as clients.

While the Narendra Modi government has not so far issued a categorical denial that Pegasus is officially being used, it has been dismissive of allegations that Pegasus might have been used to conduct illegal surveillance of targets in India.

On Saturday, the Ministry of Electronics and Information Technology reiterated this stand in a response to a questionnaire about individual targets sent by Pegasus Project partners.

Independent forensic analysis conducted by Amnesty International’s Security Lab on a small worldwide cross-section of the smartphones of the people on the leaked list threw up traces of Pegasus spyware infection in over half the cases. Among the 13 iPhones examined in India, nine showed evidence of being targeted, of which seven were successfully infected with Pegasus. Among nine Androids tested, one showed evidence of targeting while 8 were inconclusive, mainly because Android logs do not provide the kind of detail Amnesty’s team needs to confirm the presence of Pegasus.

Specific digital forensics conducted by AI ‘s Security Lab found traces of Pegasus spyware on the mobile phones of six Indian journalists who agreed to have their phones examined after discovering their number was in the leaked data.

The list of journalists to emerge from the Pegasus Project’s reporting cannot be considered exhaustive list or even a representative sample of reporters subject to official snooping as it is limited to an analysis of one leaked dataset over a narrow time period and covering only one potential vector of surveillance, i.e. Pegasus.

Delhi journalists dominate list of persons of interest

A good chunk of the journalists who appear in the records are based out of the national capital and work with prominent organisations.

For instance, the leaked data shows that at least four current employees and one former employee of the Hindustan Times group were of potential interest to the Indian Pegasus client – executive editor Shishir Gupta, editorial page editor and former bureau chief Prashant Jha, defence correspondent Rahul Singh, a former political reporter who covered the Congress Aurangazeb Naqshbandi, and a reporter in HT’s sister paper, Mint.

Other prominent media houses also had at least one journalist whose phone number appears in the leaked records. This includes Ritika Chopra (who covers education and the Election Commission) and Muzamil Jaleel (who writes on Kashmir) of the Indian Express, Sandeep Unnithan (who covers defence and the Indian military) of India Today, Manoj Gupta (editor investigations and security affairs) at TV18, and Vijaita Singh, who covers the home ministry for The Hindu and whose phone contained traces of an attempted Pegasus infection.

The Pegasus Project is withholding the names of some of those targeted because they have either moved on to other jobs or have other other reasons not to be identified.

At The Wire, those targeted were founder-editors Siddharth Varadarajan and M.K. Venu, for whom specific forensic analysis showed evidence of their phones being infected by Pegasus. The number of Devirupa Mitra, The Wire’s diplomatic editor, also appears in the records.

Apart from Rohini Singh, the phone number of another regular contributor to The Wire – senior columnist Prem Shankar Jha, who writes mainly on political and security matters – also appears in the records, as does freelance journalist Swati Chaturvedi, who was also writing for The Wire at the time she was selected.

“Given the abandon with which this government is abusing the Indian constitution to incarcerate its staunchest defenders, I am torn between considering this a threat and a compliment,” Jha said, when informed about his selection as a target for surveillance.

“My job is to continue [doing] stories… News doesn’t stop, stories should be told as they are, without suppressing the facts or with any embellishment,” The Hindu’s Vijaita Singh told The Wire, adding that it would not be “appropriate to hazard a guess” on why anyone would view her as a potential target for surveillance.

“Whatever information we gather is in the newspaper the following day.”

“Unfortunately,” said Rohini Singh, “surveillance is seen as something that a powerful government would do… It’s not even criticised as much by many journalists in mainstream media and I think that’s the unfortunate part.”

“My investigative book on the BJP’s secret digital army exposed the Modi government attacking citizens in a democracy… I take Modi’s illegal surveillance as a compliment to the investigative journalism I do,” said Chaturvedi.

“I did not know about this,” Jaleel told The Wire. “But if you have it from reliable sources, it is a matter of serious concern.”

Another journalist that finds mention on the list is J. Gopikrishnan, an investigative reporter with The Pioneer, credited with having broken the 2G telecom scam. “Being a journalist, I contact many people and [there are] many [who] want to know who all I contact,” he told The Wire.

Several senior journalists who have left mainstream organisations also appear in the leaked data as individuals who were selected.

This includes: former national security reporter Saikat Datta, former Economics and Political Weekly editor Paranjoy Guha Thakurta, who now writes regularly for, former TV18 anchor and diplomatic reporter at The Tribune Smita Sharma, former Outlook journalist S.N.M. Abdi and former DNA reporter Iftikhar Gilani.

The Wire’s analysis of the data shows that most of the above mentioned names were targeted between 2018 and 2019 – in the run-up to the 2019 Lok Sabha general elections.

While some journalists appear to have been added to the list at more or less the same time, suggesting official interest in the group, others figure as standalone entries, perhaps for the stories they were working on at the time. And these stories are not always the obvious ones.

One young television reporter, who requested that her name be withheld as she has left the profession to pursue a career in another field, told The Wire that the only story she can remember doing during the period the data suggests she might have been targeted for surveillance was on the CBSE paper leak.

Prior Pegasus targets?

In 2019, WhatsApp, along with Canada-based Citizen Lab, alerted dozens of Indians who had been affected by a Pegasus attack that exploited a hole in the messaging app firm’s security.

Two journalists whose phone numbers appear in the leaked records obtained by the Pegasus Project, are among those who received messages from WhatsApp in 2019 that their phones were compromised.

Of that group, records show that former Lok Sabha MP and veteran journalist Santosh Bharatiya was also marked on the list in early 2019. The former parliamentarian, who early in his career worked as a journalist, publicly stated that he too had received a message from WhatsApp.

Far away from Delhi

The leaked data also throws up the numbers of journalists who work far away from Lutyens’ Delhi and the national glare. This includes north-east-based editor in chief of Frontier TV Manoranjana Gupta, Bihar-based Sanjay Shyam and Jaspal Singh Heran.

Heran is editor-in-chief of the Ludhiana-based Punjabi daily Rozana Pehredar. The newspaper has reporters in every district of Punjab, is read widely and has a sizeable impact on the narrative in the state. The octogenarian told the Pegasus Project that due to his newspapers’ critical reportage, he has had run-ins with all governments over the years and has been at the receiving end of several legal notices.

He believes that any and all surveillance of journalists is “shameful”. “They don’t like it if we are critical of the direction in which this country is heading under their leadership. They try to silence us,” Heran said.

1,500 kilometres south east of Ludhiana we find another journalist not immediately prominent but of immense interest to the Indian client of NSO group. Roopesh Kumar Singh is an independent journalist based in Jharkhand’s Ramgarh and three phone numbers belonging to him are part of the leaked data.

Singh was not surprised to learn that he was marked as a potential snooping target. “I have always known that I am being watched, especially after a 2017 story about the killing of an innocent Adivasi by the Jharkhand police,” Singh told us. The story Singh mentioned was published by The Wire Hindi on June 15, 2017 and raised questions about the killing of an individual whom the police claimed was associated with a banned Maoist group.

Singh’s phone appears in the leaked records just a few months after the story, according to Pegasus Project data.

In June 2019, Singh was arrested by the Bihar police and booked for possession of explosives under the stringent Unlawful Activities (Prevention) Act (UAPA). He was released six months later on bail as the police failed to file a charge sheet within the stipulated time. “The police planted the explosives. It was an attempt to intimidate me because of my reporting,” Singh said.

What do forensic analyses show?

Amnesty International’s Security Lab was able to conduct digital forensics on the phones of seven journalists. The organisation’s results were tested for robustness through a blind test carried out by experts at Citizen Lab, a University of Toronto-based institute whose research partially laid the groundwork for WhatsApp’s landmark lawsuit against the NSO Group in 2019.

The security lab’s overarching methodology was peer-reviewed and endorsed by Citizen Lab.

The phones of former Indian Express journalist Sushant Singh, former TV18 anchor Smita Sharma, former EPW editor Paranjoy Guha Thakurta, former Outlookjournalist S.N.M. Abdi, The Hindu’s Vijaita Singh and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu were analysed.

Out of these, Amnesty found evidence that the phones of Sushant Singh, Thakurta, Abdi, Varadarajan and Venu were compromised with Pegasus spyware.

For Smita Sharma, the analysis found evidence of a hacking attempt through a vulnerability in Apple’s iMessage system, but nothing to indicate that her phone was successfully infected.

Vijaita Singh’s Android phone also showed evidence of an attempted hack, but no evidence of a successful compromise was detected.

While the results do not indicate what the attacker did using Pegasus, it comes to a few key conclusions for the following people:

1) S.N.M. Abdi: Phone compromised by Pegasus during the months of April 2019, May 2019, July 2019, October 2019 and December 2019. Amnesty was not able to verify the attack vector (I.e., the method through which the spyware used to infect the phone).

2) Sushant SinghPhone compromised by Pegasus from March 2021 to July 2021, through what Amnesty International calls a zero-click exploit in the iMessage service. The attack is referred to as ‘zero-click’, because it does not require the victims to take any action (such as clicking on a malicious link in a SMS or e-mail) for the infection to occur.

3) Paranjoy Guha ThakurtaPhone compromised by Pegasus during parts of April 2018, May 2018, June 2018 and July 2018. Amnesty was not able to identify the attack vector that the spyware used to infiltrate the phone.

4) M.K. VenuAnalysts at Amnesty found that the phone was infected with Pegasus as recently as June 2021, through what they called a zero-click iMessage exploit.

5) Siddharth VaradarajanPhone compromised by Pegasus during parts of April 2018. Digital forensics could not determine the manner in which the spyware infected the phone (I.e., the attack vector).

Digital forensic analysis was also conducted for the iPhone of a senior editor at a mainstream Indian newspaper, but no traces of Pegasus were found — primarily because it was not the same device being used by the journalist when her number showed up on the list.

Forbidden Stories and The Wire also reached out to a number of other journalists, both at mainstream publications and otherwise, to ask whether they would be open to participating in a forensic analysis. They refused, citing a number of reasons including a lack of support from their management or their inability to trust the underlying process.

Source: The Wire

(Additional reporting by Pawanjot Kaur, Ajoy Ashirwad Mahaprashasta and Devirupa Mitra)

Read The Wire’s coverage as part of the Pegasus Project here.

Leave a Reply