Growing evidence that the Indian State bought Pegasus spyware, the technical committee told
While the Govt of India has neither confirmed nor denied that it bought the spyware, in his deposition a cyber security expert has claimed there are definite traces of use by govt agencies
There is evidence that a) malware was planted in the devices of two Indian journalists, b) the malware was the Pegasus spyware sold by the Israeli company NSO, and c) the Indian State had indeed bought the spyware.
These claims were made in a deposition before the technical committee appointed by the Supreme Court to inquire into the use of the Pegasus spyware by the Indian Government. Cyber security expert Anand V. asserted that forensic examination of the data recovered from the devices of two Indian journalists, Siddharth Varadarajan and Sushant Singh, had revealed traces of Pegasus.
Three versions of Pegasus have been sold by NSO since 2015, he told the committee, each more sophisticated than the previous one. Malware, he explained, had a ‘command and control’ mechanism, which could be automatic or operated manually. Once devices are compromised, this mechanism allows data to flow back to the ‘command and control server’, he said.
The spyware used both IP addresses and domain names to reach its targets. Ever since the Pegasus user manual was leaked in 2016 by a competitor, enough literature has been available in the cyber security domain to allow forensic examinations. Since domain names are typically sold for a minimum period of one year, the spyware too was generally used to surveil a target for several months.
It is worth recalling that the Government of India has neither confirmed nor denied that it bought the spyware. International media reports, however, have claimed that the Indian Prime Minister had sealed the deal during his visit to Israel in 2015. The only admission made in Parliament by the Government of India is that there had been no “unauthorized surveillance” of Indian citizens. The reluctance of the Indian Government to say categorically that it had not bought the spyware gave rise to speculation, even as the Ministry of Defence categorically denied having used it.
While the current price of the spyware is not known, in 2016 NSO was apparently charging government agencies $650,000 (Rs. 4.87 crore) for the capacity to spy on 10 iPhone users, along with a $500,000 (Rs. 3.75 crore) setup fee.
The cyber security expert’s deposition revalidates the findings of Amnesty International and Citizen Lab of Canada, which had revealed traces of Pegasus on devices used by a cross-section of Indians.
In his online deposition, which was open to the public, Anand V. also seemed to suggest that, going by the traces, the spyware was also hosted by Indian service providers MTNL and private telecom companies.
The last few months have seen the United States adding the Israeli company to the list of blacklisted firms found engaged in doubtful activity. The US Federal Bureau of Investigation admitted to having paid for and obtained the spyware. And in August last year, French intelligence investigators confirmed that Pegasus spyware was found on the phones of three journalists, including a senior member of staff at the country’s international television station France 24.
Amnesty International had revealed that the spyware had been found on the devices of Rona Wilson, one of the activists accused in the Bhima Koregaon case. The other accused have also pleaded with the court to hand over their devices, which are in the custody of the National Investigation Agency (NIA), to the technical committee appointed by the Supreme Court for examination.
As many as three international lawsuits, one by Apple, have been lodged against NSO, which is also facing inquiries in Israel. Ironically, the spyware is now believed to have been used by Israeli Police on former Prime Minister Benjamin Netanyahu and his family members.
(This article was first published in National Herald on Sunday)