India was among a number of countries using an Israeli company's spyware in attempted and successful hacks of smartphones belonging to journalists, government officials and human rights activists around the world. At least one number once used by Prime Minister Imran Khan was on the India list, according to an investigation by 17 media organisations published on Sunday.
The extent of the spyware – Pegasus – use was reported by The Washington Post, the Guardian, Le Monde and other news outlets who collaborated on an investigation into a data leak.
According to The Post, more than 1,000 phone numbers in India appeared on the surveillance list while hundreds were from Pakistan, including the one PM Imran once used. However, The Post did not specify whether the surveillance attempt on PM Imran's number was successful.
Indian investigative news website The Wire reported that 300 mobile phone numbers used in India — including those of government ministers, opposition politicians, journalists, scientists and rights activists — were on the list.
The numbers included those of more than 40 Indian journalists from major publications such as the Hindustan Times, The Hindu and the Indian Express, as well as two founding editors of The Wire, it said.
Reacting to the revelations, Federal Minister for Information and Broadcasting Fawad Chaudhry said he was "extremely concerned" by the reports. "Unethical policies of Modi government have dangerously polarised India and the region," he tweeted.
Federal Human Rights Minister Shireen Mazari also addressed the development and said "part two" of the report on how the Indian government had spied on its own ministers was expected today.
The Indian government denied in 2019 that it had used the malware to spy on its citizens after WhatsApp filed a lawsuit in the United States against NSO, the Israeli company producing the spyware, accusing it of using the messaging platform to conduct cyber espionage.
Israel's NSO Group and its Pegasus malware have been in the headlines since at least 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.
Sunday's revelations raise privacy and rights concerns, and reveal the far-reaching extent to which the private Israeli company's software may be being misused by its clients internationally.
The leak was of a list of more than 50,000 smartphone numbers believed to have been identified as people of interest by clients of NSO since 2016, the media outlets said.
One of the organisations, The Washington Post, said the Pegasus spyware licensed by the NSO Group was also used to target phones belonging to two women close to Jamal Khashoggi, a Post columnist murdered at a Saudi consulate in Turkey in 2018, before and after his death.
The Post said the list was shared with the news organisations by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International. The newspaper said the total number of phones on the list that were actually targeted or surveilled was unknown.
The Post said 15,000 of the numbers on the list were in Mexico and included those of politicians, union representatives, journalists and government critics.
The list reportedly included the number of a Mexican freelance journalist who was murdered at a carwash. His phone was never found, and it was not clear if it had been hacked.
The Guardian, another of the media outlets, said the investigation suggested "widespread and continuing abuse" of NSO's hacking software, described as malware that infects smartphones to enable the extraction of messages, photos and emails; record calls; and secretly activates microphones.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El Pais, the Associated Press (AP), Le Monde, Bloomberg, The Economist, Reuters and Voice of America, the Guardian said.
"We are deeply troubled to learn that two AP journalists, along with journalists from many news organisations, are among those who may have been targeted by Pegasus spyware," said Director of AP Media Relations Lauren Easton.
"We have taken steps to ensure the security of our journalists’ devices and are investigating," she added.
Reuters' spokesman Dave Moran said, "Journalists must be allowed to report the news in the public interest without fear of harassment or harm, wherever they are. We are aware of the report and are looking into the matter."
Meanwhile, Amnesty International decried what it termed "the wholesale lack of regulation" of surveillance software.
"Until this company (NSO) and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology," the rights group said in a statement.
The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
The Post said the numbers on the list were unattributed, but the media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials including heads of state, prime ministers and cabinet ministers.
The reports said many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Moroccan security services used the spyware to target around 30 French journalists and media executives, according to the investigation.
Pegasus is reportedly a highly invasive tool that can switch on a target's phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy.
In some cases, it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it “full of wrong assumptions and uncorroborated theories”, and threatened a defamation lawsuit.
“We firmly deny the false allegations made in their report,” NSO said.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.
“We would like to emphasise that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” it said.
Citizen Lab reported in December that about three dozen journalists at Qatar's Al Jazeera network had their mobile devices targeted by Pegasus malware.
Amnesty International reported in June 2020 that Moroccan authorities used NSO's Pegasus software to insert spyware onto the cellphone of Omar Radi, a journalist convicted over a social media post.
At the time, NSO told AFP that it was “deeply troubled by the allegations” and was reviewing the information.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv. It says it employs hundreds of people in Israel and around the world.