Phone numbers of Indian ministers, opposition politicians, journalists, activists and others are listed on a leaked database that reportedly reflects potential targets of illegal cyber surveillance using the Pegasus hacking software, according to the Wire.

Forensic tests revealed that at least some of those named on the list had their phones hacked by the spyware that Israeli company NSO Group says it only sells to “vetted governments”.

The leaks raise questions about cyber surveillance of Indian citizens, particularly in light of the government’s failure to deny whether it has purchased licences for the Pegasus hacking software after similar revelations in the past.

A government statement on Sunday once again failed to categorically address questions of whether any Indian agencies had used the spyware. Instead, it said that “there has been no unauthorised interception” and that “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”.

Spyware targets

The leaked list, featuring more than 50,000 phone numbers “concentrated in countries known to engage in surveillance of their citizens”, was accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International, which shared it with 17 news organisations as part of the Pegasus Project.

According to the Wire, which focused on the Indian portion of the list, “the numbers of those in the database include over 40 journalists, three major opposition figures, one constitutional authority, two serving ministers in the Narendra Modi government, current and former heads and officials of security organisations and scores of businesspersons”.

The Wire revealed the names of dozens of journalists and activists on the list, including its own founder-editors Siddharth Vardarajan and MK Venu, The Hindu’s Vijaita Singh, the Hindustan Times’ Shishir Gupta, as well as scholars and activists on the Committee for the Release of Political Prisoners and relatives, lawyers and friends of those arrested in the Bhima Koregaon case and the accused themselves.

The Wire added that more names would be revealed over the next few days. It said that the database also features a number registered in the name of a sitting Supreme Court judge, though it has yet to verify whether the judge was using it during the period of the hacking.

Forensic analysis

The list accessed by Forbidden Stories does not identify who added the numbers to it, why they did so or whether all of the potential targets were indeed hacked using Pegasus, according to the Washington Post.

But analysis by Amnesty International’s Security Lab on a limited cross-section of the database found “a tight correlation between time stamps associated with a number on the list and the initiation of surveillance” in 37 smartphones. In other words, in those cases, the phones had evidence of either being hacked or hacking attempts at almost the same time their numbers were added to this list.

These include the phones of the Wire’s Siddharth Vardarajan, journalists Paranjoy Guha Thakurta and Sushant Singh and SNM Abdi, Delhi University Professor Syed Abdul Rahman Geelani, all of which were found to be hacked by the Pegasus spyware.

In the cases of former TV18 anchor Smita Sharma and The Hindu’s Vijaita Singh, their phones showed hacking attempts that appeared to be unsuccessful, according to the Wire.

“If true, it is a violation of privacy which goes against the Supreme Court ruling,” Vijaita Singh told the Wire. “Secondly, it compromises a journalist’s ability to report on matters of grave national importance in sensitive areas, particularly which require speaking truth to power. It creates an environment of fear and intimidation for both the journalist and her sources, placing them at grave risk.”

International targets

Internationally, the list includes more than 180 journalists from reputed organisations including the Wall Street Journal, CNN, The New York Times, Al Jazeera and more, as well as hundreds of politicians and government officials, dozens of human rights activists, several Arab royal family members and the numbers of some heads of state and prime ministers.

Reporters working on the Pegasus Project have only been able to identify a portion of the 50,000 numbers that were potential targets of the cyber hacking, but that is unlikely to be an exhaustive list of those targeted by the spyware. In addition to India, the numbers identified on the list have been traced to Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

According to the Washington Post, Citizen Lab, the University of Toronto’s cyber-security group that has previously studied the use of Pegasus, has found evidence that all 10 countries have been clients of the NSO Group that developed the software. The company has asserted several times that it only licences its spyware to governments.

In a statement, the NSO Group said that the information put out by the Pegasus Project has “no factual basis”, and is based on “wrong assumptions” and “uncorroborated theories”. However, a US-based attorney whose firm has been engaged by the company wrote to the Wire saying, “NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes.