News website The Wire’s founding editor Siddharth Varadarajan and South Asia Editor of the Organised Crime and Corruption Reporting Project Anand Mangnale were among journalists recently targeted using the Pegasus spyware, an investigation by human rights organisation Amnesty International and The Washington Post alleged.

The Pegasus spyware is licensed to governments around the world by the Israeli cyber intelligence company NSO Group. The company insists that it sells its software only to “vetted governments” with good human rights records and that it is intended to target criminals.

However, in July 2021, a consortium of international media organisations had reported that Pegasus was being used by governments around the world to snoop on critics.

The exposés had shown that the military-grade spyware had been used for unauthorised surveillance of Opposition leaders, activists and journalists, including Congress MP Rahul Gandhi, Vardarajan and another founding editor of The Wire, MK Venu. In India, The Wire had reported that 161 Indians were spied on using Pegasus. The Indian government had denied the allegations.

On Thursday, Amnesty International claimed that it first observed indications of the renewed use of Pegasus on individuals in India during a regular technical monitoring exercise in June 2023.

This was after the Financial Times reported in March, quoting unidentified persons, that the Indian government was looking for spyware that has a “lower profile” than Pegasus. It reported that the Centre was willing to spend up to $120 million to obtain such spyware. The defence ministry had declined to comment on the report, the newspaper said.

On Thursday, Amnesty International said that its latest findings have shown that journalists in India are facing the threat of unlawful surveillance merely for doing their jobs. It alleged that Varadarajan was targeted with Pegasus again on October 16, but there were no indications that the latest attack was successful.

“Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, said.

He added: “Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations.”

The findings come after in October, American technology company Apple had issued a security alert to several Opposition MPs and journalists saying that “if your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone”.

In a subsequent clarification, the company said that it does not attribute the threat notifications to any specific state-sponsored attacker. An Apple spokesperson said the company is not specifically saying that the Indian government was responsible for these attacks, but added that it does not rule out the possibility.

A forensic analysis on the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale, found traces of Pegasus spyware activity on their devices, Amnesty International’s Security Lab said.

The lab also said that it found evidence from Mangnale’s device of a zero-click exploit that was sent to his phone on iMessage on August 23 that was designed to covertly install the Pegasus spyware. A zero-click exploit is a malicious software that allows spyware to be installed on a device without requiring any action from the user, such as clicking on a link.

Mangnale’s phone was vulnerable to the zero-click exploit at the time of the spyware attack but it is not clear if it resulted in a successful compromise of his device, Amnesty International said.

The organisation also said that Varadarajan was targeted again using the same email address that was employed against Mangnale “confirming that both journalists were targeted by the same Pegasus customer”.

The organisation added that “there are no indications that the Pegasus attack was successful in this case”.

The human rights organisation also called for the immediate release of the findings of the Indian Supreme Court’s Technical Committee Report on Pegasus use in India.

Following the allegations of the Pegasus attack in 2021, the Supreme Court had appointed an expert committee to look into the allegations. In August 2022, the court said that some malware was found on five of the 29 phones that the panel examined. However, the panel said that it was not clear whether the malware was Pegasus.

The judges also took note of a finding by the panel that the Centre did not cooperate with the inquiry.

Amnesty International said that the Indian government should conduct an immediate, independent, transparent and impartial investigation into all cases of targeted surveillance, including the latest revelations.

On the latest findings, the NSO group told The Washington Post that while it cannot comment on its customers, it maintains that all of them are “vetted law enforcement and intelligence agencies”.

“The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes,” NSO said. “The company has no visibility to the targets, nor to the collected intelligence.”