Spyware created by an Israeli surveillance company linked to the murder of journalist Jamal Khashoggi and used to target senior government officials in US-allied countries was also used to spy on more than two dozen prominent human rights activists, journalists, politicians, academics, and judges in India, WhatsApp revealed on Thursday.
The revelation has rocked the country — WhatsApp’s largest market with over 400 million users — and sparked fears that India’s right-wing nationalist government led by the Bharatiya Janata Party (BJP) has surveilled dissidents, even though it’s not clear who, or even which national government, ordered the snooping through the software tool, known as Pegasus.
India’s Home Ministry, the federal government department responsible for the country’s security, has denied being behind the hack, describing the reports as an attempt to “malign the government of India.”
Pegasus exploited a flaw in WhatsApp, the Facebook-owned instant messaging app, to insert malicious code on a target’s device by making a video call through WhatsApp, the company said. WhatsApp, which has more than 1.5 billion users around the world, fixed the flaw in May, and immediately started working with a University of Toronto–based internet watchdog called Citizen Lab, which began contacting people affected over the past several weeks.
WhatsApp sued the NSO Group, the Israeli company which created Pegasus in a San Francisco federal court earlier this week, saying that the tool was used to target at least 100 human rights activists, journalists, and members of the civil society across the world. On Thursday, WhatsApp disclosed for the first time that people in India were affected, telling the Indian Express newspaper that “not an insignificant number” of Indians were among those targeted.
A WhatsApp spokesperson provided the following statement to BuzzFeed News: "In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users and asked U.S. courts to hold the international spyware firm known as the NSO Group accountable. We agree with the government of India that it'.s critical together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide.”
Among the dozens of people in India who were reportedly targeted were lawyers helping minority groups, environmental and civil rights activists, political science professors, and journalists covering security and defense. Some said WhatsApp had contacted them in recent months to inform them they had been targeted.
Once installed, Pegasus could be used to send back messages, photos, location data, calendars, and more, to whoever had deployed the tool. It also let an attacker turn on a phone's microphone and camera remotely.
Despite the revelation, which national government was behind the hack remained unclear, although some of those who had been targeted reported being told the Indian government was behind the surveillance.
According to Citizen Lab, the NSO Group has a multi-year history of letting government clients around the world from countries like Saudi Arabia, Mexico, the United Arab Emirates, and others, abuse its technology against political dissidents, lawyers, journalists, and human rights defenders.
An NSO Group spokesperson said that the company could not disclose whether India’s government or intelligence agencies had used its technologies. “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” the spokesperson said in an email to BuzzFeed News. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.”
Court documents submitted by Facebook show that Pegasus can only be sold by approval of Israel’s Ministry of Defense, and requires significant local infrastructure and technical support before it can be deployed. “This kind of [spyware] can only be used by governments,” Prashant Bhushan, an Indian Supreme Court lawyer, told HuffPost India, fueling fears about the Indian government’s involvement.
Bela Bhatia, a human rights activist based in the Indian state of Chhattisgarh, told BuzzFeed News that a researcher from Citizen Lab called her in September to say that she had been targeted, and suggested the Indian government might be involved. Bhatia said that she told the researcher that she was “not surprised.” Bhatia also said that the researcher had messaged her on Thursday evening to say that although there was circumstantial evidence, Citizen Lab did not have any technical evidence of the Indian government’s involvement.
Citizen Lab researcher John Scott-Railton declined to tell BuzzFeed News what he had told Bhatia and the other people who were targeted, citing confidentiality. But he did say that the Citizen Lab had identified “over 100 cases that look like abuse and hacking.” These cases, Scott-Railton said, include journalists, human rights defenders, people who oppose politicians, and religious figures of multiple faiths in 20 countries and four continents.
On Thursday evening, India’s Information and Technology Ministry said that it was “committed to protecting the privacy of all Indian citizens,” and that it had sought a detailed response from WhatsApp on the issue. WhatsApp has until Nov. 4 to respond.
"We agree with the government of India’s strong statement about the need to safeguard the privacy of all Indian citizens,” said a WhatsApp spokesperson. “That is why we’ve taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide."
This story was updated with a statement from WhatsApp.