Timing of 2019 WhatsApp-NSO Hack in India Validates Leaked Database Accessed by Pegasus Project


Sukanya Shantha, Kabir Agarwal and Anuj Srivas

Links between the two offer corroboration for the latter, while providing further insight into the spyware net.

New Delhi: A closer analysis of the records of probable spyware targets reported recently by The Wire as part of the Pegasus Project and the 2019 use of WhatsApp to hack Indian phones – an attack the Narendra Modi government acknowledged in Parliament that year – provides key corroboration of the leaked data’s robustness.

Not only do all of the two dozen Indians, who publicly acknowledged being notified in 2019 about being a Pegasus target, figure in the records accessed by The Wire and its international media partners, but the leaked database records also indicate their phone numbers were selected during the 12-day window in March-April 2019 when WhatsApp says Pegasus spyware used vulnerabilities in the messaging app to target users.

A comparative analysis of these two sources of data – the list of 2019 targets and Pegasus Project data – also leads to new revelations. For example, using the Pegasus Project data, The Wire has also been able to identify at least one previously unknown target of the 2019 attack, an individual who chose not to go public two years ago.

WhatsApp lawsuit

In November 2019, over 100 Indians received messages that their phones had been subjected to an attempted hack. Of them, 23 individuals chose to come out and publicly state they had received a warning, providing the media with various forms of documentary proof in the process.

The warnings they received came from either WhatsApp or the Toronto-based Citizen Lab, an Internet cybersecurity watchdog organisation that worked with the Silicon Valley company to identify potential victims. In many cases, people received messages from both parties.

The range of people whom the Facebook-run firm said may have been targeted by the NSO Group’s Pegasus spyware was broad, but one thing many of them had in common – in the words of WhatsApp CEO Will Cathcart – was that they were individuals who had “no business being under surveillance in any way, shape, or form”.

When WhatsApp filed its 2019 lawsuit in a California court against the NSO Group, the claims put forth represented the second cache of evidence which indicated that Pegasus attacks had been identified within the India region and on the phones of Indian citizens (the first being Citizen Lab’s original analysis of a South Asia-focused Pegasus operator it dubbed ‘Ganges’).

While WhatsApp’s warnings sparked only short-lived political controversy in India at the time, they assume new relevance in light of the latest media revelations surrounding the usage of Pegasus spyware within the country.

Link number 1

For instance, The Wire can now confirm that the phone numbers of all 23 Indian victims who went public in 2019 also appear on the leaked list of thousands of numbers that the Pegasus Project, a consortium of 17 media organisations, recently investigated.

The list of numbers investigated by the Pegasus Project is believed to have been selected as people of interest by clients of the NSO Group, which sells surveillance software only to “vetted” government agencies around the world.

The 23 individuals who acknowledged that they received a warning in 2019 include activists, lawyers, academics and journalists.

The full list of these individuals is as follows:


There are several takeaways from this compilation. Firstly, all of them have at least one phone number in the Pegasus Project database – but multiple people have two numbers, including Shalini Gera, Anand Teltumbde and Bela Bhatia.

Secondly, all of the known 2019 targets have Android smartphones, a pattern that the Pegasus Project believes was common to the WhatsApp hack worldwide.

Link number 2

As The Wire has previously explained, the Pegasus Project data contains the time and date (or ‘time-stamp’) that numbers were selected, or entered onto a system.

In its lawsuit filed before the Northern District Court of California, WhatsApp claimed that the NSO Group and its customers caused malicious code to be transmitted over WhatsApp servers “between approximately April 29, 2019, and May 10, 2019”, in an effort to infect approximately 1,400 target devices.

The Wire’s analysis of the leaked data shows that the phone numbers of all 23 people named above were accompanied by at least one associated record that falls in the two-week period in which WhatsApp says its users were subjected to an attack.

Why is this important? Forensic analysis conducted by Amnesty International’s Security Lab for the Pegasus Project concluded that there were some sequential correlations between a time-stamp present in the leaked data and evidence of infection detected on a victim’s phone.

That is, put simply, evidence of a Pegasus infection was detected shortly after a corresponding time-stamp present in the data.

The fact that all 24 Indian targets notified by WhatsApp in 2019 have at least one time-stamp that fits into the time-period that WhatsApp believes the attacks were launched using the NSO Group’s spyware is, therefore, a neat two-pronged piece of evidence that reinforces the credibility of both the Pegasus Project and WhatsApp/Facebook’s lawsuit.

Database helps identify more WhatsApp victims

While only 23 individuals came out publicly in 2019, WhatsApp informed the Indian government that it has evidence to believe that up to 121 people were targeted.

In the last few weeks, The Wire has learned of the existence of at least nine more victims notified by WhatsApp in 2019, four of whose numbers are present in the Pegasus Project’s leaked data. None of these targets chose to come out in 2019 and there is no mention of them in the public domain.

One of these new cases was discovered as a result of The Wire merely contacting numbers on the leaked Pegasus Project database which were selected in early 2019. This individual, who declined to be identified, works with a Chinese media outlet but is based out of India. The person confirmed that they had been contacted by Citizen Lab in late 2019.

This list of people includes:


Of these, as the table above notes, the numbers of Chahal, Gidwani, Pant, Ranjan and the unidentified Indian journalist are present in the database. All of these individuals also have at least one accompanying ‘time-stamp’ that corresponds to the two-week period in early 2019 that is mentioned in WhatsApp’s lawsuit against the NSO Group.

Courtesy The Wire
