On November 3, Indian National Congress claimed that Priyanka Gandhi had also been informed by WhatsApp via a message that her phone had been infected with Pegasus malware using the WhatsApp vulnerability that was revealed in May 2019. This is in addition to similar claims made by Praful Patel (National Congress Party) and Santosh Bhartiya (Janata Dal). However, a source familiar with the developments in identifying victims of Pegasus targeted through the WhatsApp vulnerability told MediaNama that there are no politicians on the list.

This does not mean that Priyanka Gandhi was not infected with Pegasus. This simply means that her device was not infected using the WhatsApp vulnerability. The WhatsApp vulnerability basically allowed an attacker to plant Pegasus in the target’s phone through a missed WhatsApp voice/video call. If there was an attempt to snoop on her using Pegasus, it happened via other means, which include but are not limited to: malicious links sent via messages or emails, malicious email attachments, or malicious files sent via instant messaging platforms. As a result, WhatsApp or Citizen Lab would not have contacted her. MediaNama has reached out to Citizen Lab for more clarification.

What did WhatsApp say? “WhatsApp cares deeply about the privacy and security of our users. We have already contacted the users directly we have reason to believe were targeted. Users can contact us within the app and we will respond directly,” a WhatsApp spokesperson told MediaNama.

Was Mamata Banerjee also attacked? NDTV reported that West Bengal Chief Minister Mamata Banerjee had made a similar claim. But, as per an India Today report, Banerjee had said that her phones were being tapped by the Modi government. That’s different from infecting her phone with Pegasus using the WhatsApp vulnerability.

How many people have been infected with Pegasus using the WhatsApp vulnerability? On October 29, WhatsApp sued the Israeli spyware company NSO Group for exploiting a since-fixed vulnerability to target 1,400 people, about 100 of whom were human rights defenders, journalists, political dissenters, and lawyers in at least 20 countries. About two dozen of these are activists and journalists from India. WhatsApp had informed the Ministry of Electronics and IT (MeitY) in early September 2019 that 121 Indians had been affected by this, the Indian Express reported.

Congress claims govt bought software to target politicians

Randeep Singh Surjewala, a member of the INC, disclosed all this at a press conference. He drew attention to the Indian Computer Emergency Response Team’s (CERT-In) vulnerability report dated May 17, 2019 that listed the WhatsApp vulnerability, and proved that the Indian government was informed of this vulnerability, despite its claims to the contrary now. This page has since been removed. (Read more about the vulnerability report here.) He also said that as per the NSO Group, its products are only licensed to government and law enforcement agencies, thereby concluding that “Government of India and its agencies bought the spyware”.

At the same press conference, he cited Citizen Lab’s report titled Hide and Seek. In his statement, Surjewala claims that the Citizen Lab report states that “Pegasus software was used to target politicians in India”. However, a proper reading of the report reveals the following things:

  1. Operators are not country-specific: Citizen Lab identified 36 operators across 45 countries. That means 36 people/groups were using Pegasus across 45 countries. Each operator used a bunch of IP addresses that Citizen Lab identified.
  2. GANGES name given by Citizen Lab, not NSO Group: The Pegasus operator name “GANGES” is a nickname given by Citizen Lab to one of the 36 distinct operators. “We give each operator an Operator Name drawn from national symbols or geographic features of the country or region that appears to be targeted.” The operator for Singapore was thus nicknamed “MERLION”. NSO Group did not call their operations in India, “GANGES”. That would be a bit too on the nose for a spyware agency, wouldn’t it?
    • While suspected infections of GANGES include Airtel, MTNL, Hathway and Star Broadband Services in India, they also include the Pakistan Telecom Company Limited, the Bangladesh Telecommunications Company Limited, the Telemar Norte Leste SA (Brazil) and Starhub Internet Exchange (Singapore).
  3. Same operator targeted Pakistan too: The operator, nicknamed “GANGES” (look at point 1), carried out suspected infections in India, Pakistan, Bangladesh, Brazil and Hong Kong. This means, the same person/group of people (operator) potentially targeted all these countries.
  4. Operator had been active since June 2017: GANGES was active from June 2017 until at least September 2018, when Citizen Lab published its report. The snooping, if okayed by the Indian government, wasn’t done just in the run-up to the 2019 general elections, as Congress has claimed. MediaNama has reached out to Citizen Lab to clarify if GANGES was active after that.
  5. Not clear if politicians in India were targeted: The Citizen Lab report does NOT say Pegasus was used to target politicians in India. It says that GANGES “used a politically themed domain signpetition[.]co”. This might “suggest politically motivated targeting”. Politically motivated targeting is not restricted to just politicians, and in the worst scenarios, may not include politicians at all. This domain name is part of the malicious link URL that would be used to attract a Pegasus target. Who would be attracted by a URL bearing the name “signpetition”? For instance, the operator FALCON, which was active in the UAE from October 2016 until at least September 2018, used “nomorewarnow[.]com”.
  6. Cross border surveillance also carried out: Of the 36 operators Citizen Lab identified, at least 10 engaged in cross-border surveillance. So it wasn’t necessarily Country A snooping on its own citizens, but potentially on citizens of Country B.

MediaNama has reached out to Surjewala and other members of the Congress party for comment.