OCCRP reports equipment described as utilised for Pegasus matches Israeli gear bought by IB

New Delhi: The Organized Crime and Corruption Reporting Project (OCCRP) has reportedly recently found that a hardware shipment made to India's Intelligence Bureau (IB) matched the specifications in a Pegasus spyware brochure, in contrast to the Union government's assertion from the previous year that the claims of illegal surveillance in the nation were "sensationalist and lacked substance". According to a report issued by the OCCRP on Thursday, October 20, import records reveal that the nation's primary domestic intelligence organisation had "bought hardware from the Israeli spyware firm NSO Group", which "matched the description of equipment used elsewhere to deploy the company's flagship Pegasus software."

The OCCRP's findings by Sharad Vyas and Jurre van Bergen come after a New York Times article from January this year that claimed the Indian government had bought Pegasus spyware in 2017 as part of a significant arms deal with Israel. Pegasus is a military-grade malware that can covertly and undetectably install surveillance spyware on a targeted device. It has the ability to track the device, record keystrokes, intercept communications, and spy on users using the camera and microphone. Pegasus differs from conventional malware in that it can "write"—that is, it may add content to the target's device in addition to spying on them.

According to the Pegasus Project, a worldwide coalition of media organisations that tried to identify who may have been harmed by Pegasus, Pegasus is known to have been used against journalists, activists, and political dissidents. Rahul Gandhi, the leader of the Congress party, was among the senior politicians and famous journalists whose phones were potentially compromised by spyware, according to the Pegasus Project's investigation in India.

Ashwini Vaishnaw, the Union Minister of Information Technology, refuted these reports in the Lok Sabha in July of last year, claiming they were a part of an "attempt to malign Indian democracy." The Supreme Court established a commission to look at the Pegasus spying allegations later in October 2021.

The committee established by the court later turned in its findings in August of this year, noting that although malware had been discovered on five out of the 29 machines presented, there was no concrete proof that Pegasus was to blame. The Union government's lack of cooperation with its investigation was also mentioned. With the exception of an annex recommending legislation changes pertaining to cybersecurity and privacy, the committee's report was not made public.

OCCRP Findings

The majority of the information in the OCCRP report is based on import data that it examined, which allegedly demonstrates that IB, based in New Delhi, got a shipment of hardware from NSO in Israel in April 2017 that matched the description of gear used elsewhere to operate the Pegasus programme. According to reports, the shipment was transported by air and contained equipment worth $315,000.

"The consignment included Dell computer servers, Cisco network equipment, and 'uninterruptible power supply' batteries, which provide power in case of outages, according to a bill of lading obtained through a global trade data platform that draws on national customs documents," the report says.

According to the OCCRP, the timing of the shipment and its description (it was marked as "for Defence and Military Use") matched the information provided in the January report by the New York Times which says, "Pegasus and a missile system had been centrepieces of a major 2017 arms deal between Israel and India." A week and a half before the customs records indicated the shipment occurred, Israel Aerospace Industries, the company hired to deliver missile defence systems, announced the conclusion of that arrangement on April 6 of that year, according to the study.

According to the OCCRP, it is not possible to determine with certainty if the imported hardware was utilised for Pegasus. However, it draws attention to the fact that the shipment's specs reflect those listed in a Pegasus spyware brochure, which was provided to a US court in a lawsuit brought against NSO Group in 2019 by Meta, the parent company of Facebook and WhatsApp. "The brochure — which notes that necessary hardware is supplied with the system upon deployment — outlines the need for two computer racks, network equipment, servers, network cables, and batteries to keep the servers running in case of outages. This hardware is needed to run the Pegasus platform and store data extracted from mobile phones," the OCCRP says in its report.

Additionally, the Mexican news organisation Aristegui Noticias had previously reported on a contract for Pegasus between an NSO Group client and a Mexican business. The report adds that documents from the Meta case also indicate similar hardware shipments made to Ghana, another NSO Group customer, and that the shipment's characteristics match those specified in this contract.

While the NSO Group and India's IB did not reply to their inquiries, the OCCRP report also states that "two intelligence officials — a senior officer and a contractor — also told OCCRP that Pegasus had been purchased by the government in 2017."

Ajit Doval, India's national security adviser, reportedly travelled to Israel in late February 2017, according to the report, before Indian Prime Minister Narendra Modi's historic trip to Israel in July of that same year.

'Strong and alarming evidence'

Etienne Maynier, a security analyst at Amnesty International, responded to the OCCRP findings by stating that they "provide strong and alarming evidence of surveillance transfers with Indian authorities." He requested that the Supreme Court of India "immediately and without further delay" make the committee's report on the use of spyware in the nation public. "All the victims of Pegasus spyware abuse in India deserve transparency, and the Indian authorities should come clean on their relationship with NSO."

Sitaram Yechury, the general secretary of the CPI(M), responded to the OCCRP report through Twitter. "Pegasus has been used to hack phones and snoop upon Opposition parties, Election Commissioners, members of the judiciary, lawyers and journalists. At least now the Modi government should come clean. The truth cannot be hidden for long," he wrote in a tweet.