According to research carried out by the University of Toronto's Citizen Lab and Amnesty International, several human rights activists in India were targeted by a spyware campaign that lasted about ten months, from January to October 2019. The researchers confirmed that at least nine activists were targeted, and that three of them were targeted with the "Pegasus" spyware. Pegasus is the notorious spyware tool developed by the NSO Group, which drew worldwide attention in 2018 when Citizen Lab researchers found it present in 45 countries.
The activists received phishing emails that attempted to infect their machines with the spyware. If they fell into the trap, their communications would be compromised and their privacy breached. The attackers also used the NetWire spyware, which is capable of logging keystrokes, stealing account credentials, and recording audio. The emails contained links pointing to "Firefox Send," Mozilla's encrypted file-sharing service, most likely to evade antivirus detection and pass through email filters. The files hosted on the service were presented as PDFs but were actually Windows executables carrying the spyware.
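The lure described above relies on a file that claims to be a PDF but is really a Windows executable. A defender's check for exactly that mismatch is shown below. This is an added example and not code from the article or from the researchers; it classifies a downloaded attachment by its magic bytes rather than its name, and the sample byte strings are constructed inline (a minimal PDF header and a minimal DOS/PE header stub), not real payloads from the campaign.

```python
import struct


def sniff_type(data: bytes) -> str:
    """Classify file content by its leading bytes, ignoring the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # A DOS header stores the offset of the "PE\0\0" signature at 0x3C.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare what the name advertises with what the content really is.

    A file is flagged when its content is an executable, or when the name
    suggests a PDF (anywhere in it, so 'report.pdf.exe' counts) but the
    content is not a PDF.
    """
    lowered = name.lower()
    claimed = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    actual = sniff_type(data)
    advertised_pdf = ".pdf" in lowered
    suspicious = actual.endswith("executable") or (advertised_pdf and actual != "pdf")
    return {
        "name": name,
        "claimed_extension": claimed,
        "actual_type": actual,
        "suspicious": suspicious,
    }


def make_pe_stub() -> bytes:
    """Build a constructed, non-functional PE header for testing the sniffer."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # PE signature right after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples: a genuine (tiny) PDF and an executable posing as a PDF.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_FAKE_PDF = make_pe_stub()


if __name__ == "__main__":
    for name, data in [("report.pdf", SAMPLE_PDF), ("report.pdf", SAMPLE_FAKE_PDF),
                       ("report.pdf.exe", SAMPLE_FAKE_PDF)]:
        print(check_attachment(name, data))
```

The check deliberately ignores where the file came from: a link to a reputable file-sharing service says nothing about the payload, so the classification has to be done on the bytes after download, at the mail gateway or on the endpoint.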
The senders of the emails posed as journalists, political figures, or fellow activists, but none of this was true. While the entity behind this campaign and the planting of the Pegasus and NetWire spyware remains unknown, there are a few pointers to consider. The targeted activists played a key role in the protests connected to the violent uprising in Bhima Koregaon in 2018. Moreover, the NSO Group has recently reaffirmed that it only licenses its spyware to governments and law enforcement agencies.
Indeed, publications from 2018 indicate that the Maharashtra Police was somehow able to follow the movements of particular activists closely, and it even published evidence in the form of intercepted communications that proved a conspiracy against public safety. The police claimed that the data had been retrieved by analyzing the storage of confiscated laptops. Still, the timing of the arrests, as well as the fact that the laptops most probably held encrypted data, raised questions among those who don't accept generic explanations lightly. For now, there is no evidence pointing to the perpetrators' identity, and the NSO Group has already denied any connection with these findings.