INDIA TARGETS APPLE OVER ITS PHONE HACKING NOTIFICATIONS

Gerry Shih and Joseph Menn

A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.

Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company’s internal threat algorithms were faulty and announced an investigation into the security of Apple devices.

In private, according to three people with knowledge of the matter, senior Modi administration officials called Apple’s India representatives to demand that the company help soften the political impact of the warnings. They also summoned an Apple security expert from outside the country to a meeting in New Delhi, where government representatives pressed the Apple official to come up with alternative explanations for the warnings to users, the people said. They spoke on the condition of anonymity to discuss sensitive matters.

“They were really angry,” one of those people said.

The visiting Apple official stood by the company’s warnings. But the intensity of the Indian government effort to discredit and strong-arm Apple disturbed executives at the company’s headquarters, in Cupertino, Calif., and illustrated how even Silicon Valley’s most powerful tech companies can face pressure from the increasingly assertive leadership of the world’s most populous country — and one of the most critical technology markets of the coming decade.

The recent episode also exemplified the dangers facing government critics in India and the lengths to which the Modi administration will go to deflect suspicions that it has engaged in hacking against its perceived enemies, according to digital rights groups, industry workers and Indian journalists.

Many of the more than 20 people who received Apple’s warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon. They included a firebrand politician from West Bengal state, a Communist leader from southern India and a New Delhi-based spokesman for the nation’s largest opposition party.

Of the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a nonprofit alliance of dozens of independent, investigative newsrooms from around the world.

On Aug. 23, the OCCRP emailed Adani seeking comment for a story it would publish a week later alleging that his brother was part of a group that had secretly traded hundreds of millions of dollars’ worth of the Adani Group conglomerate’s public stock, possibly in violation of Indian securities law. A forensic analysis of Mangnale’s phone, conducted by Amnesty International and shared with The Washington Post, found that within 24 hours of that inquiry, an attacker infiltrated the device and planted Pegasus, the notorious spyware that was developed by Israeli company NSO Group and that NSO says is sold only to governments.

A spokeswoman for Adani denied that the magnate was involved in any hacking effort and accused OCCRP of conducting a “smear campaign” against the Adani Group. She also criticized The Post for asking whether the Adani Group was involved in, or had knowledge of, the hacking attempts against OCCRP. “While categorically denying and rejecting this insinuation, we find it disturbing and inappropriate that you would make an attempt to draw our name into this specious construct,” Varsha Chainani, the Adani Group’s head of corporate communications, said in an emailed response to written questions. “The Adani Group operates with the highest level of integrity and ethical standards.”

Gopal Krishna Agarwal, a national spokesman for the BJP, said any evidence of hacking should be presented to the Indian government for investigation. Hiren Joshi, the top communications official in the prime minister’s office, did not respond to requests seeking comment. Apple declined to comment in response to written questions.

The Modi government has never confirmed or denied using spyware, and it has refused to cooperate with a committee appointed by India’s Supreme Court to investigate whether it had. But two years ago, the Forbidden Stories journalism consortium, which included The Post and OCCRP, found that phones belonging to Indian journalists and political figures were infected with Pegasus, which grants attackers access to a device’s encrypted messages, camera and microphone.

In recent weeks, The Post, in collaboration with Amnesty, found fresh cases of infections among Indian journalists. Additional work by The Post and New York security firm iVerify found that opposition politicians had been targeted, adding to the evidence suggesting the Indian government’s use of powerful surveillance tools.

In addition, Amnesty showed The Post evidence it found in June that suggested a Pegasus customer was preparing to hack people in India. Amnesty asked that the evidence not be detailed to avoid teaching Pegasus users how to cover their tracks.

“These findings show that spyware abuse continues unabated in India,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab. “Journalists, activists and opposition politicians in India can neither protect themselves against being targeted by highly invasive spyware nor expect meaningful accountability.”

NSO spokesperson Liron Bruck said that the company does not know who is targeted by its customers but investigates complaints that are accompanied by details of the suspected hack.

“While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime,” Bruck said. “The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”

David Kaye, a former United Nations special rapporteur on free expression who has testified before an Indian Supreme Court committee probing the government’s suspected use of Pegasus, said the recent reporting by The Post and its partners “further shifts the burden onto the Indian government to disprove the allegations that it uses these kinds of tools.”

“Especially after this information, the government absolutely has to be honest and transparent,” Kaye said. “But the accretion of evidence suggests this is not divorced from the broader assault by the Modi government on the freedom of expression and the right to protest.”

A persistent threat

One after another at October’s end, some of India’s best known journalists and politicians posted on X, formerly known as Twitter, that Apple had warned them that state-sponsored hackers may have targeted their devices. While Apple, as usual, did not accuse the Indian government or describe the attacks, the self-identified victims said there was a pattern: Many had questioned Modi’s close relationship with Adani, who lent the Indian leader aircraft for his 2014 election campaign, traveled abroad with him during state visits and operates a vast portfolio of seaports, airports, railroads and power plants.

On Aug. 31, the OCCRP published a joint investigation with British news outlets the Financial Times and the Guardian, reporting that Adani’s longtime associates had routed funds through offshore shell companies into publicly traded Adani shares. Adani denied the story’s allegations, but the report spurred calls for a parliamentary probe of suspected stock manipulation, and it renewed criticism that Modi’s government had failed to regulate Adani’s dealings out of loyalty to the businessman.

Hours after OCCRP sought comment from Adani a week before the story’s publication, unknown hackers used an exploit called Blastpass to weave through two security holes in Mangnale’s phone and install Pegasus, according to Amnesty’s analysis. Amnesty said it found no signs of an attempted intrusion on Nair’s phone, which is not uncommon after sophisticated attacks.

“We know Pegasus is only licensed to governments, and we know that the attack happened hours after we sent the email,” Mangnale said. “I am not pointing at anyone, but that is a hell of a coincidence.”

Others warned by Apple include Mahua Moitra, a member of Parliament who has vocally condemned Modi’s relationship with Adani. Moitra was expelled from Parliament this month by a BJP-dominated committee investigating allegations that she accepted gifts from an Adani business rival in exchange for raising questions about the billionaire’s business interests. In an interview, Moitra called the charges fabricated and said the government should scrutinize Adani’s transactions instead of her communications.

“Adani is the government and the government is Adani,” Moitra said. “It is our greatest misfortune that we are governed by a bunch of peeping Toms.”

IVerify examined Moitra’s phone backup and confirmed that she had received an Apple warning. It also saw urgent crash reports that, together with other digital records, suggested the device had been hacked. The company also found a threat notification and suspicious activity on the phone of Praveen Chakravarty, head of the opposition Indian National Congress party’s data analytics department.

This is far from the first time the Indian government has been accused of snooping on critics.

In 2018, researchers at the University of Toronto’s Citizen Lab found evidence that servers used to plant NSO spyware were embedded in Indian telecom networks. Two years later, Citizen Lab and Amnesty found that nine human rights advocates in India had been hacked with emails that installed commercial spyware on their Windows computers.

In 2019, Meta’s WhatsApp also sued NSO, alleging that the firm exploited vulnerabilities in its chat software to hack approximately 1,400 people, and told the media that the victims included journalists and dissidents in India. NSO has denied wrongdoing in the case, which is pending. And last year, journalists working for OCCRP unearthed customs records showing that India’s Intelligence Bureau, the domestic security agency, received shipments of hardware matching Pegasus specifications from NSO’s offices outside Tel Aviv.

Siddharth Varadarajan, a co-founder of the Indian digital media outlet the Wire, received one of Apple’s Oct. 30 warnings. Amnesty found that the same hackers that broke into Mangnale’s phone had tried to do the same to Varadarajan’s. In both cases, someone using the Apple ID natalymarinova@proton.me had used the Blastpass vulnerability. The Post received no response to an email sent to that address.

The attempt to infiltrate Varadarajan’s phone and install Pegasus, which took place on Oct. 16, failed, Amnesty found. That’s because Blastpass had been revealed in September by Citizen Lab, Apple had fixed the two flaws it used and Varadarajan had kept his iPhone’s software updated.

Varadarajan said he was not working on any sensitive stories around the time of the attempted hack. But he said he was leading protests over the arrest of a leftist publisher accused of spreading Chinese Communist Party propaganda. The publisher’s website, Newsclick, had often run articles critical of Modi and Adani.

Government counteroffensive

As soon as journalists and opposition politicians shared their warnings from Apple, BJP officials scrambled to contain the fallout.

Senior Modi administration officials called Apple India’s managing director, Virat Bhatia, after the news broke, said two people with knowledge of the matter. One of the people said Indian officials asked Apple to withdraw the warnings and say it had made a mistake. After a heated discussion, the company’s India office said the most it could do was put out a public statement that emphasized certain caveats that Apple had already listed on its tech support page about the warnings.

Apple India soon sent out emails observing that it could have made mistakes and that “detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.”

“Civil society was puzzled and concerned by the Apple statement,” said one U.S. digital rights advocate, who spoke on the condition of anonymity to speak frankly about what he viewed as company missteps.

Bhatia told others that the company was under intense pressure from the government, but other Apple executives stressed the need to stand firm, the two people familiar with the events said. Bhatia declined to comment.

Still, Apple India’s corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple’s warnings could be false alarms and that similar warnings had been issued to users in 150 countries, not just India, said three Indian journalists, who spoke on the condition of anonymity to protect their relationship with Apple. The guidance effectively cast doubt on Apple’s own security team and shifted the spotlight away from the Modi government, these journalists said.

A BJP memo distributed to party surrogates and friendly media outlets pushed similar talking points. The memo, seen by The Post, noted that Apple users in 150 countries, including “several political leaders in Uganda,” had received similar hacking notices and that Apple’s operating systems contained security vulnerabilities. The evening the memo went out, government officials anonymously told Indian outlets they suspected that an “algorithmic malfunction” within Apple’s internal systems had generated the hacking notices, and Piyush Goyal, India’s commerce minister, said in a television interview that the notices may have been “a prank.”

On social media, pro-government influencers further muddied the waters. Sanjeev Sanyal, one of Modi’s economic advisers, pointed out on X that, in Apple’s hacking alerts, the company advised targeted users to consult with Access Now, a digital rights group that Sanyal noted has received funding from George Soros, the liberal financier and philanthropist. Soros is often painted by the Indian right as a boogeyman who masterminds international conspiracies against India.

“See the sinister plot here?” Amit Malviya, the head of BJP’s social media team, asked his 765,000 followers on X, implying that Apple, Access Now, Soros and opposition politicians were working together to falsely accuse the government of hacking.

On Oct. 31, Rajeev Chandrasekhar, the deputy minister of electronics and information technology, announced that a government probe had been launched into “these threat notifications and … Apple’s claims of being secure.”

After receiving a barrage of questions from the government, one Apple security expert from outside India flew to the country in November and met with officials at the technology ministry’s New Delhi offices, where officials again demanded alternative explanations for the warnings, according to the three people familiar with the events.

But Apple defended its work to the officials. “When Apple sends a notification, that’s yelling ‘fire.’ You’d better be pretty confident there’s a fire,” said a person who worked with the company. He and others spoke on the condition of anonymity to discuss sensitive dealings with authorities.

In response to questions from The Post about whether the government exerted pressure on Apple, the Ministry of Electronics and Information Technology said in a statement: “We have instituted technical investigation in the reported matter. So far, Apple has cooperated fully in the investigation process.”

Nikhil Pahwa, the founder of the Indian tech policy news website MediaNama, said the Modi government deployed a familiar tactic.

“You can’t have the Indian government investigating itself,” Pahwa said. “What we see often with the Indian government is what I would call ‘kite-flying’: putting a message out to defuse a situation or to misdirect a situation.”

A dilemma for Apple

Silicon Valley companies have been pressured to overlook Indian government overreach before. This year, The Post found that both Facebook and X uncovered covert Indian military propaganda and calls for violence on their platforms, but executives hesitated to remove them. In both cases, executives at the companies’ India offices warned colleagues at the U.S. headquarters about the risks of clashing with the government and endangering their business.

But the confrontation between Apple and the Modi administration this autumn was more delicate for both sides and ended in a stalemate, according to industry analysts and people working with Apple.

For its part, Apple has been looking to India as a revenue driver as sales flatten in other markets. India is on track to account for 10 percent of Apple sales in 2025, up from 4 percent now, according to Wedbush Securities analyst Daniel Ives.

“India will be the heart and lungs of Apple’s strategy outside of China,” Ives said.

The Modi administration, meanwhile, doesn’t want to alienate a high-profile device manufacturer that it has been courting as part of its “Make In India” campaign to create factory jobs. That may have helped to blunt the government’s retaliation over the hacking warnings, people working with Apple said.

Although Apple India executives initially helped provide Modi government officials fodder for doubts about the warnings, Apple ultimately ceded less ground than its Silicon Valley peers have, according to people familiar with the events who noted that Apple issued no new statement after the November summit with Indian authorities.

“Apple is treading a very delicate line,” said Steven Feldstein, a fellow at the Carnegie Endowment for International Peace in Washington who studies the spyware industry. “It needs to stand up for digital rights and its core brand of protecting privacy, but it also doesn’t want to jeopardize its presence in an extremely important market.”

Rank-and-file Apple employees say that the company cannot afford to compromise on its commitment to making its devices as safe as possible in an era when crime and surveillance are surging. Last year, Apple introduced Lockdown Mode, an option that drastically reduces the number of electronic avenues that can be used to implant Pegasus or similar spyware. No infections have been discovered on phones running in Lockdown.

A multitude of internal signals factor into Apple’s determination that a country is behind a specific hacking attempt, and the chances of false alarms are small, former employees and people working with the company say. Apple has expanded its security and threat-research teams in recent years, hiring technologists with human rights backgrounds as well as intelligence agency veterans, and it conducts inquiries like a small intelligence agency itself. If it detects something unusual, it looks for the same activity elsewhere and then follows the leads to find more hacking techniques and victims.

With many hacking attempts, something outside the norm occurs. It can stand out as starkly as someone coming into a restaurant and ordering three desserts, then one entree, and then six appetizers, said a former Apple employee.

Apple sued NSO for allegedly hacking its infrastructure and began warning of state-sponsored attacks in November 2021, after the Forbidden Stories consortium exposed worldwide abuses. (Attacks on Android phones are also common, but they have a variety of manufacturers.) The Commerce Department blacklisted NSO that same month, barring it from deals with American companies.

The alerts have played a major role in exposing hacking activity, especially when those notified get their phones examined afterward. The discoveries have revealed hacking methods that can then be blocked, making it more expensive for those who sell the most powerful hacking tools, industry experts say.

“Apple’s warnings have fundamentally changed the game for finding spyware abuses,” said John Scott-Railton, a researcher at Citizen Lab. “Their warnings shift the power balance.”

The increased attention has elevated the issue to the White House, which this year pledged with allied governments not to buy from the companies whose tools were being abused by authoritarian regimes.

India is not among the governments that joined the pledge.

This year, there have been other signs of the Indian government hacking targets it perceives as threats.

In recent weeks, iVerify examined the phone of the New York-based Sikh separatist Gurpatwant Singh Pannun, who U.S. prosecutors say was targeted for assassination by an Indian official. IVerify engineers found severe crashes of his encrypted messaging apps that could have been triggered by hacking attempts, said chief executive Danny Rogers. Referring to activity of an encrypted messaging app during two days in July, Rogers said: “Eight Signal crashes in a row screams that someone is trying to hack you.”

Rogers said those crashes were not proof of a hacking attempt but were troubling because there was other evidence Pannun had been targeted. In May, Pannun was chatting over Telegram with an account belonging to Hardeep Singh Nijjar, a Sikh separatist based in Canada, Pannun told The Post. When the conversation seemed off and Pannun called Nijjar over the phone, Nijjar said he hadn’t used Telegram in a while. A few weeks later, on June 18, Nijjar was shot by masked gunmen in a parking lot — a slaying that Canadian Prime Minister Justin Trudeau announced in September was “credibly” linked to the Indian government.

Pannun told The Post that his own phones had been hacked twice before. The U.S. State Department declined to address India’s alleged use of spyware directly. A spokesman said that the government “remains very concerned about the proliferation and misuse of commercial spyware, which is being used around the world to erode democratic values and to enable human rights abuses. We are committed to countering the misuse of this technology and the threats they pose, in partnership with allies around the world, and we welcome other like-minded partners to join us.”

Journalists still under fire

Officially, the Indian investigation of Apple continues, but people briefed on the matter said pressure on the company has waned. The next step is a report by India’s cybersecurity office, but it has no deadline. Indian media have reported that Indian officials now believe Apple’s warnings of state-sponsored hacking were genuine, but that the culprit may have been Beijing. While China is India’s great regional rival and a prodigious hacker, it has never been publicly linked to any use of Pegasus. The Israeli defense ministry must approve all sales of the spyware.

While tensions between Apple and New Delhi have eased, the journalists who faced hacking attempts continue to experience pressure. In November and December, a third Indian journalist who has worked with OCCRP received phishing emails from a hacker who posed as a whistleblower seeking to leak corporate documents. The emails contained malware, according to OCCRP’s security team, which has not been able to identify the sender.

After the publication of their Adani investigation in August, Mangnale and Nair were summoned by the crime branch of the Ahmedabad city police force, in Adani’s and Modi’s home state of Gujarat, to respond to a complaint by a local investor who accused them of releasing a “grossly false and malicious” story about Adani. Ahmedabad police have also summoned two British reporters with the Financial Times, which collaborated with OCCRP on the investigation, as part of a preliminary inquiry.

A spokesperson for the FT declined to comment. The OCCRP said it has successfully appealed to the Indian Supreme Court to protect Mangnale and Nair from potential arrest, but the journalists are still fighting in court to avoid questioning by police.

At their first hearing on Dec. 1, the OCCRP journalists discovered a particularly high-powered lawyer was arguing the case on behalf of local police.

That lawyer was Tushar Mehta, the solicitor general of India.

https://www.washingtonpost.com/world/2023/12/27/india-apple-iphone-hacking/