Human rights activists in India were targeted by a coordinated spyware campaign from January to October of 2019, according to research published Monday by Amnesty International and the University of Toronto’s Citizen Lab.
Nine activists in total were targeted, eight of whom have been calling for the release of 11 people jailed during protests related to the violent uprising in Bhima Koregaon, India in 2018.
The targets were sent spearphishing emails with malicious links and files that, if clicked, would infect the victims’ computers with spyware capable of tracking their communications. Three of the activists were also allegedly targeted last year by Pegasus, a notorious spyware program developed by Israeli surveillance software firm NSO Group.
Human rights defenders in India have been victimized by spyware in the past. But the research shows that surveillance software has been leveraged multiple times against activists linked to the Bhima Koregaon case. One of the activists who was imprisoned following the protests, Anand Teltumbde, alleged last year that someone used NSO’s software in an attempt to hack his devices.
“That some of these individuals were targeted multiple times shows that there is a disturbing pattern of spyware attacks against [human rights defenders] involved in the Bhima Koregaon case,” the researchers wrote in a blog post about the campaign. “This spyware campaign is very concerning in the context of an already perilous situation for [human rights defenders] in India where surveillance is used along with threats, imprisonment and smear campaigns against activists to shrink the space for civil society.”
The case against the Bhima Koregaon protesters has relied “almost entirely on digital evidence obtained from the arrested activists’ devices,” according to Amnesty and Citizen Lab. In 2018, Indian police are alleged to have released materials found on the activists’ devices to smear them.
NSO Group has historically claimed its tools can only be used by law enforcement and government-run intelligence agencies.
“As written in the report, the most recent alleged discoveries have no links to NSO. All other allegations are recycled and misleading,” an NSO spokesperson told CyberScoop in a statement.
The perpetrators behind the new campaign, whose identities remain unknown, also tricked the activists with spearphishing emails that purported to be from journalists, officials from local courts or other people who knew the targets. The perpetrators used links to lead targets to a file hosted on Mozilla’s file-sharing platform Firefox Send, in a likely effort to avoid malware and email filters. The malware was delivered by files that looked like PDFs, but which were actually malicious Windows programs.
The campaign would then deploy commercially available spyware capable of logging keystrokes and stealing credentials and audio recordings. The malware, NetWire, has been used in the past by criminal groups and in corporate espionage incidents. In April, researchers for BlackBerry Cylance found evidence that tied NetWire to a China-based hacking collective known as Winnti Group.
The news comes just one week after Citizen Lab revealed that a hack-for-hire business in India had been targeting activists, journalists, and investment firms for approximately seven years in multiple credential-stealing campaigns.
“We currently have no evidence showing any link with the hacker-for-hire research published by the Citizen Lab recently,” a spokesperson from Amnesty International told CyberScoop.