India’s Spy Agency Bought Hardware That Matches Kit Used for Pegasus, Shows Import Data

India’s Intelligence Bureau, the country’s main domestic intelligence agency, bought hardware from Israeli spyware firm NSO Group that matches the description of equipment used elsewhere to deploy the company’s flagship Pegasus software, import documents show.

The finding bolsters the claim, reported by the New York Times early this year, that the Indian government purchased Pegasus spyware in 2017 as part of a major arms deal with Israel. 

Pegasus, which secretly infects mobile phones with surveillance software, has been deployed in various countries, in many cases to spy on journalists, activists, opposition politicians, and dissidents.

Last year, the Pegasus Project, a collaborative investigation into who had been targeted by the software, revealed that a number of phones in India had potentially been infected, including those of prominent journalists and senior politicians, such as opposition Congress party leader Rahul Gandhi.

The Indian government has declined to confirm or deny whether it purchased Pegasus software. In July last year, the country’s information technology minister dismissed the reports as “sensationalism” and called them an attempt “to malign Indian democracy and its well-established institutions.”

In October, the country’s Supreme Court launched an inquiry into claims reported by the Pegasus Project that the government had used the spyware. The committee ended its investigation last month, saying that while some of the phones it examined contained malware, it could not find conclusive evidence that Pegasus was deployed. 

Import data reviewed by Organised Crime and Corruption Reporting Project (OCCRP), a global network of investigative journalists, however, shows that in April 2017 the New Delhi-based Intelligence Bureau (IB) received a shipment of hardware from NSO in Israel matching the description of equipment used elsewhere to run Pegasus software. 

The consignment included Dell computer servers, Cisco network equipment, and “uninterruptible power supply” batteries, which provide power in case of outages, according to a bill of lading obtained through a global trade data platform that draws on national customs documents. 

The shipment, delivered by air, was marked “for Defence and Military Use” and cost $315,000. That description — and the timing of the shipment — appeared to match the account given in January by the New York Times, which reported that Pegasus and a missile system had been “centerpieces” of a major 2017 arms deal between Israel and India. 

The conclusion of that deal was announced on April 6 that year by Israel Aerospace Industries, which was contracted to supply missile defence systems, a week and a half before the customs documents show the shipment took place. 

It is not possible to say conclusively whether the imported hardware was used for Pegasus. But the specifications resemble those laid out in a brochure for Pegasus spyware submitted to a US court in a lawsuit filed against NSO Group by Meta, the parent company of Facebook and WhatsApp, in 2019.

The NSO Group and the Intelligence Bureau did not respond to questions about the shipments sent by OCCRP. 

The brochure — which notes that “necessary hardware is supplied with the system upon deployment” — outlines the need for two computer racks, network equipment, servers, network cables, and batteries to keep the servers running in case of outages. This hardware is needed to run the Pegasus platform and store data extracted from mobile phones.

Images from a brochure for Pegasus spyware, showing the hardware used to run it.

The specifications also resemble those outlined in a contract for Pegasus between a Mexican company and NSO Group, originally reported by the Mexican news outlet Aristegui Noticias and obtained by OCCRP and its partners. Documents from the Meta lawsuit also show similar hardware shipments made to Ghana, another NSO Group customer. 

Two intelligence officials — a senior officer and a contractor — also told OCCRP that Pegasus had been purchased by the government in 2017. Both spoke on condition of anonymity because their jobs prohibited them from speaking publicly.

Etienne Maynier, a security researcher at Amnesty International, said that the findings “provide strong and alarming evidence of surveillance transfers with Indian authorities.”

India’s National Security Adviser Ajit Doval had reportedly visited Israel in late February, ahead of a historic visit by Indian Prime Minister Narendra Modi to Israel which took place in July. 

While the agency’s official mandate is counter-intelligence and combating domestic terrorism, it has allegedly been used in the past to gather political intelligence. There is no formal law to regulate the Intelligence Bureau, and its constitutionality has been challenged repeatedly in recent years.

In late 2018, the Ministry of Home Affairs empowered the Intelligence Bureau to decrypt any information collected from any device in India.

However, legal experts have raised questions whether extraction of data using Pegasus or equivalent software would constitute decryption or hacking. If it is considered as hacking and not decryption, it will not be covered under the above provision. That’s because Pegasus is not for "decryption of information" but essentially intrusion of a phone, altering its system/application software, and its use so would be considered hacking under Indian law and a criminal act under the Information Technology Act.

A public outcry over the alleged use of Pegasus pushed India’s Supreme Court to set up an expert panel in October last year to investigate the claims. 

The panel finished work in August, concluding that it could not prove Pegasus had been used. However, it noted that the government  “did not cooperate” with its investigation. Its report was not made public, apart from an annex recommending legal reforms related to cybersecurity and privacy. 

Maynier said the court should make the report public “immediately and without further delay.” 

“All the victims of Pegasus spyware abuse in India deserve transparency, and the Indian authorities should come clean on their relationship with NSO,” he said. 

The writers are with OCCRP.