
GLC, DU, JGLS-grad lawyers’ phones hacked in prohibitively expensive cyber attacks

Unless you’re a lawyer with certain clients?

At least three Indian lawyers’ smartphones have allegedly been hacked since May 2019 with elite cyber-weapons sold to various governments and security services by Israeli company NSO Group, which has been sued by Facebook this week in a California court over NSO-connected hacking campaigns allegedly exploiting WhatsApp vulnerabilities against 1,400 activists (of whom at least 19 are based in India).

The hacks would have given the attackers (which the victim lawyers are currently assuming to have been the government) basically unfettered access to any documents on the lawyers’ smartphones, allowing monitoring of their location, microphone, calls and even live video feeds. It also generally allows attackers full access to messages sent or received, even in encrypted messaging apps or emails, and could conceivably be used to obtain access to any number of confidential or privileged case documents stored on the lawyers’ computers.

As first reported by Firstpost, the smartphone of Nagpur-based lawyer Nihalsing Rathod (GLC Mumbai LLB), who is part of the senior counsel Colin Gonsalves-founded Human Rights Law Network, was hacked by the advanced NSO-created Pegasus malware.

Scroll has added two more lawyers who have come forward to the list: Chhattisgarh-based Shalini Gera (Delhi University LLB, and part of the Jagdalpur Legal Aid Group) and Chandigarh-based Ankit Grewal (2012 JGLS Sonepat LLB), besides at least 12 other activists.

All three lawyers have been active in human rights related legal work (which is sometimes described as ‘activism’), as well as notably the controversial Bhima Koregaon case: Rathod represented the accused Surendra Gadling, and Gera and Grewal had acted for defendant Sudha Bharadwaj (who also happens to be a lawyer).

The lawyers’ counter-party in the Bhima Koregaon legal case is, of course, the Maharashtra government.

There are several other reasons that make it more than likely that some arm of the Indian government was involved in the hacks of the lawyers.

The so-called Pegasus and similar advanced spyware packages built by NSO often make use of a string of vulnerabilities to exploit even the newest updated versions of Google’s Android and Apple’s iPhone operating systems, which can sell in underground hacking black markets for millions of dollars, putting it out of reach of most ordinary cyber-criminals (one ex-NSO employee was jailed last year in Israel for trying to sell the company’s software for $50m to private parties).

If government or police indeed turn out to be behind the hacks, this should be of major concern to the legal profession, where privileged communications with clients accused of crimes are sacrosanct to ensuring fair trials.

Newspapers’ requests for comment from ministers and departments seem to have gone unanswered so far.

Chances of the Bar Council of India (BCI) piping up to seriously defend legal privilege are most likely slim.

Ultimately this will therefore likely be an issue that the judiciary will get to enjoy wrestling with and getting to the bottom of: some of the lawyers and activists are all but certain to approach the courts over this.

Rathod told Scroll:

“I have reason to believe that the Bhima Koregaon case is based on the letters which were planted through this route or some other route by government agencies itself. The ridiculous contents of those letters make it more apparent.”

“My senior, [advocate] Surendra Gadling, used to receive similar calls and messages and that is perhaps how they managed to plant those stupid letters on him. It all seems connected to the Bhima Koregaon case.”

Gera said:

“I was really surprised when he told me the targeting was done between February and May this year. As you know, I was persecuted by the Chhattisgarh police two years ago but now I assumed I was of no interest to the government. Then, it struck me that this could be because of the Bhima Koregaon case; I am involved in the case as Sudha’s lawyer.”

Considering she had been told that Pegasus sold for millions of dollars, she added: “So I guess it is the Indian state. I don’t think I am of interest to any other state.”

What can lawyers or activists do to protect their communications?

Even for those who are vigilant and educate themselves about cybersecurity, at the end of the day there is probably very little most lawyers can realistically do if they fear they may be the target of a determined nation state.

Because attacks sold by companies such as NSO employ so-called “zero day” attacks that neither Google nor Apple is aware of at the time of use, it is almost impossible for ordinary users to defend against such spyware, which can be triggered by something as innocuous as clicking on a link to what can often seem like a legitimate website, or opening PDF or Word documents or even videos.

Getting targets to click on web links or to open such documents is usually achieved through what are known as sophisticated “spear phishing” attacks, where the attacker impersonates a trusted intermediary, often eerily convincingly.

According to Firstpost, the hack against Rathod was likely set up through messages or emails from numbers he did not know.

A member of Toronto University’s internet security and freedom research body Citizen Lab working with WhatsApp eventually alerted Rathod and other victims about the attacks.

Other attack vectors have included merely receiving a missed call or more recently a video call via WhatsApp, without the user being any the wiser. Even SMS messages have historically been used to compromise smartphones.

Grewal told Scroll that “he had been suspicious for some time now as he used to get missed calls on WhatsApp from foreign numbers. This made him change handsets frequently”, adding: “I noticed a sharp increase in these mysterious missed calls once I got involved with Sudha Bharadwaj’s case.”

Israel-based NSO has claimed that it only sells its products to nation states and legitimate law enforcement agencies, in order to allow legal surveillance of criminals.

However, the company has come under fire and had said it would sever its commercial relationship with Saudi Arabia, for instance, after its software was linked to assisting in the government’s murder of journalist Jamal Khashoggi, as well as surveillance of other human rights activists and organisations.

NSO has also been accused of cooperating with other regimes that have not had the best track record of only using the software against criminals: journalists and human rights activists have often seen the software used to spy on them, in countries including Panama, Mexico and the United Arab Emirates, as well as allegedly a secret roster of many other nation state clients.
