Indians are by now fairly attuned to being victims of cyber fraud and crime, as the present Narendra Modi government brings the 1.34-billion population under increasing digitisation through its Digital India mission and under mass surveillance through biometric and personal identification registration that can detect online financial transactions, banking activity, overseas travel and social media exchanges.
Nevertheless, they were greatly alarmed by news of a particularly rabid mode of cybersnooping on select citizens by an Israeli firm sanctioned by Israel’s defence ministry and presumably engaged by the Indian government. The 18 citizens so targeted – there are more coming forward – include civic and human rights activists who are behind bars on charges of sedition, as also lawyers who are fighting their cases and academics who have spoken up for them.
Some 1,400 persons – senior government and military officials, political dissidents, academics, intellectuals, journalists, lawyers and civil libertarians – across 45 countries, including India, have been targeted by a state-of-the-art mobile phone spyware suite called Pegasus, which is produced and marketed by Israel’s NSO Technologies Group, based in Herzliya, near Tel Aviv. They had been targeted through the video calling feature of the popular Facebook-owned WhatsApp messaging platform.
The malware attack had come to light in May, when it was found that it required but a click on a specially crafted exploit link by the user to penetrate the security features on the phone and deliver a chain of zero-day exploits to install Pegasus without the user’s knowledge. WhatsApp had then announced an update designed to block the malicious code, but NSO developed an even more undetectable and supremely sophisticated software that could intrude simply via a missed call on the messaging app and breach the app’s encrypted communication system.
Citizen Lab, of the University of Toronto’s Munk School of Global Affairs & Public Policy, responding to a tip-off, scanned the internet between August 2016 and August 2018 for servers associated with the spyware. It notes that Pegasus exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands and to stream the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
WhatsApp filed a lawsuit against the NSO Group in a California court on 29 October, charging the Israeli company with breach of contract and unlawful activity. “Between approximately 29 April 2019, and 10 May 2019, defendants caused their malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 target devices,” WhatsApp said in its lawsuit. “The target users had WhatsApp numbers with country codes from several countries, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico.”
According to the plaint, Pegasus is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection. This cyber espionage tool can no longer be uninstalled, even through factory reset, leaves no trace on the device, consumes minimal battery and memory, and has a self-destruct option that can be used any time. Even buying a new handset does not help, unless those targeted change all their passwords.
The WhatsApp application is protected by the strongest encryption means known today, disallowing any third party, including WhatsApp, from viewing encoded messages as they traverse phones. Pegasus, however, disables this protection completely, enabling all conversations and attachments to be uploaded to the monitoring server silently in the background.
Cases are also being lodged in India against NSO as well as the right-wing Bharatiya Janata Party (BJP) government. The government has been accused of violating the Constitution, Article 19 of which guarantees the right to freedom of speech and expression to all citizens. The government is held cognisable also because NSO caters only to governments and not private agencies or individuals, and that too after written approval from the Israeli defence ministry.
Prime Ministers Modi and Benjamin Netanyahu have an excellent personal rapport, and India also happens to be the largest buyer of arms from Israel. What will also be addressed is whether a country can have export control laws that allow the sale of deeply invasive and clandestine tools like Pegasus to governments that may appropriate them for unlawful purposes. Also questioned will be whether sovereign states like Israel are justified in sanctioning such sales, which are more associated with authoritarian or “rogue” regimes. Israeli security cabinet minister Zeev Elkin has, however, been quoted as saying: “NSO is a private player using capabilities that Israelis have. There is no Israeli government involvement here, everyone knows this is not about the state of Israel.”
Michael Joseph, Director System Engineering, India & SAARC, at Bengaluru-based Fortinet, the India office of the California-headquartered global leader in broad, integrated and automated cybersecurity solutions, says that threat researchers have reported abuse of the spyware as it depends on who gets their hands on this very powerful tool. “This was one of the potentially harmful applications developed with a lot of effort, time, and money to be installed on a very small number of devices,” he observes. “There have been a few high-profile cases where it has been used for other than law enforcement and for political reasons.” A powerful weapon sold as the ‘AK-47’ of spyware for various governments, the Pegasus programme, says Joseph, was stolen last year by a disgruntled NSO employee who was arrested as he tried to sell it on the Dark Web for $50 million.
On its official website, the NSO Group declares that its products are used “exclusively by government intelligence and law enforcement agencies to fight crime and terror”. It maintains that its products, which are designed by telecommunications and intelligence experts, “help government intelligence and law-enforcement agencies use technology to meet the challenges of encryption to prevent and investigate terror and crime”. The Group has grown rapidly and increased its revenues fourfold since its founding in 2014, finishing 2018 with revenues of $250 million and “dozens of licensed customers”.
One of the victims, Shalini Gera, who is an advocate representing victims of state-sponsored violence, reportedly described her “really frightening” experience, as her phone was rendered completely vulnerable and its microphone and camera switched on and off at will. Referring to the nine imprisoned civic activists and their lawyers, she observed that if the authorities had access to their phones and computers, they may well have also planted evidence. The government has charged the nine accused and their supporters with links to banned far-left groups, but has till now been able to only furnish digital “evidence” from their phones and computers to keep them in jail.
In their anxiety to build up their case, the authorities held up a copy of Leo Tolstoy’s War and Peace before the Bombay High Court, which concurred that the nature of literature read by the accused was evidence of their affiliation with banned organisations. The court later retracted this observation following a public outcry. It is also widely believed that none but the government would want to act through Pegasus against those targeted, in line with the growing atmosphere of intolerance against those critical of the ruling dispensation. The national leadership is now increasingly equating itself with nationhood and those critical of it are charged with being seditious, or “exciting disaffection towards the government”. While Section 124 A of the Indian Penal Code provides for life imprisonment for sedition, Section 121 concerns waging, or attempting to wage, war against the government and is punishable with a life sentence or even death.
WhatsApp, which is currently facing off with the Indian government in the Supreme Court on the issues of a “rise in hate speech, fake news and so-called anti-national activities online through defamatory social media posts”, has termed the targeting of the Indian members of “civil society” an “unmistakable pattern of abuse”.
Under fire from the media and activists, the Indian government has sought an explanation from WhatsApp as to why it failed to reveal details of the Pegasus spyware attack on Indian citizens, even in the meetings that Will Cathcart, WhatsApp global head and also vice president of product management at Facebook, and Facebook global policy and communications head Sir Nick Clegg had with Indian IT minister Ravi Shankar Prasad in New Delhi in July and September. Prasad also released a statement, saying the government is “concerned at the breach of privacy of citizens of India on the messaging platform WhatsApp”.
Indicating that just about every breach in the last 20 years was a result of gaps in visibility, awareness, and control, Joseph said, “If you can’t see what’s on your network, you can’t protect it; if you can see what’s connected, but have no contextual awareness about what’s happening, you can’t protect it; and if you can detect and understand what’s happening, but don’t have an integrated and automated way to respond, you still can’t protect it.” Joseph said there has been a specific call for the adoption of Zero Trust across the government, Zero Trust positing that traffic inside the perimeter should be trusted no more than outside traffic.
“Going forward, trust assessment needs to move beyond a simple binary yes-no model to be more adaptive and risk-based,” he avers.