Israeli spyware used to spy on Indian journos, activists: Whatsapp confirms

The hackers allegedly used an Israeli technology, Pegasus develeoped by Israeli firm, NSO to the conduct cyberespionage

In a startling revelation, WhatsApp has confirmed that at least two dozen journalists, academicians, Dalit and human rights activists, in India have been targeted for surveillance for a two week period until May 2019, The Indian Express reported. The hackers allegedly used an Israeli technology, Pegasus developed by Israeli firm, NSO to conduct cyberespionage. WhatsApp contacted the users and alerted them that their phones had been under surveillance.

The social media firm declined to comment on the identities and “exact number” of those targeted for surveillance in India when contacted by The Indian Express. But a WhatsApp spokesperson confirmed to the daily that the company was aware of those targeted and had contacted all those suspected of being under surveillance.

“Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” the spokesperson said.

The Indian Express reached out to Home Secretary A K Bhalla and Electronics and Information Technology Secretary A P Sawhney for comments, but the efforts went unanswered.

Earlier WhatsApp filed a lawsuit in US federal court against Israeli technology firm NSO Group, accusing it of using the Facebook-owned messaging service to target some 1,400 WhatsApp users including journalists, human rights activists and others. WhatsApp alleged that the companies violated US and California laws as well as WhatsApp’s terms of service which prohibit this type of abuse. It claimed that smartphones were penetrated through missed calls alone.

Meanwhile, The NSO Group has been adamant that it only sells its software to governments for "fighting crime and terror" and that it investigates credible allegations of misuse.

In a statement, the NSO group said: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists.” After doubts about this technology were first raised in May, the NSO Group said it put in place a ‘Human Rights Policy’ on September 19 which “further embeds human rights protections throughout our business and governance systems”.

A Canada-based cybersecurity group Citizen Lab in 2018, found suspected NSO Pegasus infections associated with 33 of the 36 operators in 45 countries including India. The report claims that it discovered an Indian link active from June 2017 to September 2018.

“We identified five operators that we believe are focusing on Asia. One operator, Ganges, used a politically themed domain.” the group said.

Arab human rights activists approached Citizen Lab after the suspicion that they were under surveillance.

Earlier, the NSO Group ended its agreement with Saudi Arabia after news emerged that the firm's spyware had been used to target and track journalist Jamal Khashoggi before he was killed inside the Saudi Arabian consulate in Istanbul.

According to WhatsApp, the messages sent and received from the platform are encrypted and secure. The real problem arises when the hacker uses technology to compromise the device, making it prone to breach of privacy and thereby endangering personal freedoms.

The Facebook-owned messaging service in May alerted the users to upgrade the application to plug a security gap that allowed for the injection of sophisticated malware that could be used for spying the 1.5 billion users around the world.  

Apparently, to draw a target under surveillance, a Pegasus operator will send a specially created 'link' to the target device and if the user clicks on the link, the operator can penetrate through security features on the phone and install Pesagus without any permission. The spyware then could contact the operator’s command and control servers to receive and execute operator commands, and send back the target’s private information, including passwords, contact lists, text messages, and live voice calls from popular mobile messaging apps. According to the lawsuit filed by WhatsApp, even without a response from the target (i.e, if the user doesn't click on the specially crafted link sent by the operator), the phone is still vulnerable to a privacy breach. Just a missed video call on WhatsApp can breach the security. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.