Koregaon link: (From left) Anand Teltumbde, Bela Bhatia and Shubhranshu Choudhary; phones hacked.

Did Modi govt use Israeli bug to snoop on activists, journalists, judges?

WhatsApp confirms Israeli bug snooped on Indians; hacked many activists linked to Bhima-Koregaon case

Agency Report | New Delhi | 31 October, 2019 | 10:50 PM

The government has asked WhatsApp for an explanation on a snowballing snooping scandal after WhatsApp confirmed it had informed several Indian users this week that they had been targeted by Israeli spyware earlier this year in a hacking spree that included journalists, activists, lawyers and senior government officials. The journalists and activists are believed to have been targets of surveillance for a two-week period until May when the national election was held. The users were informed just before WhatsApp's parent company Facebook sued Israeli cybersecurity company NSO on Tuesday, alleging that it used WhatsApp servers to spread malware to 1,400 users across 20 countries. Pegasus, spyware developed by NSO, was used to break into the phones during a two-week period in April. WhatsApp has confirmed that Israeli spyware, called Pegasus, was used by operators to spy on journalists and human rights activists in India. A WhatsApp spokesperson said that WhatsApp was aware of those targeted and had reached out to them, but the Facebook-owned company has declined to reveal the identities and "exact number" of those who were targeted. Of the 1,400 users affected, at least two dozen were academics, lawyers, Dalit activists and journalists in India. WhatsApp had contacted and alerted the targets that they had been under "state-of-the-art surveillance for a two-week period until May 2019." In May, WhatsApp updated the app and launched a probe into how the hack worked and affected people.

After WhatsApp confirmed that Indian human rights activists and journalists were among those targeted by Israeli spyware, a political blame game erupted on Thursday between the Bharatiya Janata Party (BJP) and the Congress, with some leaders demanding a parliamentary probe into the matter.

“Indian users were among those contacted by us this week,” a WhatsApp spokesperson said, without revealing the numbers or names of those affected.

However, some individuals came out on their own on social media and news outlets, revealing they were among those affected by the spyware developed by Israeli cyber intelligence company NSO Group.

The piece of NSO Group software called Pegasus allegedly exploited WhatsApp’s video calling system with installing the spyware via giving missed calls to snoop on 1,400 select users globally.

“Government of India is concerned at the breach of the privacy of citizens of India on the messaging platform Whatsapp. We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” tweeted IT Minister Ravi Shankar Prasad.

“Those trying to make political capital out of it need to be gently reminded about the bugging incident in the office of the then eminent Finance Minister Pranab Mukherjee during UPA regime. Also a gentle reminder of the spying over the then Army Chief Gen. VK Singh,” said Prasad.

“These are instances of breach of privacy of highly reputed individuals, for personal whims and fancies of a family,” he added.

The BJP also dared WhatsApp to reveal the names of those affected.

The WhatsApp Spygate immediately snowballed into a political controversy, with several Congress leaders blaming the BJP of being behind the WhatsApp snooping.

“Modi Govt caught snooping! Appalling but not Surprising! After all, BJP Govt 1. Fought against our right to privacy. 2. Set up a multi-crore Surveillance Structure until stopped by SC. SC must take immediate cognisance & issue notice to BJP Govt,” tweeted Congress Party leader Randeep Singh Surjewala.

Congress leader Jaiveer Shergill tweeted: “1) BJP Govt wanted Aadhar linked with phone 2) objected to right to privacy as a fundamental right; 3) 20/12/2018 issued Notification authorising data snooping 4) WhatsApp snooping thru Israeli Software; Next- cameras in our Homes in name of Rashtravaad? Tricks of Bhrasht Jasoos Party?”

Congress Party spokesperson Sanjay Jha tweeted: “Big Bro is watching, reading and analysing your #WhatsApp message”.

Facebook-owned WhatsApp has already sued NSO Group that exploited its video calling system to snoop on 1,400 select users globally.

Those targeted in India included the human rights activists who were arrested over their alleged involvement in the Bhima-Koregaon Dalit riots near Pune in January last year and some journalists.

Of 1,400 affected users, over 20 are academics, lawyers, Dalit activists and journalists from India.

Sidhant Sibal, who is principal diplomatic and defence correspondent for WIONews, tweeted: “Here is the good news. WhatsApp was able to raise the alarm of hacking and they promptly took measures–Technical & Legal. Having been approached by them, they suggested measures to be safe online.”

According to WhatsApp, the NSO Group used the flaw to hack into users’ smartphones.

“It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world,” the head of WhatsApp, Will Cathcart, wrote in an op-ed published by The Washington Post.

In a statement, NSO Group denied performing any such act, saying it disputed the allegations and vowed to “vigorously fight them.”

In May, WhatsApp urged its 1.5 billion users to upgrade the app after discovering the vulnerability that allowed spyware to be installed on users’ phones via the app’s phone call function.

NSO limits sales of Pegasus to state intelligence agencies and others. The software has the ability to collect intimate data from a target device.

According to experts, the victims of the latest WhatsApp spyware attack may have lost important personal information including location data and email content.

“The bug can be exploited based on a decades-old type of vulnerability – a buffer overflow,” Carl Leonard, Principal Security Analyst at cybersecurity company Forcepoint, said.

“One could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information,” Leonard added.

As WhatsApp snooping of human rights activists and journalists in India reached political corridors, an RTI reply revealed that the Indian government flatly denied either purchasing or planning to purchase the infamous software in question developed by Israeli cyber intelligence company NSO Group.

In a reply to an RTI plea filed on October 23 which asked whether the Indian government has purchased or given purchase order for the software called Pegasus from the NSO Group, the Ministry of Home Affairs replied on October 31: “Please refer to your online RTI application dated 23.10.2019 received by the undersigned CPIO on 24.10.2019. It is informed that no such information is available with the undersigned CPIO.”

“An appeal, if any, against this reply can be made within 30 days,” the MHA reply added.

Significantly, the reply came on the day when the WhatsApp spygate drove both the BJP and the Congress leaders into heated arguments over various social media platforms.

IT Minister Ravi Shankar Prasad joined the debate, saying the government is concerned at the breach of the privacy of citizens of India on the messaging platform WhatsApp and has asked the platform to explain the breach.

The country went berserk after WhatsApp confirmed that Indian human rights activists and journalists were among those targeted by the Israeli spyware Pegasus.

The Home Ministry issued a separate statement on the WhatsApp controversy: “Some statements have appeared based on reports in the media, regarding breach of privacy of Indian citizens on WhatsApp. These attempts to malign the Government of India for the reported breach are completely misleading.

“The Government of India is committed to protecting the fundamental rights of citizens, including the right to privacy; and will take strict action against any intermediary responsible for breach of privacy.”

Pegasus spyware can be installed on devices as “exploit links”.

Upon clicking on the link, Pegasus secretly enables a jailbreak on the device and can read text messages, track calls, collect passwords, trace the phone location, as well as gather information from apps including (but not limited to) iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype.

According to cybersecurity experts, the victims of the latest WhatsApp spyware attack may have lost important personal information including location data and email content.

“The bug can be exploited based on a decades-old type of vulnerability – a buffer overflow,” Carl Leonard, Principal Security Analyst at cybersecurity company Forcepoint, said.

“One could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information,” Leonard added.

In the wake of reports of snooping of some Indians by an Israeli agency, the Congress accused the government of being behind it and demanded an investigation monitored by the Supreme Court.

Congress chief spokesperson Randeep Surjewala said his party suspects that even judges of the Supreme Court and High Courts, besides many opposition leaders, have been snooped upon.

“We suspect that many opposition leaders and judges of the Supreme Court and High Courts are in this list,” Surjewala said.

He said the government should tell which agency of the Government of India has purchased and deployed the ‘Pegasus’ surveillance software and who have authorised them to do so NSA or PMO?

“We urge the Supreme Court to take suo moto cognizance of this brazen and blatant illegal hacking of telephones and introduction of the spyware by the BJP government agencies and conduct a court-monitored inquiry,” the Congress spokesperson said.

Referring to Telecom Minister Ravi Shankar Prasad’s tweet in which he said WhatsApp has been asked to “explain” snooping, Surjewala said, this is “pot calling the cattle black”.

“The ‘Right to Privacy’ of the citizens has been an anathema to the majoritarian BJP government. Over the last five years, the BJP government has done everything to crush the right of citizens, including every dissenting voice. It is time to remind the nation that the present BJP government opposed the “Right to Privacy’ to be read as part of the fundamental rights,” Surjewala said.

He said the BJP government “in fact argued that no Indian should have a ‘Right to Privacy’ until the Supreme Court overruled and declared ‘Right to Privacy’ as a fundamental right. BJP government also sought to place a ‘multi-crore surveillance structure’ until its designs were stopped by the intervention of the Supreme Court.” (IANS)