WhatsApp users were targeted for surveillance using spying software supplied by the Israeli company NSO Group. Photo: Courtesy Maxpixel.net

In the middle of October this year, the world’s biggest messaging platform, WhatsApp, started sending out alerts to select users advising them that their security had been compromised. The messages were sent after security researchers found that an Israeli company had been supplying spying software that specifically targeted WhatsApp users.

Once the targeted device is hacked through WhatsApp, it makes all the data on the phone available to the spies. Everything on the phone, be it email or other messaging platforms or photographs and documents, can then be easily accessed by the spy agency using the Israeli spyware. For WhatsApp, which features end-to-end encryption, the hack was a devastating blow to the security of its users.

In an uncharacteristic opinion piece in The Washington Post published last week, Will Cathcart, the head of WhatsApp, wrote about this massive attack on the platform.

“In May, WhatsApp announced that we had detected and blocked a new kind of cyberattack involving a vulnerability in our video-calling feature. A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call,” Cathcart wrote.

The article was released as soon as WhatsApp, which is owned by Facebook, filed a complaint against the Israeli company, NSO Group, in a US federal court. The petition, which has been seen by Asia Times, reveals the extent to which the spyware supplied by NSO Group has been used globally. Interestingly, the spying software’s code has special clauses that limit its ability to target American and Israeli citizens, according to the petition filed in the US federal court.

The shock waves being felt across the world continue to intensify as more names of people who were targeted are revealed.

A spyware called Pegasus

From August 2016, The Citizen Lab, part of the Munk School for Global Affairs at the University of Toronto, Canada, was tracking the deployment of spying software by NSO Group. They scanned the internet looking for servers that left behind traces of the spying software. By August 2018, they had found that citizens and networks in 45 countries had been targeted by this particular spying software from NSO Group.

In a detailed report published earlier this year, Citizen Lab detailed how it found the spyware and identified who the possible targets were. They were confident enough to identify the spyware by its name – Pegasus, also known as Q Suite.

Not since the revelations made by National Security Agency (NSA) contractor Edward Snowden has anything created such a furor over citizens being targeted for surveillance. Big tech companies like Facebook are wary of being targeted and scaring users off their platforms. “That is why Facebook decided to push back this time,” a US-based senior company official told Asia Times. “Big tech companies are no longer willing to accede to government agencies for surveillance.”

Screenshot from The Citizen Lab report shows how the Pegasus malware could extract all kinds of information from the device. Photo: Courtesy The Citizen Lab

Pegasus is different from normal phone or physical surveillance because it offers complete and irreversible control of the target’s phone. As the contract that NSO Group signed with the government of Ghana indicates, the spyware can even survive a factory reset of the phone, in the case of those using Google’s Android operating system. Put simply, the capabilities of Pegasus are so advanced that it allows surveillance of the target’s thoughts as soon as they start typing.

However, that is not the end of it. The key-logger built into the spyware saves the usernames and passwords of other sensitive accounts operating from the infected device. This allows for the sending of emails and even the planting of false evidence in the target’s Google account. Ironically, this gives a target infected by Pegasus an opportunity to claim that any evidence used against them by law enforcement agencies is “fabricated.” This ends up defeating the very purpose for which the company claims Pegasus was created.

The contract that NSO Group signed with Ghana offers further insights into how the surveillance operation works. It involves rack-mounted storage arrays of massive capacity that rain into petabytes. They also had dedicated routers and switches for moving data, data processing servers, an SMS gateway and modems. It also facilitated functional cellular network connections at a strength of -95 dBm. The set-up would also have symmetric ATM lines and fiberoptic connections to ensure dedicated high-speed connectivity. Each operator network deploying Pegasus had two anonymous SIM cards to attack their targets through WhatsApp.

The full hardware cost was $8 million and the annual service contract was for $ 1.76-million.

The contract clearly shows that it is a tripartite agreement between NSO Group, the end-user, which is usually a government intelligence agency, and a local systems integrator. This model opens the surveillance engine to third parties, which creates more potential for abuse. From the documents, it is also clear that government agencies that used Pegasus did not have full control over how this data was stored and accessed by NSO Group.

The targets

The United States, India, Canada, Saudi Arabia, Singapore, Thailand, the United Kingdom, Ghana, Brazil, Kuwait and Pakistan are among a host of countries whose citizens were targeted by Pegasus.

In December last year, it was revealed that Pegasus had also helped Saudi assassins to target Saudi journalist Jamaal Khashoggi. A critic of Crown Prince Mohammed bin Salman, Khashoggi, a columnist for The Washington Post, was lured into the Saudi Arabian consulate in Istanbul in October 2018. Once inside, he was tortured, killed and dismembered with a bone saw.

In India, targets included well-known scholars like Dr Bela Bhatia, who is working to advance tribal rights, and lawyers representing other human rights defenders in courts in the western state of Maharashtra. It also included teachers and scholars from Delhi University and at least one former minister for civil aviation in the previous government.

“WhatsApp reached out to all these people and informed them after we had found evidence that they had been targeted. We saw outlier user behavior and saw their data was being compromised. So we worked with third-party experts like The Citizen Lab to trace the attackers and their victims,” a senior WhatsApp representative said.

Much of their findings go against claims made by NSO Group’s main promoters.

Novalpina Capital, which owns NSO Group, issued a detailed public statement in response to several open letters from The Citizen Lab and Amnesty International after the scandal came to light.

Screenshot of the targets of Pegasus spying software detected by Citizen Lab. Photo: Courtesy The Citizen Lab

In a public statement, Novalpina Capital stressed that it had ensured there was no misuse of its spying software. “The company’s technology is designed in such a way that it can only be deployed by an intelligence or law enforcement agency to whom the technology is sold under license. NSO has no involvement whatsoever in any end-user agency’s tactical deployment decisions,” it said.

But mounting evidence backed by technical specifications has now proved beyond doubt that many citizens were being targeted across the world. Researchers found that in Mexico in 2017 lawyers, journalists and even a child were targeted by the NSO spyware. In August 2016, a UAE-based activist, Ahmed Mansoor, was also targeted.

It was also revealed that NSO Group helped set up fake domains on the internet to lure the targets. Once they clicked on these fake domains, the spying software would be installed on their device, enabling state agencies to monitor all their online activities round the clock.

Failure to protect citizens

Surveillance laws in many countries strictly regulate how people are targeted. In a country like India, surveillance is allowed under very exceptional circumstances. An Indian Supreme Court order from December 1996 ensures several checks and balances in the system to prevent the misuse of surveillance.

Inquiries made by Asia Times reveal that at least one federal intelligence agency that concentrates on generating intelligence from every state was one of the buyers of the Pegasus spying software. However, how and why this was deployed, and how the targets were chosen, is yet to be ascertained.

Spying software such as Pegasus helps state agencies to easily circumvent these established protocols. For instance, since there is no requirement to contact the internet service provider or the cellphone company, it has unfettered access to targeted individuals.

The reaction from the Indian government after this was revealed led to claims and counter-claims. The union minister for telecommunications and information technology, Ravishankar Prasad, claimed on Twitter that officials were never informed about this by WhatsApp. However, it was quickly revealed that not only was the Indian government informed, it was actually informed twice.

In May 2019, WhatsApp sent a detailed report to the Computer Emergency Response Team-India (CERT-IN), the nodal body for such cyberattack cases.

The mission of CERT-IN is to be the “national nodal agency for responding to computer security incidents as and when they occur.” It is also responsible for collection, analysis and dissemination of cyber incidents and regularly publishes information on CVEs (common vulnerabilities and exposures). Given that it is now established beyond doubt that it was informed by WhatsApp that it was indeed possible to infect devices via a video call, senior government officials told journalists off the record that the report was “technical jargon.”

However, this was also called out as details of the full report show links to media reports that explained in plain language what had happened. It seems no one on CERT-IN actually read the report. In September this year, WhatsApp again alerted the Indian government and shared the fact that 121 Indians had been targeted. Once again, this was ignored by the Indian government.

A review of the tender documents put out by CERT-IN point to a potential and immediate cause, the lack of money (about US$8,000) is allocated to security research annually. This is limited to buying forensic tools. In contrast, Citizen Labs receives substantial funding from various donor organizations and has built substantial expertise over the years to track surveillance software.

Also read: Cyberattack scare dogs India’s nuclear plants

Leave a comment