Pegasus spyware and Kudankulam breach

Union Minister Ravi Shankar Prasad looked outraged as he declared that the government had sought WhatsApp, owned by Facebook, to explain the breach. The Indian Express in the morning had reported that Indian journalists, lawyers and Human Rights activists had been victims of surveillance, presumably by government agencies.

This came to light when WhatsApp sued the NSO Group, which developed the spyware Pegasus to plant malware in smartphones. WhatsApp had first learnt of the malware in May this year, said Facebook which owns WhatsApp, after being alerted by Citizen Lab in Canada. Investigations had proven that the malware had affected at least 1,400 WhatsApp users across 45 countries, including India.

When WhatsApp reacted to Prasad’s outburst by pointing out that it had alerted the Government of India in May, the government spokesmen claimed that the alert was too technical and too full of jargon to be taken seriously. This was followed by WhatsApp replying that it had alerted the Indian government in September as well and had indicated that it had found 121 users in India to have been snooped upon by the spyware.

While the government and WhatsApp engage in a war of words, National Security Adviser Ajit Doval has not uttered a single word on the controversy. The NSA may not be an expert on cyber security but his conspicuous silence on the issue has been baffling. This is not only because of his close relations with both Isreali establishment as well as several kingdoms in the Middle East, which seem to be in the middle of this emerging global scandal.

The NSA’s silence is also baffling because of the successful hacking of the Kudankulam Nuclear Power Plant and the clumsy cover-up by the government. As reports surfaced about the hacking in the media, Nuclear Power Corporation Limited (NPCIL) first issued a denial. On the very next day, however, NPCL took a U-turn and admitted the breach while downplaying it by claiming that the breach had occurred in a stand-alone computer on the administrative side.

The incident prompted The Washington Post to carry an expert opinion that India may not be quite awake to the threats posed by cyber security.

What is also significant is that none of the victims of surveillance by WhatsApp, in India at least, seem to be from the establishment. On the contrary, they all seem to be critics of the government and people who have been fighting government policies. There is no explanation yet on who else but government agencies could have been interested in hacking their phones.

Even more significant is that international media have been reporting on the threat posed by spyware Pegasus since at least 2016 when Wired.com reported, “These days it seems like every government has a far-reaching and well-developed digital surveillance operation, complete with defence, international espionage and offensive components. Smaller nations even join spy alliances to pool resources. But there are still many nation-states that for various reasons prefer not to handle their cyber intelligence development in-house. So, they do what we all do when we need software: they buy it from a vendor.”

The portal named the NSO Group and mentioned that its clientele comprised largely governments. The spyware, the report warned, could even hack through Apple’s iPhones and the malware Pegasus, once placed in the device, could ‘surveil virtually anything, relaying phone calls, messages, emails, calendar data, contacts, keystrokes, audio and video feeds, and much more back to servers anywhere in the world.

The very next year, in 2017, The New York Times reported that the Mexican government had used the spyware to target some of the most outspoken critics of the then Mexican President.

In 2018, NYT published results of an investigation and reported that the NSO Group had sought to impress the United Arab Emirates (UAE), a prospective client, by offering pricey updates and demonstrating the capability of Pegasus by hacking the phone of a ‘powerful’ Saudi Prince and the editor of a London-based Arab newspaper.

Following the brutal and cold-blooded murder of Saudi dissident Jamal Khashoggi in the Saudi Consulate in Istanbul last year, a friend of Khashoggi filed a lawsuit charging the Israeli software company of helping Saudi royalty to track Khashoggi by taking over his smartphone.

The lawsuit, filed in Israel by the Montreal-based Saudi dissident Omar Abdulaziz, followed similar suits filed by journalists, activists and others charging that the NSO Group helped governments of Mexico and the UAE spy on their smartphones even when individuals had no criminal records and posed no threat of violence.

There have clearly been enough signals in the past few years to alert the Government of India to the possibility of not just compromising the safety and privacy of citizens but also of vital installations.

Pegasus, the spyware, does not come cheap and costs millions of dollars in licensing fees, installation and maintenance. Possibly that is the reason why the software is primarily sold to governments.

Two years ago, a disgruntled employee had copied the software and offered to sell it on the Internet for a whopping $50 million or approximately Rs 350 crore.

But using the spyware is not only illegal under Indian laws, even by the government, but buying it directly could well leave a money trail that the government may not be able to hide. That could have been a strong enough reason for government agencies to have desisted from buying the software. But nobody is sure.

The possibility of the government facilitating the purchase of the software by third parties, say private industry, has not been ruled out. Such industrial entity or entities could then use the software to not only snoop on their competitors and rivals in the market but also help government agencies, as and when required, to snoop on political adversaries and critics.

Our digitised brave, new world faces serious cyber threats. But the government and India’s Computer Emergency Response Team (CERT-IN) are yet to inspire much confidence in their ability to cope with such threats.

Earlier this year in yet another chilling report, the New York Times provided a grim picture of what is now widespread as digital espionage.

“Today even the smallest countries can buy digital espionage services…corporations that want to scrutinise competitors’ secrets, or a wealthy individual with a beef against a rival, can also command intelligence operations for a price, akin to purchasing off-the-shelf elements of the National Security Agency or the Mossad,” the report stated.

It went on to add, “The Middle East is the epicentre of this new era of privatised spying. Besides DarkMatter and NSO, there is Black Cube, a private company run by former Mossad and Israeli military intelligence operatives…and Psy-Group, an Israeli company specialising in social media manipulation…”.

It is, therefore, intriguing that the Indian NSA hasn’t yet spoken on the threats or tried to reassure the country that the government has zero tolerance to snooping.