NAGPUR/NEW DELHI — Lawyers defending the human rights activists arrested under the controversial Bhima Koregaon case have confirmed that their phones were targeted by Pegasus, a controversial WhatsApp snooping software developed by Israeli company NSO Group.
The NSO Group has maintained that the Pegasus software is only sold to government agencies around the world. Pegasus garnered international attention in 2018 when a spate of lawsuits against NSO alleged that the company’s software was used to target journalists and activists across the world, including journalist Jamal Khashoggi, who was murdered on the premises of the Embassy of Saudi Arabia in Istanbul, Turkey.
The revelation that Indian security agencies are spying on citizens without any warrants or oversight is significant in itself, but the use of Pegasus in the Bhima Koregaon case is particularly troubling as much of the evidence produced by the security agencies pertains to files ostensibly obtained from the computers and phones of the accused, who have been charged with waging war against the state.
In June 2018, the Pune police launched a series of country-wide raids targeted at lawyers and human rights defenders involved in fighting politically-charged legal cases involving Dalit issues, adivasi rights, and those accused of supporting the banned Communist Party of India (Maoist).
India’s ruling Bharatiya Janata Party (BJP), and their supporters in the Indian media, quickly leveraged the raids to raise the bogey of “Urban Naxals” in an attempt to silence anyone criticising the ruling party. Naxal is another term used to describe Maoist cadres.
In court, the Pune police produced ostensibly incriminating correspondence that they claimed was drawn from the computers of these activists. Now, lawyers representing the accused say the Pegasus hack proves that this correspondence was planted on their computers.
“We have consistently been saying that many of the so-called ‘letters’ obtained by the police have been planted on the hard-drives of activists,” said Nagpur-based lawyer Nihalsingh Rathod, who represents several of the accused including celebrated Dalit lawyer Surendra Gadling. “Now it is clear just how they planted these files on Mr. Gadling’s computer.”
Rathod worked closely with Gadling as his junior associate at the time Gadling was arrested. Since Gadling’s arrest, Rathod has taken up his case.
Rathod told HuffPost India he learnt he was a target when he was contacted by a researcher from the University of Toronto’s Citizen Lab on October 7 2019.
“The researcher told me that he suspected that my phone had been targeted by malware and compromised,” Rathod told HuffPost India. “The researcher didn’t tell me that the malware was sold exclusively to national governments, and so I did not suspect that the Indian government was behind the attack.”
Soon after his call with Citizen Lab, Rathod received a generic message from WhatsApp’s business account stating, “In May we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices. There is a possibility this phone was impacted, and we want to make sure you know how to keep your mobile secure.”
The message instructed Rathod to upgrade to the latest version of WhatsApp and to keep his phone’s operating system up to date.
“I thought this was a routine malware problem, so I did not pay much attention,” Rathod said.
On October 29, Facebook — which owns WhatsApp — filed a lawsuit against the NSO Group, alleging that NSO’s Pegasus software had been used to target over 1,400 WhatsApp users around the globe. Then, on October 31 2019, The Indian Express reported that Indian journalists and Dalit activists were amongst those targeted.“When I read the Express article, I was shocked to learn the software had only been licensed to government agencies,” Rathod said.
“Before his arrest, similar things happened to Surendra Gadling’s phone and computer. He asked me about it. I thought it was just spam.”
Rathod said he was now planning legal action against the Indian state.
“We have always maintained that the letters police claim to have found on Gadling’s computer were planted,” Rathod said. “As defenders of human rights and the constitution, we feel helpless and hopeless.”
Video Call And Email Hack
In December 2017, six months before Surendra Gadling was arrested, Rathod said that he began receiving video calls from unknown international numbers. Gadling received similar messages, Rathod said, suggesting that Indian police and intelligence agencies had begun snooping on Gadling before he was arrested.
“When I tried to pick up the call, it would suddenly become a video group call, and then disconnect,” Rathod said. “I tried contacting WhatsApp but got no response.”
In March 2019, Rathod finally filed a complaint withWhatsApp, which could explain how Facebook and Citizen Lab came to contact him.
WhatsApp has confirmed that the Pegasus software exploited a vulnerability inWhatsApp’s voice calling software. The vulnerability, WhatsApp has said, has since been fixed.
Yet Rathod said he was also subjected to spear-phishing attacks, where he received emails with attachments that contained malicious software.
“I received emails that looked like reports on police encounters, but when I opened the attachments, they would turn out to be empty,” Rathod said. “Now I realise, this malware could have been used to gain access to our computers.”
What is Pegasus?
Pegasus is a tool, designed by Israeli cyber-group NSO, to give an attacker complete control over the victim’s mobile device. It has been deployed many times around the world, and can be spread through a link in a chat, or through an attachment with an email.
Earlier this year, Whatsapp found it was also possible to infect a device with Pegasus by simply sending a missed call through WhatsApp.
The Citizen Lab, an academic research group based at the University of Toronto’s Munk School, noted that WhatsApp is publicly attributing the attack to NSO Group, an Israeli spyware developer that also goes by the name Q Cyber Technologies.
Citizen Lab noted:
As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses.
NSO Group claims it sells its spyware strictly to government clients only, and all of its exports are undertaken in accordance with Israeli government export laws and oversight mechanisms. However, the number of cases in which their technology is used to target members of civil society continues to grow.
Pegasus is NSO Group’s flagship spyware tool, and it can infiltrate both iPhones and Android phones.
According to Citizen Lab, once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, and use the GPS function to track a target’s location and movements.
That means every account you have is compromised; everyone you know is now known to your attacker, and every call, text message, or chat, can be read.
Your phone can be used to watch what’s going on, and listen in on your conversations, as they’re taking place, without your knowing about it.
Citizen Lab senior researcher John Scott-Railton noted that once downloaded onto a phone (via a website link in a text message or email), the software can do anything that users can do, including read text messages, turn on the camera and microphone, add and remove files, and manipulate data.
In its litigation, WhatsApp gives more details. “Pegasus and its variants,” it noted, “were designed to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating systems. In order to enable Pegasus’ remote installation, [NSO Group] exploited vulnerabilities in operating systems and applications (e.g. CVE-2016-4657) and used other malware delivery methods, like spearfishing messages containing links to malicious code.”
In 2017, the wife of a murdered Mexican journalist was sent alarming text messages concerning her husband’s murder, designed to trick her into clicking on a link and infecting her phone with the Pegasus spyware. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada with a fake package notification, resulting in the infection of his iPhone. Citizen Lab has tracked more than two dozen cases using similar techniques.
WhatsApp has filed a case against NSO for breaching its terms of service by using the messaging platform to spread spyware — but if all our conversations on WhatsApp (and other apps like Signal) are “end-to-end” encrypted, why does this matter? Shouldn’t everything they receive be unreadable?
That would be the case if Pegasus was intercepting communication between people — but what it does instead is take over one of the “ends” of the conversation; so it can read the messages after they’re decrypted on your phone.
“We have not yet been able to write software that doesn’t have bugs or flaws,” said Joseph Hall, SVP for a Strong Internet, Internet Society told Science X, a leading web-based science, research and technology news service.
The intrusion at WhatsApp “wasn’t an attack on encryption, it was an attack on another element of the application” Marc Lueck of the security firm Zscaler said in the same article.
“End to end encryption does nothing to protect against attacks on your endpoint, true. And seatbelts and airbags do nothing to prevent your car from being hit by a meteorite,” tweeted Matt Blaze, a Georgetown University computer security expert. “While neither protects against every possible harm, they both remain the most effective defenses against very common harm.”