“Business only with governments”. These 4 words describe the debate on the use of the spyware Pegasus in India to spy on judges, political leaders, students, civil servants, journalists, civil rights activists, and businesspersons. This statement of 4 words follows a previous statement by the makers of this spyware malware NSO,
Simultaneously, the NSO Groups have separated themselves from the real use of which the spyware was placed by its “clients”, that is the government. There may be instances that some governments who were NSO Group’s clients have misused the spyware.
How It All Started?
In 2019, a tech reporter from New York City captured an interception device that was displayed at Milipol, which is a trade show in Paris that happens on homeland securities. The NSO Group and the exhibitor kept the hardware at the back of a van, which may have suggested the ease of portability and asserted that this hardware will not work on the phone numbers of the US may be because of a self imposed restriction by the firm.
Since the foundation of the Israeli cyber giant in 2010, it was probably the very first time a portal made by the NSO group BTS (Base Transceiver Station) was shown on a media report.
A BTS, or “rouge cell tower”, or “stingray”, or “IMSI Catcher”, replicates authentic cellular towers and enables mobile phones within a specified range to connect to it, so that the traffic that has been intercepted can be easily manipulated by the attackers. The BTS that was photographed in 2019 constituted horizontally stacked cards, which is likely to enable interceptions over various frequency bands.
Other than that there are options, one of which includes leverage access to the mobile operator of the target itself. In that case, there is no need for an attacker to use a rogue cell tower but they would have to depend on the regular network infrastructure for their data manipulation.
In either way, the capability of launching “network injection” attacks which are performed remotely without any engagement of the target or any knowledge provides Pegasus a unique edge thus making it a flagship product of NSO Group.
The new breakout of Pegasus in India has made it a center of a worldwide collaborative investigation project which has found that the spyware was targeting hundreds of cell phones in India which included the cell phones of journalists, opponent polity party leaders, civil activists, judges, etc.
There are questions that arise in the Indian context. Let us have a look at those questions.
- Does NSO’s client include the Government Of India or one of its agencies?
This is a very simple question whose answer can be in either Yes or No, having said that NSO has assured that it sells this spyware only to government or intelligence agencies. But the Indian government has refused to answer this question in a forward manner. As the government refuses to answer this question clearly, suspicion increases with each passing day.
- If we consider that the government is not their client, then the next question that arises is who is their client?
The government, on denying the fact that they are NSO’s clients, triggers the next question, then who is it? The government would then revert back saying “I don’t know”, then the next question that is bound to arise is “Aren’t you anxious to know who the Indian client is?” The government does not know how to answer the above-mentioned questions, because whenever it does, a chain of other questions follows it that the governing body is not ready to answer.
- If the Indian government or its agencies was one of the NSO’s clients, then when did it begin using the spyware?
If the government was confident about not being involved in this Pegasus project then they would have surely said a clear “No” and then they would not have to face the later questions. But it did not say anything clearly and that increased the suspicion.
How Does Pegasus Vary From Other Spyware?
Was built by the veterans of the Israeli Intelligence Agencies.
Until the beginning of 2018, the clients of NSO Group generally relied on WhatsApp messages and SMS to trick targets into clicking and then opening a malicious link that would infect their mobile with malware and the attacker would get access to all their information. A Pegasus brochure defined this as ESEM (Enhanced Social Engineering Message). When a malicious link filled as ESEM is opened the phone is redirected to a server that checks the operating system and transfers a remote exploit that is suitable.
Amnesty International, in its 2019 October report first documented the use of “network injection” which allowed the attackers to install Pegasus spyware without the need of any interaction or connection with the target or the victim. Pegasus is ready to achieve such zero-click installation in different ways. Among them, one is the Over The Air (OTA) option which sends a push message secretly that allows the device of the target to load the spyware, and the target doesn’t even know about it and they will not have any control as well to stop the installation.
This, a Pegasus brochure brags, is the uniqueness of NSO Group which properly differentiates the Pegasus solutions compared to other spyware that is available in the market.
What Information Can Be Compromised?
Since the news of Pegasus in India broke out, many were wondering what information that is vulnerable? Once the phone is infected, it becomes a digital spy under the complete control of the attackers. When it is installed in the device, Pegasus contacts the Command and Control (C&C) server of the attacker to receive and implement instructions and revert back the private data of the target which includes contact lists, passwords, text messages, calendar events, and live voice calls. The attacker has the potential to control the phone’s microphone and the camera and also use the GPS function for tracking the target.
To avoid consumption of high bandwidth which may alert the target, Pegasus transfers only scheduled updates to a C&C server. This spyware is formulated to get into the forensic analysis, avoid any detection by the anti virus software, and can be removed and deactivated by the attacker if and when required.
Why Is Pegasus In India An Alarming Notice For Americans?
Under a collaboration known as the Pegasus Project, 17 media houses around the globe have recently released alarming data about the way few governments have used this spyware that has been made in Israel by Pegasus NSO Group to sneak into perceived adversaries.
This Pegasus spyware is known as a weapon to be used against terrorists and criminals. But Pegasus in India showed a different dimension altogether. It was allegedly used in India to spy over opponent political leaders, judges, students, journalists, and many more. While all the proofs are towards the Indian Government, it has completely denied all the charges.
This unraveling of the Indian democracy stands as an important lesson for the people of the United States., especially with the current revelations revolving around former President Donald Trump’s last few days in office and his Republican Party’s reluctance to hold him accountable.
India Vs Other Nations
The reaction of the BJP government to the Pegasus Project remains in blunt contrast to the reaction of a hard-wired democracy like that of Israel, a questionable democracy like Hungary, and a liberal democracy like that of France.
France considered serious exception to this allegation where the President Emmanuel MAcron announced an emergency security meeting, which was declared for an array of investigation, had a talk with the Prime Minister Naftali Bennett, and he convinced him that the conclusion of the enquiry that was ordered by Israel will be shared with him. Soon later, the Defence Minister of Israel, Benny Gantz flew to France to ensure peace with France.
A review was ordered by Israel by the National Security Council of the allegations that were made against the NSO Group. The start of the investigation was made by the Israel government officials visiting the offices of the NSO Group.
In Hungary the Justice Minister asserted that there is a requirement of such a tool by every country but refused to comment on the Pegasus spyware. Opposition leaders, journalists, mayors, and students were among those whose phones had been infiltrated. Strong demands were raised for the resignation of the government.
In India, the government refused any sort of investigation and also denied a debate in the parliament. The MPs of the BJP Party refused to sign the register for attendance at a meeting of the parliamentary committee and stopped any further proceedings.
Sandes Launched Despite The Attack Of Pegasus In India
Despite the controversy regarding the attack of Pegasus in India, the Indian Government has launched an instant messaging platform known as the Sandes. This app has been launched in both Apple App Store and Google Play Store recently but was available for central government employees from August 2020 when it was first launched by the NIC (National Informatics Center).
Sandes is similar to any other instant messaging application and anyone can register themselves to use it with their email id or mobile number. Presently it is being availed by employees and agencies that are directly linked to the government.
While speaking about the launch of Sandesh, Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology of India, Rajeev Chandrasekhar asserted,
This application has similar features such as group and one-to-one messaging, sharing of media and files, audio and video calls, and also an integration of e governance application. Even though there is no transfer option of chat history from Sandes or other applications or vice versa, the chats can be backed up in the email of the user.
Pegasus in India is a hot debate now. So to safeguard yourself you will have to maintain acute cyber hygiene. But when Pegasus uses a vulnerability in the target’s operating system of the phone, there is nothing that can be done to stop the “network injection”. The malware will get installed on your phone.