Home ministry sources say there are fears that international lobbies might have been involved in spying, to create a narrative around Indian governance as well as the economy.
Neha Alawadhi & Karan Choudhury report.
Photograph: Dado Ruvic/Illustration/Reuters
The government is exploring options to assess the extent of the impact caused by NSO Group’s spyware on Indian individuals even as home ministry sources said there are fears that international lobbies might have been involved in spying.
These lobbies, the ministry says, are trying to create a narrative around Indian governance as well as the economy.
“We have been investigating the spying allegations for some time and are trying to understand the extent of the damage done. We are also looking at lobby groups active in India to figure out if they were involved in this and why, and come out with a report soon on this issue,” said a senior official looking into the investigation.
WhatsApp said on October 29 it was filing a federal complaint in the United States against Israeli technology firm NSO Group for a cyber-attack that exploited a vulnerability in the chat app’s video-calling feature, which could compromise the target person’s device. According to reports, 121 Indians were also affected in the breach.
The breach was first reported in May this year but gathered steam in India after WhatsApp’s complaint and activists and journalists saying they received communication from Toronto-based Citizen Lab, which helped WhatsApp’s investigation of the breach.
Sources said some other investigative agencies including the National Investigation Agency might be involved at a later stage. However, no such decision has been taken yet in this regard.
While NSO has maintained it sells only to governments, the India has so far not categorically accepted or denied buying NSO software by either the Centre, states, or government agencies. WhatsApp has said it will cooperate with the government to “do all we can to protect users from hackers attempting to weaken security”.
Collateral damage to WhatsApp Pay?
Facebook-owned WhatsApp has been keen to launch its payments service in India for over a year. Last week, during its quarterly earning call, Facebook Chief Executive Officer Mark Zuckerberg said the company would launch the payments feature in India soon.
Payments through WhatsApp were introduced to a test group of a million users in February last year. The service is based on the Unified Payments Interface standard, which has been developed by National Payments Corporation of India.
A senior official of NPCI did not comment on whether the issue would impact WhatsApp Pay’s prospects in India. “It is too early to jump to any conclusion. But safety of platforms that seek to provide payment services will be cause for concern,” said an official at the ministry of electronics and information technology. The NSO breach has sparked fears that the UPI apparatus might get jeopardised through WhatsApp.
Government sources said WhatsApp withheld information from the government after the May revelations of a spyware targeting Indian users. They cited WhatsApp’s information on the issue given to the Computer Emergency Response Team-India, saying it was a “communication in pure technical jargon without any mention of Pegasus or the extent of breach”.
Social media users pointed out the agency should have followed up on the vulnerability reported on its own website. Pegasus is the name of the software that is sold by NSO Group.
The CERT-In is the “national nodal agency for responding to computer security incidents as and when they occur,” according to the IT ministry website. However, the agency’s role has become more like an advisory that a pre-emptive response organisation.
“Organisations that are cyber-attacked are required to report to CERT-In. However, it is understood that the victim organisations have not received any feedback from CERT-In on the breaches they have reported. CERT has to re-invent its role in helping organisations learn how to cope with such attacks,” said Kamlesh Bajaj, founder director of CERT-In.
“The Pegasus-WhatsApp breach has made it clear that devices can be broken into and even end-to end encryption can be circumvented. CERT should be aware that platforms will be exploited. They should work directly with vendors like Microsoft, Google, and Facebook whose platforms get hacked or impacted,” he said.
