WhatsApp has revealed that at least two dozen academics, lawyers, Dalit activists, and journalists in India were the target of surveillance by threat operators using security firm NSO Group’s Pegasus spyware.
The revelations, reported by news outlet Indian Express, come as the Facebook-owned messaging service filed a lawsuit against the Israeli company for helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists, and senior government officials.
“Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” a WhatsApp spokesperson was quoted as saying to the publication.
In May 2019, WhatsApp stopped a sophisticated cyberattack that exploited its video calling system to deliver Pegasus malware surreptitiously. In the lawsuit filed yesterday, the company alleges NSO Group of weaponizing the vulnerability to turn the devices into secret eavesdropping tools to surveil persons of interest.
After a six-month long investigation, the company began sending specially crafted messages to approximately 1,400 users that it believes were impacted by the campaign and provided help to defend themselves from such attacks in the future.
NSO Group, which refuted WhatsApp‘s accusations, has consistently maintained its technology is offered only to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crimes.
But numerous instances to the contrary have surfaced in recent months, what with Pegasus being employed by repressive governments around the world such as Morocco, Rwanda, and Saudi Arabia to target journalists and human rights advocates. So far, the Indian government has neither confirmed nor denied using the spyware.
Back in September 2018, University of Toronto’s Citizen Lab disclosed as many as 36 NSO Group customers who were involved in targeted surveillance operations across 45 countries. The infections in India were traced back to an operator it called “Ganges,” their covert operations directed against popular cellular carriers and ISPs such as Bharti Airtel, MTNL, and Hathway.
If anything, the development is another reminder that technology companies should never be required to intentionally weaken their security systems via backdoors.
“The mobile phone is the primary computer for billions of people around the world,” WhatsApp head Will Cathcart wrote in The Washington Post yesterday. “It is how we have our most private conversations and where we store our most sensitive information. Governments and companies need to do more to protect vulnerable groups and individuals from these attacks.”
Update on Nov. 1 3:30 PM IST: After the Indian government sought an explanation from WhatsApp to explain the nature of the privacy breach on its messaging platform impacting about 121 users in the country, WhatsApp provided us the following statement —
Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable. We agree with the government of India it’s critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide.