Saturday, May 4, 2024

Proof of govt spying? ‘State-sponsored’ cyberattacks & what Apple alerts to Indian Oppn leaders mean

Several prominent Oppn politicians have claimed to receive alerts about possible ‘state-sponsored’ attacks on their Apple devices. Union govt has said it will investigate the allegations.


New Delhi: A false alarm or an attack with an “impossible-to-prove” origin — the jury is still out on the alerts sent out by tech major Apple to Indian Opposition leaders about possible “state-sponsored” attacks on their devices, but the timing has struck some experts as suspicious.

From the Trinamool Congress’ Mahua Moitra to the Congress’ Shashi Tharoor, and Priyanka Chaturvedi of the Shiv Sena (Uddhav Balasaheb Thackeray), several prominent Opposition politicians Tuesday said they had received the aforementioned warning from US-headquartered Apple. The Union government has said it will investigate the allegations.

In a clarification, Apple said it does “not attribute the threat notifications to any specific state-sponsored attacker”, while stressing that state-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time.

“Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected,” it added. 

“We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behaviour to evade detection in the future.”

On its website, the company states that the threat notifications are designed to “inform and assist users who may have been targeted by state-sponsored attackers”.

Apple says it has so far sent such threat notifications to individuals in nearly 150 countries.

This is not the first time the threat of cyberattacks allegedly conducted by the government has reared its head — in 2021, a global media expose had alleged that high-grade Israeli spyware Pegasus was deployed to target prominent figures across several countries, including India.

The Modi government has said it will investigate these allegations. Questioning Apple’s claims of its devices being “designed for privacy”, the government has asked the tech giant to join the investigation with “real, accurate information” on the alleged attacks.

Union Minister for Electronics & Information Technology Ashwini Vaishnaw said in a series of tweets on X (formerly Twitter) that the government is concerned by the statements regarding the notification from Apple. 

“However much of information by Apple on this issue seems vague and non-specific in nature. Apple states these notifications maybe based on information which is ‘incomplete or imperfect’. It also states that some Apple threat notifications maybe false alarms or some attacks are not detected,” the minister said, adding that Apple has also claimed that Apple IDs are securely encrypted on devices, making it extremely difficult to access or identify them without the user’s explicit permission.

“The Government of Bharat takes its role of protecting the privacy and security of all citizens very seriously and will investigate to get to the bottom of these notifications…” he added.

Union Minister of State for Electronics and IT Rajeev Chandrasekhar, meanwhile, asked Apple to clarify “if its devices are secure”, while adding that the government “will investigate these threat notifications and also apples claims of being secure and privacy compliant devices (sic)”.




State-sponsored cyberattacks

According to experts, state-sponsored cyberattacks are notoriously hard to trace to the original perpetrators.

Finland-headquartered global cyber security and privacy firm F-Secure noted in a blog that, for such attacks, states can directly employ hackers through their militaries and government authorities or fund them indirectly, which makes it easier to deny their involvement if the attack is detected.

These attacks don’t necessarily have a monetary goal, but can involve espionage, attacking critical infrastructure and companies, and spreading disinformation, it added.

According to Apple, if it discovers activity consistent with a state-sponsored attack, it notifies the targeted users via a ‘Threat Notification’ displayed at the top of the page after the user has signed in to appleid.apple.com, or through email/iMessage notifications.

Apple said in an August 2023 blog that users who are issued these alerts are individually targeted because of who they are or what they do. 

“Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent,” it said.

State-sponsored attacks, it added, are highly complex, cost millions of dollars to develop and often have a short shelf life. The vast majority of users will never be targeted by such attacks.

‘Impossible to guard against’ 

Digital rights activist Nikhil Pahwa, who founded the tech-policy-analysis portal MediaNama, said in a statement on X that such attacks are virtually impossible to guard against, because they “could get you to click on a link via any medium: email, sms, WhatsApp message etc”. 

“It could be a message posing as a credit card statement, ecommerce package delivery link, anything. It’s social engineering. It could happen to anyone.”

Asked how Apple may be able to detect such attacks, Pahwa told ThePrint it “would have some triggers on the device… if there is certain activity, whether client-side scanning or massive amounts of information being exfiltrated out, or attempts to access certain parts of the device stack”. 

“No one knows for sure and they don’t disclose this, but it would be activity on the device that triggers their investigation,” he added.

In his X statement, he said it is “virtually impossible” to identify who is behind these attacks. 

“You can’t ever conclusively prove who has attacked someone with such tools because it is virtually impossible to trace the source,” he added. “It’s possible to guess, and you can do a probabilistic determination. It’s impossible to prove.”

Advocate Apar Gupta, founding director at the NGO Internet Freedom Foundation (IFF), said in a post on X that the timing of the notifications — with elections in five states and the 2024 Lok Sabha polls around the corner — is “alarming”. 

“Public cynicism or judicial stupor should not preclude us from demanding an independent, transparent technical analysis and clear disclosures from the Government of India regarding its spyware purchases and deployments. This issue strikes at the heart of Indian democracy,” he added.

He noted earlier reports about the Indian government deploying Pegasus spyware, adding, “[Nonprofit] Access Now and Citizen Lab [initiative based in University of Toronto, conducting R&D at “the intersection of cyberspace, global security & human rights”] last month confirmed the validity of Apple’s threat notifications sent to Russian journalists. These confirmations lend high credibility to such notifications.”

He was referring to an Access Now-Citizen Lab investigation that reportedly found the iPhone of journalist Galina Timchenko — head of a Latvia-based Russian media organisation labelled “undesirable” by the Russian government for its critical coverage of President Vladimir Putin — had been infected with Pegasus. 

She had subsequently received a similar alert from Apple, the organisations said.

Additionally, Gupta said, a Financial Times report disclosed in March that India is seeking new spyware contracts.

Meanwhile, legal services organisation Software Freedom Law Center said in a statement that mobile phones contain vast amounts of personal data and any unwarranted intrusions constitute a gross violation of the owner’s right to privacy. 

“They are qualitatively and quantitatively different from any other object in our lives. If hacked, a host of personal information such as their private interests, photographs, health data, location and browsing history is laid bare to the attacker,” it pointed out.

“Such attacks, if they are sponsored by government agencies, are in violation of the safeguards for surveillance as provided in the Information Technology Act, 2000, and the rules therein as well as the Telegraph Rules,” it said.

(Edited by Sunanda Ranjan)




 
