New Delhi: Last week, exploiting a security loophole in the Facebook-owned messenger service WhatsApp, hackers injected spyware into several mobile phones. While the identity of the hackers is still unknown, it is known that an Israeli company, the NSO Group, developed the spyware.
The hackers succeeded in installing the spyware on both Android phones and iPhones by making WhatsApp calls to the users. The spyware was transmitted even if the call wasn’t received. In several cases, the call disappeared from the logs soon after.
It took WhatsApp until Monday, 13 May, to acknowledge the hack. It issued an advisory, asking its 1.5 billion users to immediately update the app.
But this is hardly the first instance of a multinational firm being targeted by a cyber attack. ThePrint looks at the world of cyber warfare, which features various state-sponsored hackers, developers such as NSO, and sovereign governments who operate in a completely unregulated environment.
NSO, a billion-dollar developer
NSO is an Israeli technology firm which focuses on cyber security. Originally founded by Israeli general Avigdor ben-Gal, the firm has maintained very close ties with the Israeli government and its security forces.
It has been reported that before NSO can sign a contract with a foreign government, the deal has to be approved by the Israeli government. Thus, NSO has often acted as a diplomatic and cyber surveillance tool of the government.
It was bought over by American private equity firm Francisco Partners in 2014, but has continued to retain its close ties with the Israeli government. On 14 February 2019, when the founders reacquired NSO from Francisco, it was valued at $1 billion.
NSO developed its spyware, Pegasus, over a decade ago. Over the years, it has been updated and developed into three different versions, one of which was used to infiltrate WhatsApp last week.
According to a report in the Financial Times: “Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages or location, and even turns on the camera and microphone to live-stream meetings.”
This highly effective modus operandi has allowed NSO to sell its software as “zero clicks technology”.
NSO claims that it has sold Pegasus to dozens of governments, which use it to prevent terrorist attacks, infiltrate drug cartels, and perform other security functions. But the reality seems to be darker than claimed by NSO.
Dark side of Pegasus
Researchers at the University of Toronto’s Citizen Lab have been shadowing Pegasus since 2017. They claim that over 40 countries, including Bahrain, the UAE, Saudi Arabia and Morocco, have used the software.
There are currently two ongoing lawsuits against NSO, in Israel and in Cyprus. According to these cases, governments have allegedly used Pegasus to track dissidents, journalists, and human rights activists.
Details have emerged on NSO’s dealings with the Saudi and Mexican governments, which present a bleak image of how governments plan to use this spyware.
A businessman told the Financial Times in 2017 that the Saudi government had paid NSO $55 million for ‘Pegasus 3’, which would allow it to track 150 targets simultaneously.
The lawsuit in Israel revealed that the Mexican government paid NSO $32 million in 2014 for ‘Pegasus 2’. This spyware included a feature called Enhanced Social Engineering Message, which would allow the government to send text messages to users, customised to their social media profiles. Once the user clicks on the message, the spyware is automatically transmitted.
NSO claims that it has a robust internal vetting process, and has rejected business worth $150 million over the past three years. But its critics call this vetting process a sham. They point to NSO’s dealings with countries like Saudi Arabia, which have a history of human rights violations.
The big picture: An unregulated cyberspace
A 2015 agreement between the US and China had reduced these attacks for a brief while, but they have again resumed.
Last year, the US Department of Justice issued indictments for several hacking-related incidents, including cases against a dozen Chinese companies and individuals. But most of the indicted individuals continue to live in China, and the American efforts to get them deported have had no impact.
The nub of the problem seems to be the complete absence of any ground rules governing cyber behaviour, such as restrictions on developing capabilities. Unlike nuclear warfare, which features the logic of ‘mutually assured destruction’, there have been no doctrines agreed upon for cyber warfare.