GoI targeted Apple days after the Hi-tech cos notified journalists & opposition politicians of phone hacking: Washington Post Exclusive

SabrangIndia, Thu, 28 Dec 2023
https://sabrangindia.in/goi-targeted-apple-days-after-the-hi-tech-cos-notified-journalists-opposition-politicians-of-phone-hacking-washington-post-exclusive/

The aggression did not stop there; elected officials and representatives of the ruling regime even demanded that Apple “soften the impact of the warnings”

In an exclusive report published on December 27, 2023 (Rising India, Toxic Tech), the prominent US-based newspaper The Washington Post has reported on how Apple’s warnings to its users that government hackers may have tried to break into their iPhones led to aggressive questioning by officials from the ruling Bharatiya Janata Party (BJP).

First, there was public scepticism over whether Apple, a company based in Silicon Valley, had a sufficiently robust internal method of checking its threat algorithms, or whether they were faulty, and an investigation into the security of Apple devices was announced. There were demands that the company “soften the impact of the warnings”. Second, according to The Post, they also summoned an Apple security expert from outside the country to a meeting in New Delhi, where government representatives pressed the Apple official to come up with alternative explanations for the warnings to users, the people said. They spoke on the condition of anonymity to discuss sensitive matters.

Not coincidentally, in more recent weeks, The Washington Post, in collaboration with Amnesty, has reported on new cases of infections on phones belonging to Indian journalists. Further investigations by both The Post and a New York security firm, iVerify, found that opposition politicians had been targeted, adding to the evidence suggesting the rather brazen and continued use of powerful surveillance tools by the Indian government.

Further, Amnesty had shown The Post evidence it found in June that suggested a Pegasus customer was preparing to hack people in India. Amnesty asked that the evidence not be detailed to avoid teaching Pegasus users how to cover their tracks. “These findings show that spyware abuse continues unabated in India,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab. “Journalists, activists and opposition politicians in India can neither protect themselves against being targeted by highly invasive spyware nor expect meaningful accountability.”

Meanwhile, ironically, the report also states that the NSO spokesperson Liron Bruck said that the company does not know who is targeted by its customers but investigates complaints that are accompanied by details of the suspected hack. “While NSO cannot comment on specific customers, we stress again that all of them are vetted law enforcement and intelligence agencies that license our technologies for the sole purpose of fighting terror and major crime,” Bruck said. “The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”

During the open attempts by the Modi government and BJP representatives to arm-twist the visiting Apple official, the person reportedly stood by the company’s warnings. However, the aggressive intensity of the Indian government effort to “discredit and strong-arm Apple” has seriously disturbed executives at the company’s headquarters, in Cupertino, Calif., and illustrated how even Silicon Valley’s most powerful tech companies can face pressure from the increasingly authoritarian leadership of the world’s most populous country, India. India is also set to be a huge technology market in the coming decade.

This incident also is symptomatic of the dangers faced by those critical of the government in India and the lengths to which the Modi administration will go to deflect suspicions that it has engaged in hacking against its perceived enemies, according to digital rights groups, industry workers and Indian journalists.

Most of the 20-plus people who received Apple’s warnings at the end of October 2023 have been openly critical of Modi or his long-time ally, Gautam Adani, an Indian energy and infrastructure tycoon. These included a prominent politician from West Bengal state, a Communist leader from southern India and a New Delhi-based spokesman for the nation’s largest opposition party. Among the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a non-profit alliance of dozens of independent, investigative newsrooms from around the world. Siddharth Varadarajan, a co-founder of the Indian digital media outlet the Wire, received one of Apple’s Oct. 30 warnings. Amnesty found that the same hackers that broke into Mangnale’s phone had tried to do the same to Varadarajan’s.

It was on August 23, 2023 that the OCCRP emailed Adani seeking comment for a story it would publish a week later alleging that his brother was part of a group that had secretly traded hundreds of millions of dollars’ worth of the Adani Group conglomerate’s public stock, possibly in violation of Indian securities law. A forensic analysis of Mangnale’s phone, conducted by Amnesty International and shared with The Washington Post, found that within 24 hours of that inquiry, an attacker infiltrated the device and planted Pegasus, the notorious spyware that was developed by Israeli company NSO Group and that NSO says is sold only to governments. An Adani spokesperson not only denied this but accused OCCRP of conducting a “smear campaign” against the Adani group. While the top guns in the Modi administration kept mum, Gopal Krishna Agarwal, a national spokesman for the BJP, said any evidence of hacking should be presented to the Indian government for investigation.

Incidentally, the Modi government has never confirmed or denied using spyware, and it has refused to cooperate with a committee appointed by India’s Supreme Court to investigate whether it had. It may be recalled that two years ago, in 2021, the Forbidden Stories journalism consortium, which included The Post, found that phones belonging to Indian journalists and political figures were infected with Pegasus, which grants attackers access to a device’s encrypted messages, camera and microphone.

All the details of the controversy may be read in The Washington Post. David Kaye, a former United Nations special rapporteur on free expression who has testified before an Indian Supreme Court committee probing the government’s suspected use of Pegasus, said the recent reporting by The Post and its partners “further shifts the burden onto the Indian government to disprove the allegations that it uses these kinds of tools.” “Especially after this information, the government absolutely has to be honest and transparent,” Kaye said. “But the accretion of evidence suggests this is not divorced from the broader assault by the Modi government on the freedom of expression and the right to protest.”

 

Spying on Opposition, Dissidents, Scribes Becomes More Dangerous

SabrangIndia, Wed, 10 Aug 2022
https://sabrangindia.in/spying-opposition-dissidents-scribes-becomes-more-dangerous/

Authoritarian regimes can hire cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus.

Image Credit: Aman Khatri

Snooping on opposition politicians, journalists, political dissidents or even business rivals seems to have become the norm. It is also becoming easier with new methods, technology and people available to carry out such tasks without much difficulty.

In 2021, it was the Pegasus Project. Now, cybersecurity groups have identified several cyber criminal outfits and individuals, including those acting like mercenaries, who can be engaged and used by any power—governments, their agencies or even big business—against their ‘enemies’.

While a large chunk of the victims are journalists, political dissidents are becoming the main target of these cyber attackers or hackers. These cyber criminals not only snoop to find out what the targets are up to but can also gather their data and destroy their entire activity, even personal activity, by attacking their mobile phones, laptops and computers. Most of the time, victims do not even know that they are being tracked or hacked.

To understand the level of the threat being posed by ‘political’ cyber criminals, the Pegasus Project, its impact and expanse have to be understood first. An Israeli cyber arms firm named NSO Group created the Pegasus spyware. The company is supervised by the Israeli government’s Defence Department.

Though NSO claims that the spyware was developed for surveillance of “serious crimes and terrorism”, the technology was used by governments around the world mostly against non-criminal individuals, mostly dissidents. About 50,000 phone numbers of mostly opposition politicians, political dissidents, journalists, lawyers and human rights activists, among others in various countries were leaked in 2020. As many as 14 presidents, prime ministers and diplomats were also on this list. This spyware was acquired/purchased by several governments under an agreement with Israel.

A significant number of the hacked phones inspected by Amnesty International’s cybersecurity team revealed that the malware was covertly installed on mobile phones and other devices running on iOS and Android. The information gathered by Amnesty International was sent by it to 17 global media organisations, leading to protests in different countries, including India, with the protestors demanding a probe into the acquisition and the use of Pegasus, its abuses and a limitation on trading such repressive malware.

A new situation has arisen now—a government or a large corporation can easily access these cyber criminals or mercenaries, who can be hired or their spyware bought to plant spy malware inside the devices of the target.

Threatpost, a Massachusetts (US)-based independent cybersecurity news organisation, has recently come out with a report regarding such emerging cyber threats. Since 2021, various “state-aligned threat groups” have turned up their targeting of journalists to steal data and credentials and also track them, according to the report. The report, quoting researchers at a leading cybersecurity firm called Proofpoint, said there have been “efforts by advanced persistent threat (APT) groups. … Attacks began in early 2021 and are ongoing. The APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar with threat actors targeting email and social media accounts as phishing inroads in cyberespionage campaigns”. Sunnyvale (California)-based Proofpoint says it protects “people, data and brand against advanced threats and compliance risks”.

Another aspect of cybercrime targeting individual freedom has been pointed out in an article by Threatpost writer Elizabeth Montalbano. A “cybergang” called the Atlas Intelligence Group (AIG) has been recently spotted by security researchers recruiting independent black hat hackers to execute specific aspects of its own campaigns, she alleged.

AIG, also known as the Atlantis Cyber-Army, functions as “a cyber-threats-as-a-service criminal enterprise. This group markets services including data leaks, distributed denial of service, remote desktop protocol hijacking and additional network penetration services”, according to the report. AIG, the for-hire cyber criminal group, “is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called ‘cyber mercenaries’ to carry out specific illicit hacks that are part of larger criminal campaigns”.

The report further stated that AIG is “unique in its outsourcing approach to committing cybercrimes. … For example, Ransomware-as-a-Service organised crime campaigns can involve multiple threat actors—each getting a cut of any extorted lucre or digital assets stolen. What makes AIG different is it outsources specific aspects of an attack to ‘mercenaries’, who have no further involvement in an attack. … only AIG administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets”.

Journalists have been targeted before but not like this. How do these cyber mercenaries attack a journalist or a dissident activist? The attacks typically involve some type of social engineering to lower the guard of targets to coax them to download and execute various malicious payloads onto their personal digital devices, the researchers said. The ways to attract a gullible journalist include emails and messages sent via various social media platforms on topics related to their areas of focus or specialisation, political or otherwise.

“In various instances, the attackers would lie low after posting malware infection. This would enable them to gain persistence on a recipient’s network and help them conduct lateral network reconnaissance and propagate additional malware infections within the target’s network. Secondary tactics included tracking or surveilling journalists.”

Proofpoint said that adversaries or hackers used web beacons planted on journalists’ devices to carry out surveillance. While the latest report tracks some of the most recent activities against journalists, targeting this group of individuals certainly is not novel given the type of information they know when it comes to political and socio-economic issues, the researchers noted.

“APT actors, regardless of their state affiliation, have and will likely always have the mandate to target journalists and media organisations and will use associated personas to further their objectives and collection priorities,” they wrote. Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

The researchers at Proofpoint delved deep into these attacks on journalists. Some of the examples they wrote about included the targeting of media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment. If opened, the attachment would “install and execute Chinoxy malware—a backdoor that is used to gain persistence on a victim’s machine”. Early this year, a US-based media organisation was the target of phishing attacks that appeared to offer job opportunities from reputable companies to journalists. The attack was reminiscent of a similar one against engineers that the same group of cyber criminals had mounted in 2021.

“The sites were fraudulent and the URLs were armed to relay identifying information about the computer or device someone was working from to allow the host to keep track of the intended target,” the researchers said. Another example was that of a state-sponsored actor which hid behind the persona of a fake media organisation to deliver malware to public relations personnel for companies located in the United States, Israel and Saudi Arabia.

“Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks,” the researchers said. In one campaign that occurred in March 2022, a cyber criminal firm sent an email with the ironic subject line ‘Iran Cyber War’ that ultimately dropped a remote access trojan on the victims’ machines. “The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing,” the researchers added.

“Between September 2021 and March 2022, Proofpoint observed campaigns (run by this threat actor) approximately every two to three weeks. The March 2022 campaign targeted both individual and generic, group email addresses … (of those) involved in energy, media, government, and manufacturing.”

With individuals and cyber criminal groups involved in hacking and the dark Web becoming active in the Internet world, it would become easier for authoritarian and autocratic governments to target opposition leaders, political dissidents, human rights activists and journalists. These regimes can hire such cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus. 

The writer has extensively covered internal security, defence and civil aviation for the Press Trust of India for three decades. Views are personal.

Courtesy: Newsclick