snooping | SabrangIndia: News Related to Human Rights

Spying on Opposition, Dissidents, Scribes Becomes More Dangerous
https://sabrangindia.in/spying-opposition-dissidents-scribes-becomes-more-dangerous/
Wed, 10 Aug 2022 04:28:40 +0000

Authoritarian regimes can hire cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus.

Image Credit: Aman Khatri
 

Snooping on opposition politicians, journalists, political dissidents or even business rivals seems to have become the norm. It is also becoming easier with new methods, technology and people available to carry out such tasks without much difficulty.

In 2021, it was the Pegasus Project. Now, cybersecurity groups have identified several cyber criminal outfits and individuals, including those acting like mercenaries, who can be engaged and used by any power—either governments, their agencies or even the big business—against their ‘enemies’.

While a large chunk of the victims is journalists, political dissidents are becoming the main target of these cyber attackers or hackers. These cyber criminals not only snoop to find out what the targets are up to but they can also gather their data and destroy their entire activity, even personal ones, by attacking their mobile phones, laptops and computers. Most of the time, victims do not even know that they are being tracked or hacked.

To understand the level of the threat being posed by ‘political’ cyber criminals, the Pegasus Project, its impact and expanse have to be understood first. An Israeli cyber arms firm named NSO Group created the Pegasus spyware. The company is supervised by the Israeli government’s Defence Department.

Though NSO claims that the spyware was developed for surveillance of “serious crimes and terrorism”, the technology was used by governments around the world mostly against non-criminal individuals, mostly dissidents. About 50,000 phone numbers of mostly opposition politicians, political dissidents, journalists, lawyers and human rights activists, among others in various countries were leaked in 2020. As many as 14 presidents, prime ministers and diplomats were also on this list. This spyware was acquired/purchased by several governments under an agreement with Israel.

A significant number of the hacked phones inspected by Amnesty International’s cybersecurity team revealed that the malware was covertly installed on mobile phones and other devices running on iOS and Android. The information gathered by Amnesty International was sent by it to 17 global media organisations, leading to protests in different countries, including India, with the protestors demanding a probe into the acquisition and the use of Pegasus, its abuses and a limitation on trading such repressive malware.

A new situation has arisen now—a government or a large corporation can easily access these cyber criminals or mercenaries, who can be hired or their spyware bought to plant spy malware inside the devices of the target.

Threatpost, a Massachusetts (US)-based independent cybersecurity news organisation, has recently come out with a report regarding such emerging cyber threats. Since 2021, various “state-aligned threat groups” have turned up their targeting of journalists to steal data and credentials and also track them, according to the report. The report, quoting researchers at a leading cybersecurity firm called Proofpoint, said there have been “efforts by advanced persistent threat (APT) groups. … Attacks began in early 2021 and are ongoing. The APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar with threat actors targeting email and social media accounts as phishing inroads in cyberespionage campaigns”. Sunnyvale (California)-based Proofpoint says it protects “people, data and brand against advanced threats and compliance risks”.

Another aspect of cybercrime targeting individual freedom has been pointed out in an article by Threatpost writer Elizabeth Montalbano. A “cybergang” called the Atlas Intelligence Group (AIG) has been recently spotted by security researchers recruiting independent black hat hackers to execute specific aspects of its own campaigns, she alleged.

AIG, also known as the Atlantis Cyber-Army, functions as “a cyber-threats-as-a-service criminal enterprise. This group markets services including data leaks, distributed denial of service, remote desktop protocol hijacking and additional network penetration services”, according to the report. AIG, the for-hire cyber criminal group, “is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called ‘cyber mercenaries’ to carry out specific illicit hacks that are part of larger criminal campaigns”.

The report further stated that AIG is “unique in its outsourcing approach to committing cybercrimes. … For example, Ransomware-as-a-Service organised crime campaigns can involve multiple threat actors—each getting a cut of any extorted lucre or digital assets stolen. What makes AIG different is it outsources specific aspects of an attack to ‘mercenaries’, who have no further involvement in an attack. … only AIG administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets”.

Journalists have been targeted before but not like this. How do these cyber mercenaries attack a journalist or a dissident activist? The attacks typically involve some type of social engineering to lower the guard of targets to coax them to download and execute various malicious payloads onto their personal digital devices, the researchers said. The ways to attract a gullible journalist include emails and messages sent via various social media platforms on topics related to their areas of focus or specialisation, political or otherwise.

“In various instances, the attackers would lie low after posting malware infection. This would enable them to gain persistence on a recipient’s network and help them conduct lateral network reconnaissance and propagate additional malware infections within the target’s network. Secondary tactics included tracking or surveilling journalists.”

Proofpoint said that adversaries or hackers used web beacons planted on journalists’ devices to carry out surveillance. While the latest report tracks some of the most recent activities against journalists, targeting this group of individuals certainly is not novel given the type of information they know when it comes to political and socio-economic issues, the researchers noted.

“APT actors, regardless of their state affiliation, have and will likely always have the mandate to target journalists and media organisations and will use associated personas to further their objectives and collection priorities,” they wrote. Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

The researchers at Proofpoint delved deep into these attacks on journalists. Some of the examples they wrote about included the targeting of media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment. If opened, the attachment would “install and execute Chinoxy malware—a backdoor that is used to gain persistence on a victim’s machine”. Early this year, a US-based media organisation was the target of phishing attacks that appeared to offer job opportunities from reputable companies to journalists. The attack was reminiscent of a similar one against engineers that the same group of cyber criminals had mounted in 2021.

“The sites were fraudulent and the URLs were armed to relay identifying information about the computer or device someone was working from to allow the host to keep track of the intended target,” the researchers said. Another example was that of a state-sponsored actor which hid behind the persona of a fake media organisation to deliver malware to public relations personnel for companies located in the United States, Israel and Saudi Arabia.

“Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks,” the researchers said. In one campaign that occurred in March 2022, a cyber criminal firm sent an email with the ironic subject line ‘Iran Cyber War’ that ultimately dropped a remote access trojan on the victims’ machines. “The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing,” the researchers added.

“Between September 2021 and March 2022, Proofpoint observed campaigns (run by this threat actor) approximately every two to three weeks. The March 2022 campaign targeted both individual and generic, group email addresses … (of those) involved in energy, media, government, and manufacturing.”

With individuals and cyber criminal groups involved in hacking and the dark Web becoming active in the Internet world, it would become easier for authoritarian and autocratic governments to target opposition leaders, political dissidents, human rights activists and journalists. These regimes can hire such cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus. 

The writer has extensively covered internal security, defence and civil aviation for the Press Trust of India for three decades. Views are personal.

Courtesy: Newsclick

 

 

Opinion: Indian agencies can snoop on any computer but my RTI complaint against it gets rejected
https://sabrangindia.in/opinion-indian-agencies-can-snoop-any-computer-my-rti-complaint-against-it-gets-rejected/
Mon, 04 Feb 2019 09:55:39 +0000

The CPIO has mechanically washed his hands of the responsibility of being transparent about the government. Further, I had not sought any information about any specific computer resource that was being intercepted by any of the 10 agencies listed in the December 2018 order.

Snooping
 
A furore was caused by an order issued by the Cyber and Information Security Division of the Union Ministry of Home Affairs (MHA) on 20 December 2018, authorising 10 security and intelligence agencies to intercept, monitor and decrypt information generated, transmitted, received or stored in any computer resource.
 
Under The Right to Information Act, 2005 (RTI Act), the MHA has refused to disclose the reasons and materials such as file noting which formed the basis for issuing this order. Even more shocking is the MHA’s refusal to treat this as a valid query request for not complying with the duty of proactive disclosure of all relevant facts and reasons that underpin the order.
 
Controversy surrounding MHA’s December 2018 order
Through the December 2018 order, the MHA authorised intelligence organisations such as the Intelligence Bureau, the Research & Analysis Wing (R&AW) of the Cabinet Secretariat, the Directorate of Revenue Intelligence and the Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam only) to access information from any computer resource under the Information Technology Act, 2000.
 
Security agencies such as the Central Bureau of Investigation (CBI), the National Investigation Agency, the Delhi Police and the Enforcement Directorate are also included in this list. The Central Board of Direct Taxes, which is neither a security nor an intelligence agency per se [although one of its arms, the Directorate General of Income Tax (Investigation), does engage in tax-related intelligence gathering operations], was also authorised to intercept computer resources.
 
In the December 2018 Gazette notification, the MHA stated that the order was being issued under Section 69(1) of the IT Act read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
 
Reflecting the very public outrage that the order caused, Opposition Leaders raised the issue in the Rajya Sabha the next day. The Leader of the House (also the then Hon’ble Union Finance Minister) is reported to have criticised them for raising the issue in the manner they did, saying:
 
“What you are doing…is making a mountain where even a molehill does not exist.” 
 
He pointed out that the 2009 Rules were notified under the UPA-II regime and that the same agencies were being notified, for the same purpose, from time to time earlier as well.
 
The order was not an omnibus authorisation to intercept any computer resource but only such instruments that are linked to threats to national security, public order and integrity of India, he said. While beginning his reply to the Opposition Leaders, he is reported to have said that as senior leaders they ought to have obtained complete information about the issue before raising it in the House.
 
The RTI Intervention
Deeply influenced by the sage advice of the Hon’ble Leader of the House and remembering the fact that the proviso under Section 8(1) of the RTI Act states that information which cannot be denied to a Member of Parliament cannot be denied to any citizen, I submitted a request to MHA through the RTI Online Facility seeking the following information:
 
“1) A clear photocopy of all official records that contain the written reasons for issuing the authorisation to the 10 security and intelligence agencies specified in the attached Gazette notification as per the requirements of Section 69(1) of the Information Technology Act, 2000 (IT Act);
 
2) A clear photocopy of all file notings, correspondence and related legal opinion, if any, with annexures, if any that form the materials on the basis of which the said authorisation was issued;
 
3) The detailed reasons for not complying with the statutory requirement of voluntary disclosure of facts, details and reasons related to the said authorisation as per the statutory requirements under Section 4(1)(c) and 4(1)(d) read with Section 26(1)(c) of the RTI Act, 2005;
 
4) A list of all other security and intelligence organisations or other authorities that have been authorised for the purpose of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the IT Act, by the competent authority in the Government of India prior to 20/12/2018; and
 
5) A clear photocopy of all notifications issued till date, by every State Government and Union Territory Administration, similarly authorising security and intelligence organisations or authorities under their jurisdiction for the interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the IT Act.”
 
The MHA’s reply
The Central Public Information Officer (CPIO) of the MHA has rejected the information sought at paras 1, 2, 4 and 5 in the following words:
 
“Sought documents/information is classified as ‘Top Secret’ and cannot be disclosed as it is exempted under Section 8(1)(a), 8(1)(g) and 8(1)(h) of the Right to Information Act, 2005. This is in confirmation with the Central Information Commission decision vide no. CIC/VS/A/2014/000378/SB dated 02.09.2015 (available in public domain) in an appeal filed by Shri Amitabh Narayan”. (emphasis supplied)
 
As regards the query about non-compliance with the voluntary disclosure of facts and detailed reasons for the authorisation to intercept computers, the CPIO replied that “It is in the form of a question which is not covered under the definition of ‘information’ under Section 2(f) of the Right to Information Act, 2005.” (emphasis supplied) 
 
What is wrong with the CPIO’s reply?
1) The CPIO seems to be completely oblivious of the advice of the Leader of the House in the Rajya Sabha that anybody speaking about the interception order must do so after obtaining all facts. This was the express purpose of the RTI intervention but it was completely lost on the CPIO. The two gentlemen seem to be operating on completely different wavelengths. Section 4(1)(c) and 4(1)(d) of the RTI Act require every public authority to voluntarily disclose all relevant facts and reasons for such orders to the public at large. Under Section 26(1)(c) of the RTI Act, the Central Government has a duty to ensure that every public authority performs this voluntary duty. Section 26(1)(c) mandates the Government to require all public authorities to proactively disseminate accurate information about their activities effectively from time to time. The CPIO has ignored all these statutory requirements while making a decision on my RTI application.
 
2) Further, the CIC’s order which the CPIO has cited to reject four of the five RTI queries has nothing to do with the IT Act at all. The CIC in its wisdom has thought it fit not to record the contents of the RTI application in its September 2015 order. The CIC had held that the RTI applicant’s request for information about “telephone interception” under the 125+ years old Indian Telegraph Act and relevant Rules cannot be granted because it may prejudicially affect the interests protected under Section 8(1)(a) of the RTI Act (which of the seven grounds mentioned in that exemption is applicable, is not even discussed in the order). The CIC also ruled that disclosure would impede the investigation processes and reveal the source of information given in confidence to law enforcement agencies but there is no discussion about how disclosure will have such an effect. According to several High Courts, a detailed and well-reasoned justification is a mandatory requirement while invoking the exemptions under Sections 8(1)(g) and (h) of the RTI Act. The MHA which had decided this RTI application also had explained that telephone interception-related records are destroyed after six months. So some of the information was not available with them in material form and could not be supplied to the appellant, it had argued.
 
In my humble opinion, despite the glaring defects from which the CIC’s order suffers, it does not apply to anything done or order issued under the IT Act. The December 2018 order is not for telephone interception at all. Instead, it is for computer interception. The CIC’s 2015 order operates in a completely different field. 
 
The CPIO has mechanically washed his hands of the responsibility of being transparent about the routine actions of government. Further, I had not sought any information about any specific computer resource that was being intercepted by any of the 10 agencies listed in the December 2018 order. So the CPIO’s action of invoking Sections 8(1)(g) and (h) is also misconceived.
 
3) Further, there is at least one previous order of the CIC from June 2011 where access to information about telephone interception had been granted after severing the names of officers (see 5th attachment). In this case, information was sought from the CBI. Interestingly, the UPA-II Government issued a notification partially excluding CBI from the ordinary obligations of transparency under the RTI Act, in the same month and year. The CBI challenged the CIC’s order arguing that the benefit of exclusion is available to it with retrospective effect. So, the Delhi High Court stayed the operation of the 2011 CIC order. Meanwhile, several citizens filed petitions in High Courts across the country challenging the partial exclusion granted to the CBI. These petitions were transferred to the Supreme Court on the Central Government’s plea. This issue has been pending for more than seven years without resolution. The CIC’s two-page order of 2015 does not even mention the seven and a half page long CIC’s 2011 order where reasons for partial disclosure are discussed in detail. One would expect that the appeal ought to have been kept pending in view of the stay granted by the Delhi High Court on a similar issue. The MHA’s CPIO has cherry-picked a questionable CIC decision to deny information about the December 2018 interception authorisation order.
 
4) The CPIO’s reply to my third RTI query is erroneous even under the terms of Section 69(1) of the IT Act, which is reproduced below:
 
“69. Directions of Controller to a subscriber to extend facilities to decrypt information.
(1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource.
 
(2) The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information.
 
(3) The subscriber or any person who fails to assist the agency referred to in sub-section (2) shall be punished with imprisonment for a term which may extend to seven years.” (emphasis supplied)
 
So when any order is issued under Section 69(1) of the IT Act, reasons must be recorded in writing. Under the 2009 Rules, these duties are required to be performed by the Secretary, MHA who is the “competent authority” for the Central Government. At Query #3 of my RTI application, I had asked why these reasons have not been disclosed as per the requirements of the RTI Act. By holding that Query No. 3 is in the form of a question and is not seeking information, the CPIO has committed another error. While his boss is duty bound to record reasons before issuing the authorisation order, the CPIO has neither the intention of disclosing them nor will he treat non-compliance with the statutory duty of proactive disclosure of those very reasons as a valid basis for the RTI query.
 
According to the Preamble of the RTI Act, one of its objectives is to ensure accountability of the Government and its instrumentalities to the governed. This accountability applies not only to decisions made and actions taken by public authorities but also to their omissions and failure to comply with statutory requirements.
 
Every citizen has the right to know all the facts and reasons that form the basis of the December 2018 authorisation order. 
 
Meanwhile, the December 2018 order has been challenged in the Supreme Court of India. Even as we wait for the outcome of this case, I am planning to file the usual appeals. Perhaps a direct complaint to the CIC about MHA’s non-compliance with Sections 4(1) and 26(1)(c) of the RTI Act might also be ordered in this case.

Nayak is a Programme Coordinator at Access to Information Programme, Commonwealth Human Rights Initiative
 
