CERT-In, the country’s nodal cybersecurity agency, picked up the threat by using internal tools deployed to screen vulnerabilities and published its first advisory to Indian users on May 17, people in the know said. It rated the severity as “high” and said the vulnerability could be exploited by making a “decoy WhatsApp voice call”.
The alert by WhatsApp, delivered to the agency later in May, did not have any mention that the malware used in the attack was Pegasus, developed by Israeli surveillance firm NSO Group, the source said.
Subsequently, in September, the American company wrote to CERT-In stating that there was a spyware ‘attempt’ on 121 Indians and that around 20 Indian users of its messaging app may have been impacted.
“In a country of 1.3 billion people, when someone writes that 20 people may have been impacted by a malware without (saying) that it is something as serious as Pegasus, what more is supposed to be done when the government has already issued an advisory,” the official told ET.
WhatsApp had also informed the Indian government that it had fixed the vulnerability and was ambiguous about whether the attack actually happened or not. “They (WhatsApp) did not mention at all that those targeted may still be under attack,” the official said.
The ministry of electronics and IT (Meity) and WhatsApp are currently engaged in a war of words with the government accusing the company of not disclosing the seriousness of the snooping attack. But WhatsApp has claimed otherwise. The malware is said to have infected the smartphones of nearly two dozen Indians including journalists, lawyers and activists.
“(The company) knew who was being impacted and had started sending individual messages to them, why did it not share those details with the (Indian) government,” the person said. Moreover, none of the 20 people who were impacted reported the attack to CERT.
On May 15, WhatsApp told ET that it had asked its users to update their apps in light of the discovery of a spyware which it did not name. WhatsApp said then that the vulnerability was discovered that month (May), and that the company quickly addressed the problem internally. The company also alerted US law enforcement authorities to the exploit, and published a “CVE notice” — an advisory to other cybersecurity experts alerting them to “common vulnerabilities and exposures”.
Despite the government official claiming that it had no knowledge of NSO’s involvement in the vulnerability, the CERT advisory references a Check Point article which attributes the spyware to NSO.
However, WhatsApp is silent about when it first alerted CERT-In.
In a fresh statement, a company spokesperson said, “WhatsApp provides industry leading end-to-end encryption to help protect user privacy and security. In May, our security team caught and stopped a cyber attack designed to send malware to mobile devices. Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones. Technology companies are constantly working to stay ahead of these kind of challenges through updates and patches. The safety and security of our users remains our highest priority, which is why in May we blocked the attack and have taken action in the courts to hold NSO accountable.”
On October 29, WhatsApp sued the NSO Group, which is reportedly behind the technology that helped unnamed entities hack into roughly 1,400 devices across at least 20 countries, including India, Bahrain, Mexico and UAE, as per the company’s lawsuit in a court in California.
Soon after, the Indian government shot off a letter to WhatsApp asking why it wasn’t adequately informed of the attack as required under the IT Act.
WhatsApp in its response had pointed to its earlier communications in May and September to CERT-In.
While the identity of the people who were impacted was kept under wraps, the issue was also not brought up when union minister Ravi Shankar Prasad met two senior officials from Facebook-WhatsApp in July and September, the government has alleged.
A WhatsApp official, who did not want to be named, told ET last week the lawsuit was brought only against NSO Group because it had found evidence of its malware used for hacking into the messaging application and it had not implicated any government.