The story first reported by The Indian Express on Thursday were later confirmed after WhatsApp issued a frequently asked questions (FAQ) on their website, outlining the attack and their recourse trajectory.
Speaking to BOOM, Choudhary said, "I got to know when Citizen Lab contacted me two months back. They asked me who I am and what I do. I asked them why they wanted to know my details. So they shared about them. Then I told them what I do. So they said that it made sense why I came under attack."
"They have a list from Whatsapp. There is a Israeli company (Pegasus) who have created a very expensive spyware. Citizen Lab claimed that due to the high cost, individuals cannot use it but governments use it. Quite a few people were targeted in India and several around the world. We wanted to understand why you were targeted," Choudhary said.
Choudhary also shared the following screenshot, which shows his conversation with Citizen Lab.
NSO has said that they will vigorously fight and dispute the allegations made against them. "Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years," said NSO to BOOM.
What is the attack all about?
WhatsApp has revealed that they stopped a cyber-attack on the platform, aimed at exploiting their video calling services. Users at the receiving end were not required to pick up the video-call for the malware to be sent to their devices.
This exploit has affected around 1,400 victims, who were notified of this by the company through a special message.
What is the Indian angle?
The Indian Express has reported that more than two dozen Indian journalists, Dalit activists, academics and lawyers have been targeted by the exploit.
A WhatsApp spokesperson told the newspaper that they were aware of the number of people who were targeted by the exploit, and sent each one of them a message, they declined to give a number. Confirming the targets, the spokesperson added that "it is not an insignificant number."
Some media agencies have reported victims coming forwards to speak to them:
- HuffingtonPost India has reported on the victims being lawyers defending the arrested activits in the Bhima-Koregaon case.
- Newslaundry has also put out a list of those who have been targetted, including activists Bela Bhatia and Anand Teltumbe and lawyer Degree Prasad Chauhan.
One of WION's reporters was also targeted as stated in this tweet.
Meanwhile, Ravi Shankar Prasad, Minister for Information Technology and Law pushed out a series of tweets, where he expressed the government's concern at possible breach of privacy and has asked WhatsApp to explain what has been done to safeguard the 'privacy of millions of Indian citizens'.
According to Indian Express, the IT Ministry has directed WhatsApp to file a written response on the snooping by November 4.
The Ministry of Home Affairs too has come out with a statement.
BOOM had reached out to a WhatsApp spokesperson, who directed us to their FAQ.
What is Pegasus?
Pegasus is the spyware that is attributed to be the perpetrating software of the attack.
Citizen Lab is an academic group based out of the University of Toronto who are currently volunteering with WhatsApp to learn more about the impact of the attack. According to a statement by them, Pegasus is one of the most sophisticated spywares available on the market.
They said that Pegasus can send back victims' private data such as passwords, contacts, calendar events, text messages to operators' servers and can even activate victims' microphone and camera, and track the phone's GPS for location and movements.
Pegasus is also designed for effectively being able to evade anti-virus and anti-spyware software, and for operators to be able to deactivate the spyware.
Previously, Pegasus was linked to involvement with scamming the wife of a dead Mexican industrial tycoon in 2017, and a close aide of murdered Saudi dissident Jamal Khoshoggi in Canada in 2018.
BOOM has reached out to Citizen Lab for comments.
Who is WhatsApp accusing?
WhatsApp is pegging the blame of the exploit on an Israeli company called NSO Group, and its parent Q Cyber Technologies.
WhatsApp will initiate legal actions against them in a US court, stating that that NSO Group's actions violates both US and Californian law and WhatsApp's terms of service, and are thus seeking an injunction banning NSO from using their service.
They further state that this is the first time that an encrypted messenger service is initiating legal action against a private entity, and the complaint includes a revelation from an NSO employee that WhatsApp successfully repulsed the attack.
Strongly refuting these claims, NSO has decided to contest the claims. They said that their software is not designed to be used against civilians and journalists, and their clients only include vetted governments and affiliated agencies.
It is noteworthy that the complaint mentions that the target users and NSO's clients are government agencies in the United Arab Emirates, Mexico and the Kingdom of Bahrain, among others.
NSO Refutes WhatsApp
Meanwhile, in an email conversation with BOOM, NSO has refuted claims made by WhatsApp but refused to disclose who is or is not a client or discuss specific uses of its technology. This, they claimed is to protect the ongoing public safety missions of its agency customers and given significant legal and contractual constraints.
However, NSO did mention that the company's products are licensed to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime.
Who engaged with NSO to target Indians?
That is still unknown though NSO maintains that their clients are primarily government agencies.
While WhatsApp is targeting NSO, it is still unclear how WhatsApp's end-to-end encryption has been circumvented, and if those who commissioned these attacks were only government agencies or private entities as well.
Additional reporting done by Saket Tiwari