Israeli malware developer NSO Group found itself the subject of international headlines a couple of years ago. Not the good kind either. A leaked document apparently showed who was being targeted by the company’s cell phone exploits — a long, disturbing list that contained journalists, lawyers, activists, dissidents, religious leaders, and plenty of politicians.
The months following that initial leak have been even less kind to NSO. To be fair, NSO deserved every bit of this backlash since it had spent several years courting the business of some of the most abusive governments in the world.
NSO is pretty much out of the malware business at the moment, but even if it chooses to get back at it, it will be an extremely uphill battle. It’s been sanctioned, sued, and the subject of multiple investigations by governments apparently shocked to discover they themselves have been maliciously deploying malicious software.
India is one of several countries to open an investigation into NSO and possible use of its phone exploits. This investigation was actually opened by the nation’s top court, which has already been told by the Modi government that it’s not interested in cooperating with the Supreme Court’s inquiry. And the government still wants surveillance tech to (presumably) abuse. But, for the moment, it’s not interested in purchasing it from NSO Group.
Factoring into this latest news is a move Apple made after these revelations about NSO. It sued NSO towards the end of 2021 — a lawsuit that came with a new notification program attached. Apple stated it would notify any users it suspected to be targeted by state-sponsored hacking attempts. It made good on this promise almost immediately, notifying a Polish prosecutor that their phone had been subjected to hacking attempts. Many more notifications soon followed, with the company notifying victims in Thailand, El Salvador, and Uganda.
All of that has added up to this: the government of India being super-pissed Apple is letting people know state-sponsored hackers are trying to access their devices. Gerry Shih and Joseph Menn, reporting for the Washington Post, have the details:
A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.
Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company’s internal threat algorithms were faulty and announced an investigation into the security of Apple devices.
Understandably, it’s embarrassing getting caught doing the sorts of things people already suspect you of doing. But rather than say something useful — like the government will be looking into this to see if this is a misuse of the tech — the Modi government chose to accuse Apple of being incompetent and place it under investigation instead.
According to anonymous Modi administration officials, the government is placing a ton of pressure on Apple’s India reps to come up with an alternative to the notification program and/or the notifications themselves. Apparently, the government believes the notifications are having a negative “political impact.” Again, rather than alter its tactics, it’s pressuring Apple India reps to alter theirs. They’re seeking alternative wording that might suggest the Modi government has a better reason for hacking phones than simply to spy on people who aren’t fans of Modi or his administration.
That’s going to be a tough sell. The facts speak for themselves.
Many of the more than 20 people who received Apple’s warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon.
Things look even worse when you take a look at which journalists were apparently targeted by state-sponsored hacking:
Of the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a nonprofit alliance of dozens of independent, investigative newsrooms from around the world.
If the Modi administration wanted to draw attention away from its abusive tactics and alleged corruption, it couldn’t have picked a worse way to do it. Thanks to Apple’s notification program, the entire world now has a clearer picture of how (and why) the Indian government deploys phone exploits. And the malware detected on Mangnale’s phone was none other than NSO Group’s flagship product: Pegasus.
NSO did respond to requests for comment from the Washington Post, but as usual, its contribution to the discussion was less than useful. Once again, NSO stressed it only sells to governments and only for the purposes of combating terrorism and “major crimes.” But this part of the statement is even more useless than the usual stuff NSO says when yet another report shows even more abusive deployments of its spyware.
“The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”
“Provide” all the “mechanisms” you want, but it doesn’t actually prevent anyone from targeting the kind of people who shouldn’t be targeted by governments that bought malware and agreed to use it to fight terrorism and “major crime.” The correct response would be to terminate contracts and refuse to sell to governments caught abusing the tech. The incorrect response would be… well, pretty much everything NSO has done since the leak blew the lid off its plausible deniability.
It’s pretty easy to tell a powerful foreign government to fuck off from Cupertino, California. But things are far less simple for those having to deal with Indian government officials face-to-face. The Apple reps located in India appear to have been intimidated into at least some level of cooperation with the government’s preferred narrative.
Apple India soon sent out emails observing that it could have made mistakes and that “detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.”
But that appears to be the end of the concessions being made by Apple India. And Apple, for its part, flew an outside rep to India to meet with the government in an effort to disabuse it of its (clearly false) notions that Apple hacking warnings are generally just the result of incompetence by Apple’s security team.
For now, it appears the Modi administration believes it has won this match. Pressure to alter notifications has eased a bit as the government’s narrative is continually pushed by politicians who insist the notices were nothing but mistakes or, as one legislator put it, “fake” (as in news). The Indian government can try to enjoy this non-victory, but it’s still losing the long game. India’s citizens already know they can’t trust this government. This is just more evidence indicating the distrust is genuine and earned.
