Recent reports that Pegasus, a piece of malicious software, was used to secretly monitor public figures in India have raised significant concerns. Developed by the Israeli firm NSO Group, this malware has evolved significantly since its inception, making it a formidable cyber threat. The spyware is known for gaining surreptitious access to devices, collecting private information, and transmitting it to its operator.
Pegasus: A Detailed Overview
Pegasus, classified as spyware, was developed by NSO Group, an Israeli firm established in 2010. The malware came into the limelight in 2016, when researchers discovered an early version that infected phones through spear-phishing: phone users were tricked into clicking on malicious links sent via text messages or emails. Over time, Pegasus has become more advanced and now uses “zero-click” attacks, which can succeed without any action from the device owner. It often exploits “zero-day” vulnerabilities, i.e., flaws in an operating system that are unknown to the manufacturer and therefore unpatched.
High-Profile Targets
Human rights activists, journalists, lawyers, Indian ministers, government officials, and opposition leaders are among the globally reported targets of Pegasus. These individuals are feared to have had their phones compromised by this spyware. In 2019, WhatsApp sued NSO Group in a US court, accusing the firm of instigating cyber-attacks on the application by infecting mobile devices with the malicious software.
Mitigation Measures Taken in India
India has launched several initiatives to combat cybercrime and enhance cybersecurity. The Cyber Surakshit Bharat Initiative, introduced in 2018, aims to increase awareness of cybercrimes and enforce safety measures across all government departments. In 2017, the National Cyber Security Coordination Centre (NCCC) was developed to detect real-time cyber threats by scanning internet traffic and communication metadata. The Cyber Swachhta Kendra was launched in the same year to help internet users clean viruses and malware from their computers and devices. Recently, the Indian Cyber Crime Coordination Centre (I4C) was inaugurated and a National Cyber Crime Reporting Portal was established.
The Computer Emergency Response Team – India (CERT-In) is the designated authority handling cybersecurity threats such as hacking and phishing. Laws in place include the Information Technology Act, 2000, and Personal Data Protection Bill, 2019.
International Countermeasures
The International Telecommunication Union (ITU), a specialized UN agency, plays a leading role in standardizing telecommunications and addressing cybersecurity issues. The Budapest Convention on Cybercrime, an international treaty that came into effect in July 2004, aims to harmonize national laws and enhance cooperation among nations. However, India is not a signatory to this convention.
Different Types of Cyber Attacks
Cybercrimes take various forms such as malware, phishing, Denial of Service attacks, Man-in-the-middle (MitM) attacks, SQL Injection, Cross-Site Scripting (XSS), and Social Engineering. While malware includes damaging software such as ransomware, spyware, worms, viruses, and Trojans, phishing involves collecting sensitive information through deceptive emails and websites.
DoS attacks are designed to shut down a machine or network by overwhelming it with traffic or triggering a crash. In a MitM attack, the attacker intercepts a two-party transaction, while an XSS attack injects malicious code into a website. SQL injection targets servers storing crucial data for websites and services. Lastly, social engineering tricks users into breaking security procedures so that the attacker can acquire protected sensitive information.