SUMMARY
CERT-In says it published an advisory about the malware attack on May 17
WhatsApp claims to have informed the government three days later without mentioning ‘Pegasus’
CERT-In has been accused of obfuscating facts by deleting vulnerability reports that WhatsApp has submitted in May
In a new twist to the Pegasus and the NSO Group’s WhatsApp spyware saga, India’s Computer Emergency Response Team (CERT-In) revealed on Wednesday (November 6) that it had published an advisory on the malware attack on the app’s users, three days before the Facebook-owned platform first alerted the Indian government.
According to a report, the country’s nodal cybersecurity agency, CERT-In said that it had picked up the threat by using internal tools deployed to check vulnerabilities and published its first advisory to Indian users on May 17.
At that time, the agency had rated the severity as ‘high’ and stated that the vulnerability could be exploited via ‘WhatsApp voice call,’ the report added.
However, the alert by WhatsApp, which was delivered to the agency later in May, did not have any mention of ‘Pegasus,’ a malware developed by Israeli surveillance firm NSO Group to attack the users. The advisory, which warned users against WhatsApp’s vulnerabilities, was removed for a few days after the Pegasus spyware made the headlines. However, the removal did not go well with the members of civil society and privacy enthusiasts, who accused the agency of trying to hide facts.
Earlier yesterday, the CERT-In website came back online after a brief outage.
WhatsApp Vs Indian Government: Pegasus Spyware
In response to reports about the Pegasus spyware, the government picked up on the ‘vague response’ by WhatsApp. The government had claimed that WhatsApp did not mention at all those who are targeted may still be under attack.
WhatsApp then said it had also written to the government In September, stating that there was a spyware ‘attempt’ on 121 Indians and that around 20 Indian users of the messaging app may have had their devices hacked.
Since the Pegasus spyware breach came to light, the ministry of electronics and IT (MeitY) and WhatsApp have been playing a blame game and waging a war of words with the government accusing the company of not disclosing the seriousness of the malware attack and vice versa.
The Indian government claims WhatsApp never revealed anything about Pegasus spyware or the relevance of the attack, which targeted 121 Indians, including journalists, activists and academia, among others.
WhatsApp retorted by saying it informed the Indian government twice, in May and September 2019, regarding the spyware. But, now after CERT-In’s latest advisory stating that it had published the vulnerability three days prior to WhatsApp, looks like the government may have the upper hand in this debate.
