TekFog: BJP’s Cyber Weapon to Target Citizens

The Wire, an online news portal, recently published a three-part investigative report on a sophisticated secret app called TekFog, which is used by the IT Cell of the BJYM (the youth wing of the BJP) to automate its online hate campaigns. According to the investigation, the app can “hijack” people’s WhatsApp accounts without their knowledge or consent and use these accounts in automated campaigns. These campaigns send hate messages on social media platforms such as Twitter and Facebook and even morph the URLs of real news stories to redirect readers to fake news stories.

It has long been well known that the BJP has invested huge sums of money in building a vast online troll army, which it uses to spread its divisive misinformation campaigns and to troll and abuse voices opposed to the BJP and the Modi government. What is new in these revelations is the sophistication of the tools at its disposal: the hacking of WhatsApp accounts, the automation of trolling activity at scale, and the active connivance of corporate houses in enabling these tools for the BJP’s troll army.

One of the most disturbing things about the TekFog app seems to be its ability to hijack the WhatsApp accounts of private citizens. This is done by sending a video or image attachment to the targeted WhatsApp account from an unknown contact. The file contains malware, which is activated when the targeted person clicks on the attachment. At this point, the targeted WhatsApp account is compromised and used by TekFog operatives. The malware also downloads the person’s complete contact list and other personal information to the TekFog servers. In addition, the IT Cell operatives monitor the activity status of the targeted WhatsApp account from the TekFog app. Once the activity status of the account becomes ‘inactive’, the account becomes available to the TekFog operatives to send messages to its contacts and to anyone else. All this is done without the owner’s knowledge.

The choice to use the account only once it becomes ‘inactive’ is a practical one and not a technical limitation, as sending fake messages while the owner is still actively using the account might raise suspicions. This type of attack is similar to that employed by Pegasus, though Pegasus attacks are more sophisticated: they are zero-click attacks, meaning the targeted person does not need to click on anything for the malware to be installed, whereas in the case of TekFog the person has to click on the attachment.

Another feature of the TekFog app is the ability to trend hashtags and topics on Twitter. Topics are supposed to trend on Twitter when many people spontaneously post on a particular topic within a short period, for example, when a real breaking news scenario happens. Social media teams covet the ability to manipulate this trending feature on Twitter as it can then be used to amplify their narrative. These trends often drive mainstream news reporting.

The TekFog app can make automatic posts, tweets and retweets on Twitter and Facebook from accounts controlled by the app. The app can control hundreds and even thousands of such accounts. So, a single TekFog operative could automatically generate thousands of posts from a large number of different accounts in a brief period, leading to the hashtag or topic being pushed by these posts to trend on Twitter.

It has long been well known that the BJP IT Cell routinely gets its communal and fake news topics to trend on Twitter using its troll army. These revelations make it clear that the BJP can trend issues with a relatively small number of operatives using the TekFog app. The volume of tweets and retweets does not reflect real people but TekFog operatives utilising the app. While the accounts controlled by the app could be accounts of actual BJP IT Cell members handed over to TekFog with their consent, it appears the app can also create “temporary” email addresses, activate phone numbers and bypass captcha codes to automatically create thousands of fake accounts on social media platforms such as Twitter and Facebook.

This ability to auto-post from multiple social media accounts is used for another very pernicious activity: trolling and abusing those critical of the BJP/RSS, especially women journalists active on social media platforms. The app has access to a cloud database of people critical of the BJP/RSS, including students, activists, journalists, comedians, etc., together with their personal information such as religion, language, gender, sexual orientation, age and, in some cases, physical attributes such as skin complexion and other personal attributes. This information is then used to target specific individuals for trolling and abuse based on their characteristics, by replying to their posts from multiple accounts on Twitter. The replies use abuse, threats or derogatory misogynist phrases kept in Google Sheets linked to the app. The most frequently targeted individuals are, predictably, women and Muslims.

Yet another feature of this sophisticated app is the ability to add code to the URL of an existing published real news article on a mainstream platform, resulting in the unsuspecting user getting redirected to a similar-looking but fake news article on a different website. This exploit is in some ways similar to URL injection attacks used by hackers to break into websites and probably takes its inspiration from such well-known modes of attack.

As we can see, the TekFog app is effectively a cyberweapon that is actively used every day by people affiliated with the BJP to further its agenda and silence its critics. Creating such a tool clearly requires a high level of technical sophistication. The Wire report points to the involvement of a publicly traded software company, Persistent Systems, in developing this app. According to The Wire report, a source working in the company shared screenshots of internal documents confirming the company’s active development of the app. Persistent Systems has heavily invested in acquiring government contracts since 2015. Its executives have publicly boasted about being ‘bullish on government spending on information technology to boost its revenues’. Persistent Systems ended up landing a massive contract to build a digital data hub that would record, store and process health information across ten Indian states. If Persistent Systems is indeed working with the BJP’s troll brigade and helping automate its tools, the availability of private personal data through Persistent Systems’ access to the digital data hub is dangerous for people’s privacy.

Social media companies such as Twitter and Facebook, and an Indian company called ShareChat, also seem to be complicit in allowing such activity on their platforms by turning a blind eye to it, although it has been happening on a well-organised basis and on a large scale. These platforms typically have systems to detect automated activity, referred to as bot activity, and shut it down. And yet all these platforms failed to take action on such activities, which have gone on for years.

The TekFog investigations show that the ruling party employs highly sophisticated tools to engage in hate speech and misinformation and in silencing its critics through online trolling, abuse, and threats. This is illegal and amounts to cyber warfare against the country’s citizens. And all this is being done with the active or tacit connivance of tech corporates and social media companies. The general public needs to be educated about these nefarious activities. We also need to demand legal action against the ruling party and the corporates who have enabled them to acquire and use such cyber weapons on our people.