dailyO

Why it is a grave error to call arrested BrahMos engineer an ISI agent

Ankit Kumar | Oct 11, 2018 | 18:24


Nishant Agarwal, a 27-year-old senior system engineer working with the research and development wing of BrahMos Aerospace Private Limited, was arrested from Nagpur for allegedly supplying sensitive information to Pakistan-based operatives.

Nishant Agarwal has been designated as an ISI agent by mainstream media. (Source: Twitter)

As soon as the details of his arrest were made public, Agarwal was immediately designated as an ISI agent and ISI mole by the mainstream media. According to the probe so far, the investigators suspect that Agarwal was honey-trapped through ISI-managed Facebook accounts.


He also reportedly got a lucrative job offer through one of these contacts and was asked to submit his professional details through a link, which installed malware on his system. That malware, a type of programme called a remote access Trojan (RAT), may have been used to extract data.

The question that arises is — is it okay to call Agarwal an ISI agent?

Well no, not yet. Here’s why:

The social engineering

To start with, the Defence Research and Development Organisation (DRDO) engineer seemingly didn't even know that his three Facebook friends may have had any relation or affiliation with Pakistan.

(BrahMos Aerospace is a joint venture between India’s DRDO and Military Industrial Consortium (NPO Mashinostroyenia) of Russia.)

According to sources familiar with the investigation, it has been found that Agarwal was in touch with at least three individuals through Facebook. Each of these Facebook accounts represented a young female of Indian origin who lived and worked in the US, Europe and Canada.

Nishant Agarwal could be a victim of social engineering, not an ISI agent. (Source: India Today)

As much as the investigators and my fellow journalists would like to use the classical spicy phrase ‘honey trap’ in each espionage case, the professionals in this field have a different term for it: they call it "social engineering".


Social engineering, according to an insider, is "a process under which a person's social profiling is used to target the vulnerable aspects using (often) virtual identities".

Clearly, in this case, the identities of three independent NRI girls were used to promise Agarwal a better career and life. One of the profiles used to target Agarwal was that of an aspiring musician from Mumbai, who studied and worked in the US.

These accounts have been active for four to five years and have no signs of any relationship with Pakistan.

The technology tango

In these cases, what starts as a casual conversation with a friendly woman on a social media platform soon leads to a trap which often goes unnoticed by the victims.

Sometimes, it only takes a PDF attachment or a simple picture attached to an email to turn somebody's laptop and mobile phone into a spy device, where the compromised device's data is extracted by remote command.

Pakistan's intelligence agency, ISI, has a history of using technology with social engineering for espionage. Amnesty International and US-based security firm Lookout earlier this year published independent reports on how Pakistan-based actors used 'similar' technology to spy on foreign diplomats, military institutions and its own civilians.

Nishant Agarwal in the custody of security agencies. (Source: Twitter)

The honeytrap factory in Pakistan

An India Today report from 2016 reveals how ISI, with the help of independent technology experts, has set up full-time facilities in Karachi to run operations targeting Indian defence personnel using technology and social engineering.

To make these spy operations foolproof, people were also deployed at these centres. These people would occasionally talk to their targets over VoIP calls to establish their credibility.

In March 2016, Japanese cyber security and defence company Trend Micro published a report called “Op C Major” where it was revealed that a Pakistan-based actor was targeting Indian military and diplomatic targets using a combination of Android and Windows-based malware to perform a “long running and successful surveillance campaign against Indian diplomats and military personnel”.

Around the same time, US-based security firm Proofpoint also came out with a similar report, named Operation Transparent Tribe, with similar findings. It has been established that most ISI operations were based on dual use of technology and social engineering, which made sure that the victims would never have the slightest idea that they were working against their country.

So far, it seems that Agarwal is just another victim of ISI's sophisticated espionage matrix, who had no clue who he was working for.

So who is responsible?

ISI's use of such tactics against Indian targets is a well-established fact now. The high offices handling Indian intelligence and defence sectors are fully aware of these attempts, but it's the middle-level officials who are the usual targets.

Although some institutions have taken the initiative to start training their human resources against such threats, there is still a lack of general awareness. It's also important to remember that every compromised ISI target is a lost Indian asset.

It's the duty of the government of the day to ensure that our defence institutions are not reduced to an ISI hunting ground. Branding the victims of ‘viruses and malwares’ as ISI agents is neither wise nor productive. On any given day, the lives of young talented Indian engineers are worth more than the medals earned through a spy hunting program, lest we forget the case of ace ISRO scientist Nambi Narayanan, who was accused and arrested on accusations of spying and lost the most crucial years of his extraordinary career.

And to my colleagues in journalism, a person who was most likely tricked by a complex espionage infrastructure should be called a compromised person, not an ISI agent.

Last updated: October 11, 2018 | 18:24