Tatsat Chronicle Magazine

Espionage: Hooked On Facebook, Booked By The Law

Two of Meta’s most popular products, Facebook and WhatsApp, have emerged as favoured tools to honeytrap those working in India’s defence production sector and civilians living in border areas. These cases also highlight the laxity with which cyber security protocols are implemented at India’s premier defence production establishments.
June 25, 2024
Indian security agencies have flagged concerns about people working in the defence production sector violating use of social media guidelines. Photo: Thomas Ulrich | Pixabay

India’s security agencies believe that social media platforms—especially Facebook—have become the most effective tool for Pakistan’s intelligence agency, Inter-Services Intelligence (ISI), for recruiting officials from the country’s defence production sector and civilians from sensitive border areas.

Over the past few years, a dangerous pattern has emerged where foreign intelligence agencies have used social media to trap people working in the defence production sector. Investigations seem to reveal that the ISI has used these platforms quite effectively to compromise unsuspecting victims. The standard modus operandi is to create fake profiles of attractive women to trap the target. Once the target accepts a ‘friend request’, the conversation turns personal, progressing from late night chats to sharing explicit videos to nude video calling, which is surreptitiously recorded at the other end. Once the target is firmly entrapped, the process of information extraction begins.

The most disturbing aspect is that the compromised person is arrested after they have transmitted sensitive information to ISI operatives posing as Indian women. Indian intelligence officers say that there is no way of knowing to what extent or how many people working in India’s defence sectors the ISI has managed to target. It is not even properly known how many active operations are still underway in India.

The case of Nishant Agarwal, who worked as a junior scientist for BrahMos Aerospace Private Limited (BAPL) at its Wardha Road facility in Nagpur, is instructive in mapping how the ISI sets up a honeytrap in the virtual world and then extracts sensitive information from the computer of the victim, using malware.

He was arrested in a joint operation by the Anti-Terrorism Squads of the UP and Maharashtra police in October 2018. According to the charge sheet, he was in touch with Pakistani ISI agents, posing as women, through social media from July 1, 2017, to September 2018. He was convicted by the Court of Additional Sessions Judge-1, Nagpur, on June 3, 2024.

According to one of the investigators, who spoke to Tatsat Chronicle on condition of anonymity, Agarwal was casually surfing his Facebook timeline on an afternoon in 2017 when a friend request from an attractive girl called ‘Pooja Rajan’ popped up. Agarwal, a DRDO Young Scientist Award winner, was instantly smitten by the looks of the ISI operative’s virtual cutout and accepted the request to connect.

Agarwal and Rajan started chatting and exchanging pictures regularly. It seemed pretty harmless at the beginning but, over a period of time, according to the investigator mentioned above, their ‘virtual relationship’ deepened. Soon, another girl named ‘Neha Sharma’ also sent Agarwal a friend request on Facebook. This person’s modus operandi was exactly the same as Rajan’s. Yet, it did not raise Agarwal’s suspicions. Rather, he got even more deeply immersed in his fantasy world.

Agarwal also connected with another girl called ‘Sejal Kapoor’ on LinkedIn — a social networking site for professionals, which is often used to search for jobs. According to the evidence submitted in the court, Kapoor posed as a recruiter who offered to help Agarwal find a better job, for which he shared his CV on LinkedIn chat. Between December 2017 and February 2018, Kapoor shared a few web links with Agarwal, asking him to download messaging apps for continuing their online conversations. Court documents and the testimony of experts from the Indian Computer Emergency Response Team (CERT-In) show that the links contained data-stealing malware that was found on his laptop. These were identified as Trust-X, which had two versions of Chat 2 Hire and X-Trust Q-Whisper. An expert witness from CERT-In testified in the court that malware inserted into Agarwal’s personal laptop, which had 4.47 lakh documents, was used for outward transmission of classified information.

However, it is not clear from the prosecution’s case why Agarwal had stored some of the most sensitive and top-secret information on his personal laptop after extracting them with pen drives and external hard drives from a computer that he used at work when he was posted at the BAPL facility in Hyderabad prior to his posting in Nagpur.

During his Hyderabad stint, Agarwal worked on the leak check and fuelling system of various variants of the BrahMos missile. In Nagpur he worked on the mechanical aspects of warhead integration. The pattern of copying information from the work computer at the Nagpur facility continued without raising any alarms. During his stint in Nagpur, Agarwal worked on the delivery of 72 to 80 missiles, according to the copy of the judgment that has been seen by Tatsat Chronicle.

It is also not clear from the evidence submitted in the court how a company working on a highly sensitive and strategic weapon system like the BrahMos missile left USB ports active on the computers on its office and factory premises. Evidence suggests that external storage devices like pen drives and external hard drives were regularly connected to the desktop computer that was assigned to Agarwal, though it was not connected to the Local Area Network. This appears to be a serious cyber security failure on the part of BAPL. The investigation and judgment convicting Agarwal are silent about this critical security failure at the enterprise level.

“This is shocking,” said the investigating officer mentioned earlier. “Officials who have got arrested in recent years for espionage have been deployed in very sensitive defence establishments. ISI trapped these officials, who otherwise are highly intelligent people. It is very surprising that they got trapped so easily.”

Agarwal was sentenced to a life term after being found guilty by the Nagpur court under Section 235 of the Criminal Procedure Code for an offence punishable under Section 66(f) of the Information Technology Act and Sections 5(1) (a) (b) (c) (d) and 5(3) of the Official Secrets Act, 1923.

The ongoing investigation and court proceedings against Dr Pradeep Kurulkar are another case highlighting how scientists and engineers in India’s defence sector are being targeted. Kurulkar was arrested by the Anti-Terrorism Squad of the Maharashtra police on May 3, 2023, under various sections of the Official Secrets Act. At the time of his arrest, Kurulkar was also an active member of the Rashtriya Swayamsevak Sangh (RSS) and was the director of the Research & Development Establishment (Engineers) — India’s top defence laboratory under the Defence Research and Development Organisation (DRDO). He was the project leader and systems manager for the Akash Ground Systems — part of the indigenously developed surface-to-air missile system — and played a key role in the design, development, and production of Akash launchers and ground systems for mission control. He was also a Facebook addict.

According to the Maharashtra Police charge sheet, an ISI operative who created a cutout of a woman named Zara Dasgupta, purportedly a software engineer based in the UK, entrapped Kurulkar through social media. The ISI agent allegedly trapped Kurulkar by “sending obscene texts and videos”. The charge sheet claims that the two also talked regularly on WhatsApp through its calling and video calling features. The ATS investigators allege that the calls originated from an IP (internet protocol) address inside Pakistan. They also found that the same IP address was used to get in touch with one Nikhil Shende, who worked in the Indian Air Force in Bengaluru, which is the base of the critical Yelahanka Air Force Station. The police charge sheet states that Kurulkar stored classified and highly sensitive information on his phone. The electronic data trail recovered during the course of investigation revealed that he allegedly shared this information with the Pakistani intelligence operative.

Though the police complaint was lodged against Kurulkar by the DRDO’s internal vigilance and security department after it suspected him of having compromised national security, the big question, yet again, remains unanswered: how did he manage to transfer top-secret information about India’s most critical defence systems from the secure computer systems of DRDO to his phone? Both Agarwal and Kurulkar violated the communication and security protocols that are regularly issued by the government’s internal security apparatus. These protocols prohibit use of social media and messaging apps that are publicly available.

The ISI is not just targeting people who work in India’s defence establishment; it is also using Facebook for recruiting civilians living in sensitive border areas — as in the case of Narendra Kumar, a 22-year-old bike mechanic from Anandgarh Khajuwala in Bikaner, close to the international border.

He was arrested by the intelligence wing of the Rajasthan police in October 2023 under the Official Secrets Act for sharing sensitive information.

According to S. Sengathir, Additional DIG (Intelligence), Kumar was contacted by two Facebook accounts being run under the names of “Poonam Baweja” and “Sunita” in 2021. Baweja claimed to be working as a data entry operator for the Border Security Force (BSF) in Bathinda in Punjab, while Sunita claimed to be a journalist. During the course of their interaction on Facebook, Baweja asked for Kumar’s WhatsApp number through which they remained in constant touch. She even promised to marry him in the future.

As their “virtual friendship” deepened, the two ISI operatives posing as women started demanding pictures and videos of border infrastructure such as roads, bridges, Army and BSF posts, observation towers, movement of Army vehicles and convoys, and visuals of restricted places. During the course of investigation, the IP address was traced to an ISI office in Islamabad.

In August 2021, the Andhra Pradesh police arrested a Central Industrial Security Force (CISF) constable, Kapil Kumar Jagdish Bhai Devmurari, posted at the Visakhapatnam steel plant, for sharing security-related information with a woman named “Tamisha” who had befriended him on Facebook. During the investigation, it was found that Devmurari allegedly passed on information regarding security protocols at the steel plant to his handler, who, investigators believe, operated out of Pakistan. He is facing charges under Sections 4 and 9 read with 3 under the Official Secrets Act.

Over the past five years, multiple cases have come to light where social media, especially Facebook and WhatsApp, have been used by foreign agents to trap people in India’s security establishment. These cases show in a poor light security protocols that are not only outdated but also not implemented properly or ignored by those who work in the security sector.

Jasvinder Sidhu

Jasvinder Sidhu is a freelance investigative journalist who worked for newspapers like The Greater Kashmir, Amar Ujala and The Hindustan Times.