Revealed: Malware from a Fake Source, the Whistleblower's Gratitude and the Story Behind the Tek Fog Story
Days after The Wire’s exclusive on the Tek Fog app, an intriguing email from a person claiming to be a Persistent Systems insider arrived. It carried a malware payload, which Protonmail caught and removed.
21 January 2022
Last week, The Wire revealed the existence of a highly sophisticated secret app called ‘Tek Fog’, used by cyber troops affiliated with India’s ruling party to hijack major social media and encrypted messaging platforms. The 20-month-long investigation shows how the app automates hate and targeted harassment, spreads propaganda and is a marriage of big tech and dirty politics. Read all the three parts of the investigation here, here and here.
New Delhi: Tek Fog may be an app that aims to dehumanise and divide people, but our investigation into its use in 2020 also marked the beginning of our friendship.
On March 1, 2020, Ayushman and I met for the first (and only) time in person, outside a local market in Noida. The purpose of this meeting was to discuss a report I had independently published a few months earlier that highlighted the massive tweet volumes and complex hierarchies of the BJP and Congress IT Cells on Twitter. Ayushman was interested in finding common ground between his work as a research analyst at a digital forensic lab and the dataset that I had used to analyse the network of IT Cells. A day before we met, he was working on a two-part investigation into neo-Nazi groups on Telegram and was amazed at how the BJP network graph looked in one of my reports.
We planned to meet briefly over filter coffee at Lakshmi Coffee House, but the topic of studying dis- and misinformation in India was so intriguing that we kept discussing its different angles on the street for at least two hours afterwards. We finally decided to document our conversations, track the lifecycle of one of the bot accounts in the BJP and Congress networks, and meet again in a month to share and corroborate our findings. Little did we know that the country would come to a standstill in just three weeks, thanks to the series of COVID-19 lockdowns.
We, however, kept working in parallel to expand this research and regularly chatted about our ‘discoveries’ on a WhatsApp group. In the following months, we also spent around Rs 54,000 on three new servers to monitor, archive and analyse around 85,000 ‘highly suspicious’ accounts, most of which propagated the right-wing agenda.
Tek Fog makes an
At around 4 pm on April 28, 2020, Ayushman sent me a WhatsApp message asking “Do you know anything about Tek Fog?” Simultaneously, I sent him the Twitter link of Aarthi Sharma’s tweet that I had received from another WhatsApp group, which mentioned Tek Fog as one of the apps used by BJP IT Cell to bypass verification codes, automate replies and manipulate hashtag trends.
Ayush had already searched for the keyword “Tek Fog” on Google and couldn’t find any results matching such an app. I was intrigued about the mention of another app called “Tasker” in Aarthi Sharma’s tweet. Tasker is an Android app that is well known in the ‘niche’ tech community for automating tasks like sending a message. Tek Fog, on the other hand, was a ghost app. Even if Tek Fog was a figment of someone’s imagination, why would a person who knows about Tasker and its functions come up with that unique and specific word, we wondered.
Ayushman decided to message them on Twitter. For the next 24 hours, there were no replies. It was my turn next. No one replied until 48 hours later. At 2 am, we both received a reply. The person behind the account had no way of knowing we were working together. They thought we were two different individuals reaching out for information separately. We figured this was a better way to cross-verify information and see if two versions of the story match, and if there are any discrepancies. So we kept this going, asking them to provide an overview of their background, their daily tasks, the app capabilities and the infrastructure behind the application.
We both proceeded cautiously; after all, the claims made by the whistleblower were quite incredible from the get-go.
In our initial conversations with them, we could sense a dissonance in their chats. It appeared that they were bitter and resentful towards the Indian media community at large. Unsurprisingly, they showed hesitation in sharing confidential information all at once. They claimed that they had tried to get the story out before and had been either ignored, threatened or disregarded by the media persons concerned. The whistleblower mentioned a few reporters but we are withholding their names.
At this moment, Ayush and I decided to take it slow and not rush them to present all their evidence. Slowly, they started sending us screenshots of the app. We discussed each and every screenshot with them in detail. We asked them to provide us direct access to the Tek Fog app instead. They said it wouldn’t be possible and claimed that this was due to the presence of various security restrictions – including the requirement of three one-time passwords (OTPs) to login to the app dashboard and the use of a local firewall that prevents access to external users.
We decided to collect as much information as we could, so we asked them to share their daily tasks. Since the Tek Fog app was accessible only inside a specific firewall, the source claimed they had to share these screens from their office premises – a factor that forced them to be extremely cautious when responding to our requests.
As part of its regular workflow, the Tek Fog homescreen shows a list of 'daily trends' that operatives are required to amplify across Twitter and Facebook using the automation features built into the app. To verify this feature, we asked the whistleblower to send some of these hashtags ahead of time, before they had automated them through Tek Fog. We followed it by asking them to send screen recordings of their device showing all the screens of their workflow. In these screen recordings, we noticed a dynamic cloud database of private citizens categorised according to their occupation, religion, language, age, gender, political inclination and even physical attributes. We asked the source to drill down into some of these categories, one of which was female reporters. The derogatory and abusive keywords that the app suggested in this category made us uncomfortable and made us question the intention of the app for the first time.
Was Tek Fog just a digital marketing tool? The answer was clearly no.
That night of
The investigation would move at an agonisingly slow pace for months, before rapidly accelerating into a cyber dystopian crime drama – which sounds appealing, as long as one avoids finding oneself slapbang in the centre of the whole sordid affair.
The night that the whistleblower provided an impromptu demonstration of the ‘inactive’ WhatsApp hijack, sending messages to five of our contacts and following it up with a screencast of the exploit within six minutes, ratcheted up our levels of paranoia. The following session, where they sent us a manipulated, AI-generated version of an article Ayushman had published for The Print and claimed ‘we can make you say whatever we want you to say’, didn't help us calm down either.
Eventually, after eight months of building their trust and comfort, the source revealed their identity to us, sharing bank statements with a name and address and following it up with a medical prescription which showed they were being treated for trauma. That information allowed us to use direct means to reconfirm their identity.
During these conversations, when we asked the source their intentions, they said that they had decided to come forward after their alleged handler – Devang Dave, ex national social media and IT head, Bharatiya Janata Yuva Morcha (the youth-wing of the BJP) and current election manager for the party in Maharashtra – failed to deliver on a lucrative job offer promised in 2018 if the BJP was able to retain power in the 2019 Lok Sabha elections. (In an email to The Wire, Dave has denied any knowledge of or involvement with Tek Fog.)
The source explained that Persistent Systems employs them as a 'social media incharge' based out of the company's corporate office in Nagpur, India. However, their current project to operate the Tek Fog app required close collaboration with Sharechat and the person they identified as their immediate supervisor, Devang Dave. To further corroborate the authenticity of these documents, we compared them to payslips sourced from other employees working at Persistent Systems and found them to be a match.
This is when we started independently investigating the role of these companies in Tek Fog. The first was an Indian-American publicly traded technology services company, Persistent Systems. We started locating friends/friends of friends who worked at Persistent. Many people at Persistent said that they had seen some of these features in one way or another. But no one wanted to take the risk of searching for and sending us internal documents of this nature, with a fear that the company might be saving logs or search histories. Eventually, one person took that risk, went to the office of Persistent on a non-working day and shared the screens of their internal collaboration tool showing around 17,000 assets in the search results of the keyword 'Tek Fog'. This second source got so scared that they decided not to go to the office for a week. We suggested otherwise. “You should go to the office, else people might be suspicious,” we said.
This evidence became a key factor in our investigation, thanks to the courage of this one person.
The final piece in the puzzle
Over the next few months, we ran multiple experiments to find a link between Sharechat, the Bharatiya Janata Yuva Morcha and Tek Fog. I parsed 3.8 million publicly available posts uploaded in the popular 'Hindi' and 'Marathi' trending communities on Sharechat, and found that the platform was plagued by fake news and hate speech issues. Ayushman unearthed every document, social media post, company filing and almost every news article that was written about Devang Dave and his company, Social Central. He also began reaching out to other journalists and political analysts to find more background information on Dave. Interestingly, some of these associations of Dave’s were revealed by Alt News, right after we had a lead.
Though many of these findings were interesting stories in themselves, none of them connected Sharechat and BJYM to the app. That’s when we decided to contact our original whistleblower and see if they could verify these links for us. After remaining silent for many weeks, the source connected us via email to another current BJYM office-holder. This individual sent us a piece of code via their official email id that helped us identify the various external websites and tools connecting to the secure server hosting the Tek Fog app.
This script helped us to locate a live Tek Fog server and verify that metabase.sharechat.com (Sharechat’s internal dashboard), bjym.org and isupportnamo.org (managed by Dave) were accessing this private app. As an additional step, we corroborated the authenticity of the script by having it reviewed by an independent expert, currently employed as a lead software architect at Microsoft.
For 14 months, we kept waiting for a counterfactual – for the source to embellish a claim, for our independent analysis to run counter to their primary testimony, for one of the many technical experts we reached out to with evidence to find an error in our methodology and tell us we had just spent the better part of the last two years on a wild goose chase led by a foreign adversary, a renegade digital marketing executive or maybe just a really bored teenager who thought it would be hilarious to take two unsuspecting researchers for the ride of their lives. And yet the information continued to hold up to scrutiny, and we had no option but to keep on going.
Six months into the investigation, I had informed Siddharth Varadarajan, Founding Editor of The Wire, about our findings. Siddharth and Anuj Srivas, our tech and business editor, suggested many ways to verify our sources and follow the money trail. Privately, they were also involved in the Pegasus investigation, which was released right at the same time when we located the final piece in our investigation.
While the Pegasus story was unfolding, Ayushman and I worked together on creating a cheat sheet that centralised everything we knew, the verification method and what else we wished to know. Here is that list:
1. Twitter trends are manipulated using the Tek Fog app.
How do we know? A few hashtags, such as #CongressAgainstLabourers and #कर्मयोगी, which appeared in the task list of the Tek Fog app were sent to us by the source before the amplification. Both hashtags showed inauthentic and suspicious on-platform activity from many accounts. We also sent a list of the top 5,000 of these accounts to the Twitter Global Public Policy team, following which many of the accounts in the network have either been suspended or deleted. We have withheld making this list public as it is likely Twitter itself may do so.
What else do we wish to know? How does Tek Fog bypass the security limits set by platforms like Twitter, Facebook? Does this process utilise the creation of ‘temporary’ accounts from the Tek Fog app or is it done by the integration of existing accounts belonging to real BJP workers?
2. Inactive WhatsApp accounts can be hijacked by Tek Fog operators.
How do we know? One of the authors' WhatsApp accounts was hijacked in real time and used to send a message to that author's 'frequently contacted' users on the platform.
What else do we wish to know? The precise mechanism through which Tek Fog is able to compromise WhatsApp accounts.
3. Tek Fog operators can modify existing stories to create fake news.
How do we know? The whistleblower gave us a link (generated by a URL shortener) that redirected to a manipulated version of an article. Analysis by the team and other independent experts showed that an embedded payload in the query string of the URL can trigger cross-site scripting (XSS) on many blogs and websites, so that the page renders the attacker's content in place of the original.
What else do we wish to know? Is there any other method to morph URLs?
4. Female journalists were abused and targeted.
How do we know? The network of ‘suspicious’ accounts that amplified hashtags shown in the Tek Fog app also abused the top 280 most retweeted journalists almost a million times between January 1, 2021 and May 31, 2021. The keywords used in the tweets matched one of the many derogatory keywords shown in the Tek Fog app.
What else do we wish to know? Is this abuse based on categorisation as shown in app screenshots or individual targeting?
5. Persistent Systems is involved in this operation.
How do we know? An independent source shared screenshots (via their official email id) of the company's Microsoft Sharepoint, indicating the app's active development through around 17,000 assets identified by the search term 'Tek Fog'.
What else do we wish to know? The contents in these documents.
6. Sharechat and BJYM are involved in the Tek Fog operation.
How do we know? We located a live Tek Fog server. A BJYM office-holder sent us a piece of code via their official email id, that helped us identify the various external websites and tools connecting to the secure server hosting the private Tek Fog app. Three of the URLs were metabase.sharechat.com (Sharechat’s internal dashboard), bjym.org and isupportnamo.org (managed by Devang Dave).
What else do we wish to know? What is the nature of data that Sharechat and BJYM websites are requesting from the Tek Fog app?
7. Tek Fog operators were employed during communalisation of COVID-19 and Delhi violence.
How do we know? The hashtags related to COVID-19 communalisation and the February 2020 Delhi violence presented in the Tek Fog app showed accounts demonstrating ‘highly suspicious’ levels of activity, amongst a range of other indicators. Many of these accounts also showed suspicious behaviour in sharing tweets with other hashtags that originated from Tek Fog.
What else do we wish to know? What are the other events of national significance where Tek Fog was employed?
8. What we couldn’t verify.
We also had a clear sense of claims the whistleblower made which were impossible for us to verify without physical access to the app, or rather the premises where Tek Fog was being used, especially Tek Fog’s ability to erase traces. The Wire’s editors made an editorial call, based on the whistleblower’s reliability – and the fact that all their other claims had checked out – to mention this auto-delete feature in the story, with the caveat that it was not possible for us to confirm it.
This cheatsheet helped us to make a decision on whether the proof we received and verified was enough and credible, in order for us to publish. The Wire’s editors also decided to clearly highlight the limitations of this investigation to our readers for transparency. After 20 months of investigation, it was finally decided to release this story in the new year after getting it translated into three other languages – Hindi, Marathi and Urdu. We also left an email, email@example.com, at the end of our article for people to contact us with more information.
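Item 3 of the cheat sheet describes a link whose query string carries a payload that many sites reflect into the page unescaped. The following is an added illustration of that general mechanism, reflected cross-site scripting from a query parameter, and of the fix; it is not code from the investigation, not the script the BJYM office-holder sent, and says nothing about how the manipulated article actually worked. The article URL, the `title` parameter, the page template and the sample links are all constructed for the example.

```python
"""Reflected XSS from a URL query string: vulnerable vs hardened rendering.

Added example, not code from The Wire's investigation or from Tek Fog.
The URL, the `title` parameter and the page template are constructed.
"""
import html
from urllib.parse import urlsplit, parse_qs

# Constructed template: an article page that takes its headline from the
# `title` query parameter, the kind of pattern that makes a site reflect
# whatever a crafted link puts into the query string.
TEMPLATE = "<html><body><h1>{title}</h1><p>{body}</p></body></html>"

# Characters that have no business in a plain-text parameter and mark a
# value as markup; a 'javascript:' prefix marks it as a scriptable URL.
MARKUP_CHARS = "<>\"'"


def query_params(url: str) -> dict:
    """Decode the query string of a URL into {name: first value}."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(url: str, body: str) -> str:
    """Interpolate the raw parameter into HTML: attacker markup becomes live DOM."""
    title = query_params(url).get("title", "")
    return TEMPLATE.format(title=title, body=body)


def render_hardened(url: str, body: str) -> str:
    """Escape every untrusted value for an HTML text context before interpolation.

    html.escape turns < > & " ' into entities, so the browser shows the
    attacker's text instead of executing it.
    """
    title = html.escape(query_params(url).get("title", ""), quote=True)
    return TEMPLATE.format(title=title, body=html.escape(body, quote=True))


def has_active_content(rendered: str) -> bool:
    """Crude check for the demo: does the output carry a script tag or an
    inline event handler that the template itself never contained?"""
    lowered = rendered.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered


def suspicious_params(url: str) -> list:
    """Triage helper: names of query parameters whose decoded value carries
    markup characters or a javascript: URL. Run it on the final URL after
    expanding a shortened link, since the shortener hides the query string."""
    flagged = []
    for name, value in query_params(url).items():
        if any(c in value for c in MARKUP_CHARS) or value.lower().lstrip().startswith("javascript:"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed links: a benign one and one carrying a reflected payload.
    benign = "https://news.example/article?id=42&title=Budget%202022"
    crafted = ("https://news.example/article?id=42"
               "&title=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")
    for url in (benign, crafted):
        print("flagged params:", suspicious_params(url))
        print("vulnerable executes markup:", has_active_content(render_vulnerable(url, "text")))
        print("hardened executes markup:  ", has_active_content(render_hardened(url, "text")))
```

The hardened version is the standard fix for an HTML text context; values placed inside attributes, URLs or inline scripts each need their own context-specific encoding, and a Content Security Policy limits the damage when one reflection is missed. `suspicious_params` is only a triage aid for links received from a source, not a detector a site should rely on.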
The aftermath: Malware ‘scoop’ from a ‘fake source’ and feedback from the original whistleblower
A day after we published the first part of the story, we received an email from an individual using a Protonmail account who claimed to be a Persistent source and shared a Tor link to download files that were part of the company’s Sharepoint screenshots. The same source also reached out to one of The Wire’s founding editors asking where they could send some material.
"Read your articles on tek fog. I work at persistent and have access to many of the docs you’ve shown in your share point screenshot. What’s the secure method to send it across to you? Is your phone still infected with pegasus?"
We created a separate Linux server to download those files – which clocked in at 20 GB – in the background and went back to finalising the second and third parts of our story. Three days later, we started receiving security emails from Protonmail and our email id became inaccessible for a few hours. On reaching out, the Protonmail security team confirmed that there had been a surge of ‘denial-of-service’ attacks on our email, and added that the email with the Tor link contained malware. The issue has since been resolved, and none of the contacts or email data was compromised, thanks to the time-based one-time passwords (TOTP) associated with the account.
Clearly, this was an attempt by a sophisticated player to undermine The Wire’s investigation and also perhaps discover the whistleblower’s identity.
Ten days later, the original whistleblower, whose Twitter account was hacked a day before we published the story, emailed us with their thoughts. The email is reproduced below after making minor syntax changes.
“Finally read all the three pieces that were published on The Wire. It was hard and shivering to revisit all those memories again but I could breathe at the end of it, because you both hit the nail on the coffin. Other pieces of investigation which you both did, like finding Persistent internal documents and showing graphs of delhi riots, were solid.
“Tbh, I didn’t behave well enough with both of you during the process. I misbehaved a couple of times. My experience working on this app made me bitter and rude. I knew what I was doing, but initially I had no option. It was a good company, the salary was good, I made a few good friends, and they always said I would be promoted to a government job. When that didn’t happen and when I started complaining about it, only then did I realise the fear and the continuous state of trauma, looking over my shoulder and checking who is my friend or not. I wasn’t sure who to trust or not. I received emails from many reporters from Reuters and Times of India but I didn’t follow up with them as they demanded information that I wasn’t comfortable sharing with them initially. That bitterness reflected on our interaction as well. I am sorry for that.
“I also want to apologise to hundreds of women whose life I made hell. I didn’t realise the personal trauma I caused to them, until I suffered from the same. I thought it was normalised and these people don’t care about abuses from unknown accounts on social media. I was wrong. After reading tweets of many women who responded to the story, I can see I was so wrong.
“I am thankful that you all covered the story and thankful to your editors, video creators. I am safe. my Twitter account is hacked and every day 20-30 emails I receive harassing me on this email. I will close it in a few days.”
In the last 20 months, Ayushman and I have taken a path of friendship and mutual respect. Indeed, we reached out to our sources with care and empathy, but that doesn’t mean that we were not stern and direct in clearly communicating about what we need from them to verify their claims.
It appears that during the same time, the whistleblower has taken a journey of self-transformation – towards acceptance and self-help. Only time will tell whether they will be able to redeem themselves, and whether the people they have hurt will forgive them for their actions.
What we do know is that this is our first step forward, and we are not going to stop, come what may. We have shown that Tek Fog, like Pegasus, threatens our democracy. The next step is to work with partners and other investigative agencies to probe the unanswered questions in our wishlist.
Note: If you are working with Persistent Systems, Sharechat or the BJYM and are using/ have used or know more about the Tek Fog app and the broader operation underpinning its use, please contact us at firstname.lastname@example.org. We will ensure your anonymity and privacy at all costs.