The Extent of the Compromise
by Ulrik McKnight
Since 2009 there has been repeated evidence of severe hacking of Indian government and military organizations, industries, and even journalists’ email accounts. The evidence shows successful long-term cyber-attacks and cyber-espionage, with strong indications that nation states are involved.
The list of compromised Indian targets reads like a spy’s fantasy: TATA, DLF, the National Security Council Secretariat, Indian embassies around the world, the Air Force Station at Race Course Road, the Army Institute of Technology, the Institute for Defence Studies and Analysis, prominent journalists and academics writing on Kashmir, and many more.
Confidential materials have poured out of India like water from a bucket full of holes.
March 2009: Researchers at the Munk Centre for International Studies, University of Toronto, and the SecDev Group in Canada published an investigation into cyber attacks called Tracking GhostNet: Investigating a Cyber Espionage Network. They found a global network of compromised computers belonging to high-value targets. This included about a dozen compromised India-related targets, including the National Informatics Centre, Indian embassies around the globe, the Tibetan Government-in-Exile and the private office of the Dalai Lama. They called their report a “wake-up call”.
April 2010: The same researchers released a follow-up report, Shadows in the Cloud: Investigating Cyber Espionage 2.0, after gaining access to the infrastructure of the hackers they were investigating. Through it they could read some of the documents the hackers had pulled out of infected computers. Astonishingly, they found 13 Indian government documents classified as Secret, Restricted or Confidential. China was viewed as the most likely culprit.
July 2011: Evidence emerged suggesting the Italian cyberpolice, the National Anti-Crime Computer Centre for Critical Infrastructure Protection, had hacked one or more Indian embassies and stolen documents relating to defence deals.
August 2011: The computer security company McAfee released Revealed: Operation Shady RAT, a report indicating, amongst other things, that they had found an Indian government agency to have been hacked.
It is inexplicable that India – a country so rich in technical expertise – has had its IT systems so thoroughly compromised. Cyber attacks are the new norm globally, and most countries have faced humiliating losses of data, but India seems to have been particularly slow to react to this everyday reality. This must be primarily a failure of leadership rather than a shortage of technical ability. How many MPs or senior bureaucrats even begin to understand the technology they are expected to protect?
In an exclusive interview from Helsinki, the renowned virus hunter Mikko Hypponen told The India Site:
“I don’t know if the Indian government even realizes that modern technology is used to conduct espionage. Spying is collecting information, and information can now be collected from anywhere in the world because it’s all online. I don’t think they’ve understood this or taken steps to ensure that they are not vulnerable to attacks.”
Not only has India been hacked, but the attacks have been exposed by people outside of India. They include Canadian researchers, an American anti-virus company, and the activist hackers of “Anonymous”. In fact, there seems to be no one domestically who is ringing the alarm bell about weak cyber-security and the grave risks it creates for the country and its citizens.
Eugene Kaspersky, one of the world’s best known cyber-security experts and the co-founder of the anti-virus company Kaspersky Lab, views India as being under constant attack from many different sources. Speaking from Moscow, he told The India Site:
“I believe that massive attacks on the Indian government and corporations happen all the time, and that they are mostly successful. There is no one particular enemy, but dozens of different sources of attacks. It could be secret services of other countries, competitors of Indian companies, hacker groups who sell stolen data, and hacktivist groups interested in the public disclosure of information.”
Citizens are exposed at least four times over – India’s national security (e.g. military plans), economy (e.g. corporate partnership plans), their personal interaction with the government (e.g. PAN, Visa, and passport details) and personal dealings with corporates (e.g. bank accounts, loans) are all at risk from weak cyber-security. Hacking is made more attractive by India’s low security and a disturbing lack of awareness and concern about attacks.
An illustration of this is a statement on hacking that Sachin Pilot, Minister of State for Communication and IT, gave to IANS on March 6, 2009: “‘There have been attempts, but I can categorically say that not one attempt was successful,’ Pilot said. ‘The government’s computer network system, maintained by the National Informatics Centre (NIC) is highly efficient and safeguards have ensured that national security has not been breached.’”
Later that month, Pilot’s statement was undermined when the Tracking GhostNet report listed a compromised machine at the NIC itself, and a year later the Shadows in the Cloud report showed evidence of severe breaches of national security. Far from being secure, India had let third party researchers in Canada spend months leafing through its secret documents while the government remained in denial.
Experts around the world view Indian cyber-security and awareness as very weak. From Mumbai, security consultant Vijay Mukhi told The India Site:
“In terms of cyber-security, India is one of the most vulnerable countries in the world. I know of many hacking cases in the state and the corporate sector of data being stolen. But we love pretending that the problem doesn’t exist. If a laptop gets stolen, we register a complaint, if our data gets stolen we do nothing.”
Vijay Mukhi’s concerns are echoed by security researcher and founder of the Deadpixel.org security think-tank Sahir Hidayatullah, who points out the endemic weaknesses of Indian government cyber-security:
“Most government systems just about make the grade in terms of functionality. Security is an after-thought. It’s easy to find ‘gov.in’ domains that are vulnerable to extremely well-known attacks. Even worse, you’ll often find obvious traces that [these sites] have been previously attacked, and that nobody seems to have noticed.”
Governments and corporations in the West with flawed security have come under attack from activist hackers such as Anonymous and LulzSec, and open information groups such as Wikileaks. As despised as they are by governments and corporates, these groups are arguably doing the public of the relevant countries a huge service by exposing sloppy security policies.
Any important information that a group such as Anonymous or Wikileaks gains access to can be assumed to have already been compromised by someone who will be using it for less altruistic purposes. Leaving an IT system so openly vulnerable is little different from leaving the front door of your office unlocked – and the consequences are likely to be the same. The significant difference is that offshoots of the Indian state appear not to realize that their data and operational secrets have already been stolen.
By all accounts, Indian cyber security is significantly weaker than that of the US and Europe. Virginia-based security advisor and author Roger Grimes, who has consulted with many Indian firms and teaches computer security, says: “Indian firms, on average, have far worse computer security than the US. So if the US is very hacked, I would think the same thing of India.”
Without policy makers or activists calling attention to it, the gates to the vault have remained silently open to anyone who wishes to abuse it. That may be beginning to change in the Anna Hazare era of activism. On September 2 a hacktivist announced, via reporters at a well-known hacking news site, that he had hacked and stolen data from both India’s IT Department and the Prime Minister’s Office. He claims security was so weak that it was broken using the simplest of hacking methods. The hacker equated the corruption of the Indian government with the corruption of its computer systems. He claims to have withheld data that could harm the nation, but has threatened to release all of it if the Indian government does not improve the data security of its critical systems by mid-September.
Whether this particular hacker’s claims are true or not, Indian citizens have good reason to worry. Not only is their national security and economy at risk, but so is their personal identity and bank balance.
An accomplished Mumbai-based hacker told us that up until very recently, one of the country’s largest government service providers had a security flaw that allowed anyone, even someone with little technical skill, to extract names, addresses and PAN card details of users. This is more than enough information for identity theft, and the fraudulent loans, emptied bank accounts, and transferred property that can come with it. Whatever measures are now being taken are clearly insufficient if this type of confidential information remains available for the taking in 2011.
The irony that a country that is a software superstar is a repeat victim of even inexperienced hackers would be amusing if it were not so serious. As security consultant Vijay Mukhi points out: “Our programming skills are in writing business software and not cyber-security. We do not have an ecosystem of hackers as the better ones leave the country. Nothing seems to wake up the state and the corporates.”
In Part II of India Hacked, we explore the danger of state-level cyberwarfare on India’s national security. As one Indian techie told us, “If there is a cyber war, India will be caught with its pants down.”
Ulrik McKnight co-founded and ran BackOps Engineering, a Mumbai based internet enabled company, and now works with tech firms in the US, India and Europe. He is a regular contributor to The India Site (including the article “Fast Enough to Follow, But Not Fast Enough to Lead”). You can follow him on Twitter: @umcknight.



This failed UPA Govt. is so busy hoarding money in their personal accounts. They have no time to check on such important issues !!!
This self-serving Indian Government has compromised our Nation’s well-being in a multitude of ways.
THEY NEED TO BE BOOTED OUT.
Very interesting and scary article. Looking forward to reading more on the subject!
Here’s the hilarious video of Vishwa Bandhu Gupta http://youtu.be/ApQlMm39xr0 which really goes to show the level of knowledge in government officials about IT related matters. No wonder our country’s institutions get hacked on a regular basis. The hackers have probably had a field day selling our nation’s secrets to the highest bidder.
Amazing. I think this is an underappreciated problem everywhere, not just India. I’d love to hear more about the ramifications of this kind of cybercrime. For example, there are identity-theft horror stories about people spending years to get their lives back after being subject to fraud, and I think this really helped raise awareness and consumer safety. What are the analogous stories from the cybercrime world? I can only imagine the stakes are much higher at the government level, even if it is “merely” spending millions of taxpayer dollars to clean up after sloppy security … but I’m sure it’s a lot worse. I’d love it if you could shed more light on the impact of all this in subsequent posts.
A wake-up call indeed. I have been in application and security testing for a few years now and have been aware of the dangers of App/infra security – especially in a country such as India where the people who rep India in Gov are low-tech savvy!
At the end of the day… the issue I feel is that most Indians don’t care about it as long as it doesn’t affect them (NIMB syndrome).