By Ulrik McKnight
In Part I of India Hacked, The Extent of the Compromise, we explored the extensive hacking of corporate and political India. In Part II we examine the national security implications of this trend.
State-Level Hacking
China has repeatedly been found to use its expertise as a cyber-power to access highly confidential information relating to the national security of other nations, including India. India should take note, not only because of its historically contentious relationship with China, but also because of China’s undeniably close ties with Pakistan, a country that continues to sponsor terror across India.
Just as armies fight on land, and navies at sea, national cyber-forces now fight in the online world. Cyber warfare is the new battlefront. But it is a battle that India, like many countries, is ill-equipped to wage. This has left the country under-defended against sustained, damaging state-level attacks.
The renowned virus hunter Mikko Hypponen told The India Site: “We’ve traced most of the cases of hacking against India not to Pakistan, not to Russia, not to anywhere else, but to China.”
China has a large cyber army and also uses a network of patriotic and mercenary hackers that allows the state to deny responsibility. China has extensive control over its Internet, leading many to take for granted that these attacks are government sanctioned. That being said, many countries conduct cyber-espionage, and attributing attacks can be difficult. Looking at who benefits from the espionage offers a good indication of who may be responsible.
[Photo: Mikko Hypponen]
To illustrate this, Hypponen gives an example of the reasoning that led him to blame China for an attack in Norway:
“China protested vigorously when the 2010 Nobel Peace Prize was awarded to Chinese dissident Liu Xiaobo. A week later the website of the Prize was hacked so that anyone who visited it would get a virus. The site had a clever IT manager who found the attack and fixed it. A few days later he got an email from the Nobel Prize Committee thanking him, with an invitation to the Peace Prize Award Ceremony itself. The email included a PDF of the official invitation. It turns out that the mail was fake – opening the invite also secretly unleashed a new attack. The Nobel Prize Committee obviously didn’t send the email, but the PDF was the real invite to the ceremony. The current, official, Nobel Prize invitation is not the kind of file that you find by Googling. Who else would have, or could have, launched this attack but China?”
Just as there is a physical border between India and other countries, there is also a cyber-border. Foreign troops crossing the physical border would be an act of war. Why then do troops crossing India’s cyber-border go nearly unnoticed?
‘Break the people, break the system’
State-level hacking often involves social engineering. Hackers trick users on high value networks and infect their machines. Breaking the weakest link in the chain compromises the entire network.
Humans, not surprisingly, are the weakest link.
The most junior staff in the private office of the Dalai Lama were targeted – once their machines were compromised the rest of the network crumbled, giving the attackers at least a year’s worth of the Dalai Lama’s emails.
A Mumbai-based hacker specializing in network penetration says: “If I was attacking the Government today, I would send every email address in every government department a malicious link or attachment. I have no doubt that it would be opened by over 75% of people, and that I would have control of government systems at multiple levels by the end of tomorrow afternoon. Sadly, this is neither a sophisticated nor a novel attack.”
He’s right. This has already been done to the Indian government, and not even to junior staffers.
In August 2011, newspapers reported that these types of emails had been sent to many senior government officials, including the head of the foreign service. The attacks were so successful that in the Ministry of External Affairs even offline machines, which should be the safest, were compromised and their data sent to the adversary. In this case the National Technical Research Organisation (NTRO), the apex group under the Prime Minister’s Office tasked with India’s cyber-security, responded to the attack and neutralized it – but not before discovering that some of the machines had been under hostile control for over two years.
Pukhraj Singh, a cyber-warfare specialist and Officer on Special Duty (OSD) at NTRO, was recruited out of the private sector after 26/11 and has worked on the investigation of these attacks. In a paper about cyber warfare to be published in the inaugural edition of the Jindal Journal of International Affairs Singh estimates that terabytes of data were stolen, and describes the scale of the operation as “mind-numbing.” He hypothesizes: “One can imagine a nondescript safe-house with thousands of geopolitical analysts, linguists, military experts and hackers busy processing this data, scouting for potential moles or war-gaming the readiness of India’s defence forces. The case of this being an independent enterprise should simply be ruled out for once and ever – there has to be tacit patronage from China.”
Singh told The India Site: “After our investigation an inter-ministerial task force on cyber-security was established and reports on cyber-attacks started trickling to the top echelon of the establishment. Like any other institution, the progress is extremely slow but it is happening. We are very vulnerable, a lot of damage has been done to our national security but the government has now taken notice. How quickly or efficiently we can put corrective systems in place remains to be seen.”
This kind of vulnerability is not a unique Indian phenomenon; it happens all around the world. The US Department of Homeland Security ran an experiment placing infected CDs and USB drives in the parking lots of government contractors. They found that up to 90% of the infected items that were picked up would be inserted into target computers.
But who needs social engineering? Senior Indian politicians and organizations voluntarily choose to expose themselves.
Security expert Sahir Hidayatullah told us, “Many government bodies and even senior officials use Gmail and Yahoo accounts to transact official business, moving highly confidential data beyond the boundaries of any controls that may have been put in place.”
Hypponen put it in sharper perspective: “If a government is using Gmail for official state business, you have big problems. Why would the Government of India want to trust their secrets to a private company headquartered in the United States? It makes no sense.”
A weak security culture opens the door to attack.
[Photo: Sahir Hidayatullah]
Hidayatullah described an experience: “I was sitting in the office of a senior government official who was using his work computer to download software that was definitely infected. When I made clear the risks, he responded, ‘but what secrets do I have?’”
Despite efforts to ramp up a cyber army, the Indian government’s cyber defences are only as strong as their weakest link. Do you trust every MP and government bureaucrat not to use a new iPad they have been gifted? Do you trust their teenage office boy not to open a CD with a racy title that he one day finds next to his scooter?
National security threatened
The main goal of state-level hacking has been to gain confidential information, but an alarming new type of threat has emerged.
Iran’s uranium enrichment program was targeted with a very sophisticated worm called Stuxnet that set it back years. Stuxnet did as much damage to Iran’s nuclear ambitions as a missile strike might have – but without bloodshed or evidence of who was responsible.
Eugene Kaspersky, founder of Kaspersky Labs, told us: “Stuxnet is the first known example of a Cyber Weapon – something that solves a problem that would previously have been addressed by military force. A Stuxnet-like threat is a threat to national security.”
[Photo: Eugene Kaspersky]
Hypponen painted an even bleaker picture: “I don’t think any country is ready for a Stuxnet kind of attack. It’s like someone opened Pandora’s box.”
Stuxnet spread around the globe, but only attacked Iranian systems. Anti-virus firm McAfee found that India was very heavily infiltrated by Stuxnet, but still had not put up defences. According to Pukhraj Singh, discovering that the majority of Stuxnet-compromised machines were in India served as an eye-opener, making the Indian government understand what was at stake rather than living in a state of denial.
Stuxnet demonstrated the devastating impact that a cyber weapon can have on even a minimally networked nation. As Hypponen put it: “Modifying Stuxnet, which can now be found online, is much easier than trying to create it from scratch. This opens the world up not just for future attacks from the same source, but also to copycat attacks from other parties, other countries, and potentially extremist or terror groups. And that’s worrying.”
Modern societies run on computers – the kind that control factories and power plants. A Stuxnet-like attack on these resources could be devastating. Imagine a hostile entity gaining control of a nuclear power plant’s cooling system, or a hydroelectric dam’s release controls; a terror attack accompanied by the crashing of all military, police and civilian communications; a foreign power gaining read/write permissions in the Unique Identification Authority database, or compromising India’s Electronic Voting Machines.
Nation state-level cyber warfare is the new reality. Hypponen told us:
“The main reason we haven’t seen a real cyber war is because there’s yet to be a war between two developed nations.”
But India faces a different reality than most of the developed world, being a high-tech country in a volatile environment. Prominent security expert Dmitri Alperovitch, who leads McAfee’s Internet Threat Analysis Group and has worked with the Indian government, told The India Site: “A state-funded terrorist group, perhaps pushed by some element of a government, could be a danger. For the foreseeable future the threat from Stuxnet-like attacks will come from nation states. India is definitely at risk as it is in a very unstable part of the world with a constant threat of war. India should assume that it will be compromised, and ask how to make sure that it doesn’t break the country or the economy, or damage national security.”
In Part III, we explore what India and other countries are doing to combat and conduct cyber warfare. As Dmitri Alperovitch told The India Site: “The advantage always goes to the adversary.”
Ulrik McKnight co-founded and ran BackOps Engineering, a Mumbai-based internet-enabled company, and now works with tech firms in the US, India and Europe. He is a regular contributor to The India Site (including the article “Fast Enough to Follow, But Not Fast Enough to Lead”). You can follow him on Twitter: @umcknight
One of the issues not being addressed is India’s boy wonder ‘Ethical Hacker’ Ankit Fadia, and how the Indian media has yet to fact-check anything out of his mouth or press releases since he appeared on the Indian security scene. A group of Western security professionals have done the fact-checking and have found his first book was over 32% plagiarized and a second was over 90% in the first chapter alone.
The mere fact that he seems to have the ear of the Indian Government and Military and consults with knowledge that is at best over 10 years old, has also garnered the attention of MTV and Dell who consider this ‘Ethical Hacker’ a youth icon.
Take a look at hxxp://attrition.org/errata/charlatan/ankit_fadia/ replacing the xx with tt and decide for yourself who is to blame for listening to this amateur and spending Rs on worthless security training and certificates.
What a fascinating report! Astonishing the computer security situation in India is this bad!