Chinese hackers baiting Indian govt, corporate employees: report
Hackers using fake subject headings to get users to open virus-laden email attachments.
This article by Moulishree Srivastava and Anirban Sen was published in Livemint on August 9, 2013. Sunil Abraham is quoted.
Using faked subject headings as diverse as Gujarat chief minister Narendra Modi and the Jallianwala Bagh Massacre, Chinese hackers have been baiting Indian government officials and corporate employees to open virus-laden emailed attachments and expose themselves to the risk of cyber attacks, a new report says.
The report on “advanced persistent cyber attacks” is based on an investigation conducted by security research firm Research Bundle in collaboration with CERT-ISAC. ISAC is a certification body for information technology (IT) security professionals that handles India’s National Security Database (NSD). CERT (Computer Emergency Response Team)-ISAC deals with mobile and electronic security.
“Some time back, there were a couple of high-profile cyber attacks that came to our notice when we were approached by corporates as well as government entities to look into them,” said Rajshekhar Murthy, director at CERT-ISAC, NSD, at the report’s release on Friday.
“First we thought it might be just these few incidents, but as we went deeper into it, it came to light that these threats were far more (widely) spread than we had initially perceived. During the course of our research, we got proof that the threats originated from China,” he said.
NSD, managed by ISAC and the government, is a programme that provides certification to IT professionals who have the capability to protect critical infrastructure and the economy.
“Chinese hackers have been persistent in their attacks. According to our analysis, they have also made a separate wing for these operations,” Murthy said.
The report says, “It’s also a known fact the Indian government and other important sectors from India were heavily targeted during this campaign...focused on stealing confidential documents and sensitive information.”
The threat came in the form of emails with attached documents targeting government and corporate entities. “These documents exploited previously known vulnerabilities to drop ‘Travnet’ malware on to the systems,” said the report, prepared by 20 Internet security professionals over a period of six months.
“These emails showed that China has been gathering information about India and keeping up with current issues, and using those to entice people to open the attachments,” Murthy said.
Some of the attachments had names such as Army Cyber Security Policy 2013.doc, Jallianwala bagh massacre - a deeply shameful act.doc, Report - Asia Defense Spending Boom.doc, His Holiness the Dalai Lama’s visit to Switzerland day 3.doc, and BJP won’t dump Modi for Nitish NDA headed for split.doc.
The malware Travnet was specifically designed to search for “doc, docx, xls, xlsx, txt, rtf and pdf” files on the hacked computer.
“This provides enough hints that this malware was designed to steal confidential information, unlike the usual botnet variants that focus primarily on providing remote access to the system,” the report said. “The malware initially collects system information, a list of files on the victim machine among others, then sends this data to the remote Command & Control server...”
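The report describes the delivery vehicle (emailed Office documents exploiting known vulnerabilities, carrying topical file names) and the file types Travnet later harvests from the victim. An analyst triaging such mail at a gateway or in a SOC would start by pulling every attachment out of the message and checking that its leading bytes agree with the extension it claims, since a document whose header does not match its name is the first thing worth a closer look. The Python below is an added example written for this page, not code from the article, Research Bundle or CERT-ISAC. The message it parses is constructed here: the sender, body and attachment contents are made up, and only the two file names are taken from the report's list. The names extension_of, magic_verdict, triage_message and build_sample are this example's own.

```python
"""Triage inbound mail for document lures of the kind the report describes.

Added example for this page (not from the article or the CERT-ISAC report):
parses a constructed .eml, lists each attachment, and checks that the file's
magic bytes agree with its extension.
"""
import email
from email import policy
from email.message import EmailMessage

# The report says the lures arrived as .doc files and that Travnet searched
# the victim's disk for exactly these extensions.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "txt", "rtf", "pdf"}

# Leading bytes of the container formats behind those extensions.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound file
MAGIC = {
    "doc": (OLE2,),
    "xls": (OLE2,),
    "docx": (b"PK\x03\x04",),                 # OOXML is a ZIP archive
    "xlsx": (b"PK\x03\x04",),
    "pdf": (b"%PDF",),
    "rtf": (b"{\\rtf",),
    # .txt has no signature; magic_verdict reports it as "unknown"
}


def extension_of(filename):
    """Lower-cased extension without the dot, or '' if there is none."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def magic_verdict(ext, data):
    """'ok' if data starts with a known signature for ext, 'mismatch' if
    not, 'unknown' if there is no signature on file for that extension."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "unknown"
    return "ok" if any(data.startswith(s) for s in sigs) else "mismatch"


def triage_message(raw):
    """Return one finding per attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = extension_of(name)
        findings.append({
            "filename": name,
            "extension": ext,
            "is_document": ext in DOCUMENT_EXTS,   # delivery vehicle per report
            "magic": magic_verdict(ext, data),
        })
    return findings


def build_sample():
    """Constructed message (hypothetical sender and body). The two file
    names are from the report; the attachment bytes are made up: the first
    is a real OLE2 container header, the second is RTF text wearing a .doc
    name, the kind of mismatch the triage is meant to surface."""
    msg = EmailMessage()
    msg["From"] = "news-desk@example.invalid"
    msg["To"] = "officer@example.invalid"
    msg["Subject"] = "Report - Asia Defense Spending Boom"
    msg.set_content("Please find the attached documents.")
    msg.add_attachment(OLE2 + b"\x00" * 504, maintype="application",
                       subtype="msword",
                       filename="Army Cyber Security Policy 2013.doc")
    msg.add_attachment(b"{\\rtf1\\ansi not really a .doc}",
                       maintype="application", subtype="msword",
                       filename="Report - Asia Defense Spending Boom.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        flag = "REVIEW" if finding["magic"] == "mismatch" else "document"
        print(f"{flag:8} {finding['filename']} (magic={finding['magic']})")
```

Run stand-alone it prints one line per attachment; in practice the same function would be fed messages pulled from the gateway's quarantine. A mismatch is a strong triage signal but not proof of an exploit, and a matching header proves nothing either, since the exploit documents the report describes were legitimate Office files carrying a malicious payload.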
According to industry estimates, losses due to cyber theft from reported attacks alone amount to $8-10 billion (Rs.48,800-61,000 crore). But experts say the figure could be much higher as many threats go unreported.
Worryingly, the security infrastructure of Indian government websites has reportedly failed to keep pace with cyber attackers, who are becoming more focused on stealing information.
“Many of the servers that host ‘gov.in’ sites are running outdated software versions, with poorly managed Web servers that do not follow even the most basic Web application security guidelines,” said the report. “Even important government sites, access to which can lead to much deeper intrusion, seem to be managed with little care. While defacements are usually carried out by hackers just for fun or fame, serious hackers can cause much more damage and remain unnoticed for a very long time...”
“Slowly but steadily, serious APT (advanced, persistent attacks) campaigns are on the rise,” the report added. “It’s very important for the nation to start upgrading its IT infrastructure to keep up with the latest security guidelines and practices.”
“Cyber security has become one of the crucial areas for us and we are focusing on putting capacity and capability in place to strengthen the cyber security infrastructure,” said Alok Vijayant, director of the National Technical Research Organisation. “We want to bring IT security professionals under one entity to enhance our existing capability instead of just focusing on putting in additional security infrastructure.”
“India has one of the largest talent pools of IT professionals, but our biggest concern remains the young talent in IT, as most professionals prefer to go abroad to work,” he added.
Additionally, the use of proprietary rather than open-source software increases the vulnerability of Indian entities, according to Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society. “There’s a lack of use of Linux and other kinds of free software at both the desktop level and also the front end... They’re using Microsoft both at the server end and on the client end. Most of these attacks take advantage of that operating system dependency. If one were to look at it at a macro level, we’re vulnerable across the board—vulnerable to the US, we’re vulnerable to attackers from Europe, Pakistan, etc.,” Abraham said.