Business Today

Trojan warfare

Pierre Mario Fitter | Print Edition: May 13, 2012

On May 8 last year, Reliance ADAG boss Anil Ambani received a Microsoft Word document from what appeared to be the account of a journalist. However, when company officials contacted the reporter, it became clear he had not sent the email. Fearing a breach, the officials alerted the Mumbai Police cyber crimes cell. The investigators had alarming news - the document had a worm designed to steal data.

SPECIAL: How safe is India's IT network?

  • 10,315: cyber attacks reported to the central response agency, CERT-In, in 2010
  • 8,324: phishing attacks recorded in India by cybersecurity firm RSA in 2011
  • Rs 171.9 crore: total losses caused by phishing attacks in India in 2011, according to RSA

Reliance ADAG denied any data was compromised, but one investigator who spoke to Business Today on condition of anonymity believes otherwise. Hiding a worm in an MS Word document is "extremely difficult", says the cyber-sleuth, but the hackers persevered, as the flaw they exploited had only just been discovered and few computers were likely to be patched for it. Once the document was opened, the worm went after the hard drive, hunting for data. "Anti-virus programs could not detect it," says the source. The investigators could not even establish what data was stolen. They only know that it was the work of Romanian hackers. Reliance ADAG declined comment.

'Social engineering' is the term experts use for attacks like the one on Ambani: deceiving an insider into opening the door to a secure network, much as the Greeks used a wooden horse to get past Troy's defences and defeat their rivals. Hence the name for malware of this kind: Trojan, a program that depends on the victim to let it in rather than spreading by itself the way a true worm does.

A Bangalore-based software firm faced a similar attack in the summer of 2008. An employee had downloaded what he thought was a clean program onto his office laptop. In reality, it hid a virus that swept through his folders and uploaded his data to the hacker's server. This data included the source code to his company's products. Fortunately, the hacker was not as skilled as the ones who targeted Ambani and was tracked down.

Tips to Stay Safe

  • Do not download any attachment or software unless you have confirmation it was sent by someone you trust
  • On business trips and vacations, carry a secondary laptop and mobile phone
  • Do not email or copy sensitive data to your laptop, especially if you have to access this data outside a secure network

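The first tip can be applied mechanically before anyone is asked to vouch for a message. What follows is an added example, not code from the article or from any of the companies it names: it compares the visible From domain with the envelope sender, reads the SPF/DKIM verdicts that the receiving mail server records in the Authentication-Results header, and flags attachment types that have carried document exploits. The two messages, the host names, the domains and the list of risky extensions are all constructed for the example.

```python
"""Automated sender checks for an inbound e-mail with an attachment.

Added example, not code from the Business Today article. It applies the
"confirm the sender" tip before a human is consulted: compare the visible
From domain with the envelope sender, read the SPF/DKIM verdicts the
receiving mail server recorded, and flag attachment types that have carried
exploits. Header layout, names and domains are constructed for the example.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed message loosely modelled on the spoofed-journalist scenario in
# the article: the display name claims to be a reporter, the envelope sender
# is a relay the reporter's domain never authorised, and a .doc is attached.
SPOOFED_EMAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Asha Rao (Business Daily)" <asha.rao@business-daily.example>
To: chairman@corp.example
Subject: Draft interview questions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached questions.
--XX
Content-Type: application/msword; name="questions.doc"
Content-Disposition: attachment; filename="questions.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--XX--
"""

# Constructed message from the reporter's real mail system, for contrast.
GENUINE_EMAIL = b"""\
Return-Path: <asha.rao@business-daily.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=business-daily.example; dkim=pass header.d=business-daily.example
From: "Asha Rao (Business Daily)" <asha.rao@business-daily.example>
To: chairman@corp.example
Subject: Interview slot
Content-Type: text/plain

Could we speak on Thursday?
"""

# Extensions that commonly carry macro or parser exploits (example list).
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsm", ".ppt", ".pdf",
                    ".exe", ".scr", ".js", ".zip"}


def parse_auth_results(value):
    """Map method -> result (e.g. "spf" -> "fail") from an Authentication-Results header."""
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def assess_message(raw):
    """Return the reasons a message should be treated as untrusted (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()

    # 1. Envelope sender (where bounces go) does not belong to the From domain.
    if rp_domain and rp_domain != from_domain:
        findings.append(f"return-path domain {rp_domain} != From domain {from_domain}")

    # 2. The receiving server's own SPF/DKIM verdicts were not "pass".
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")

    # 3. Attachments of types that have carried document exploits.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} ({part.get_content_type()})")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, "->", assess_message(raw) or "no findings")
```

The checks assume the Authentication-Results header was written by your own mail gateway, not copied in by the sender; strip any such header at the network edge before trusting it. They catch crude spoofing only. A message sent from a reporter's genuinely compromised account, or from a look-alike domain the attacker registered, passes all three, which is why the tip still calls for out-of-band confirmation.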
"Earlier, hackers targeted servers, so organisations set up firewalls," says Dhruv Soi, Director of Torrid Networks. "So, hackers are now targeting employees." Soi - and every cyber security expert BT spoke to - considers social engineering the biggest threat to a company's data.

Since such attacks do not set off alarm bells at the firewall, most companies remain unaware of the breach. A study released by US-based internet and telecom firm Verizon this March said 85 per cent of hack victims were not aware of the breach for several weeks. Worse, 92 per cent of the victims found out about it only after a third party alerted them.

The Indian government has itself been the victim of three such social engineering attacks, all from China. The most recent was LuckyCat, which targeted Indian and Japanese government computers beginning June 2011. In all, it hit 233 computers.

LuckyCat mirrored a 2009 campaign called GhostNet, which targeted Tibetan officials and Indian embassies. The ShadowNet campaign, one year later, was even more devastating. It first hit India's Track II diplomacy teams: members of think tanks or the media. They interact regularly with diplomats, as well as defence and intelligence officials. "It's almost like a social network," says a former intelligence officer, requesting anonymity. "Once they got into the think tanks and media, they targeted their contacts in government." Three years after the attacks took place, "even the GhostNet botnet is still operational," he says, referring to the network of hijacked computers the hackers used to carry out the attack.

While the people behind the GhostNet and ShadowNet campaigns were never found, investigators identified Gu Kaiyuan, a former student of China's Sichuan University, as the mastermind behind LuckyCat. Sichuan University is a favoured hunting ground for China's cyberspy recruiters.

"Everything critical was lost. Our anti-Naxal strategy, our posturing towards Sri Lanka… It is extremely frustrating to see the same old attack vectors working [repeatedly] against sensitive government systems," says the former intelligence official, who also investigated GhostNet and ShadowNet and is familiar with LuckyCat. Some experts blame Microsoft for China's hacking success. In 2003, and again in 2010, the company handed over sections of its Windows operating system's source code to the Chinese government. Russia was another recipient.

The company defended the decision, saying it gave governments "insight and a deeper understanding of Microsoft products" so they could be confident of security. However, Western experts warn that hostile governments now have access to potential flaws in Windows.

Social engineering is also used by 'phishers' to make money. This breed of scamster relies on simple duplication: copying the web pages of banks and fooling people into entering account details and passwords on the fake. RSA, a US-based cybersecurity firm, recorded 8,324 such attacks in India in 2011. Total losses were estimated at Rs 171.9 crore.

Telecom is another vulnerable sector. One threat lies in common apps such as games or ringtones, popular among India's 911 million mobile phone connections. These are often created by small, third-party developers with razor-thin profit margins. They have little to spend on security. Most use only a username and password to access the telecom company's online store servers to upload new apps.

Hackers who crack the app developers' accounts not only replace genuine products with malware-laced ones, they also gain access to the telecom company's server. "I'll be surprised if any telecom company has an idea of who fully controls its [app] servers," says a cyber security expert, formerly with the military, and now in the private sector. "They're five per cent of the revenues but 95 per cent of the problem."

With millions of subscribers to target, mobile phone hackers are not just a threat to privacy and finances, they automatically become a national security problem as well. Such cyber attacks are costly. Out of 200 Indian organisations surveyed by computer security firm Symantec for its 2011 State of Security Survey, 144 reported hacks over the previous 12 months; 92 per cent reported financial losses. On average, companies lost Rs 41.3 lakh in revenues and Rs 33 lakh in reputation costs. As for non-monetary damages, 37 per cent reported down times, 31 per cent lost confidential customer information and 28 per cent had intellectual property stolen.

Training is an essential first step to protect corporate networks from attack. Firewalls are not enough. "Companies build [network security] like a fortress: a wall on the outside and nothing much inside. One breach is all it takes," warns Sundar Ramakrishnan, Director of Engineering at networking company Cisco Systems. Monitoring systems are expensive but provide good protection: they can spot a breach in progress. For example, data leaving the network that no user initiated is likely the work of a worm.
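The heuristic in the paragraph above, worked through as an added example that is not part of the article: a small detector joins an outbound flow log against a log of interactive logon sessions on the same hosts, and reports a transfer when at least two of three signals line up: no user was logged on at the time, the volume is far above that host's own median, and no other host on the network talks to that destination. The log formats, host names, addresses and the 20x threshold are constructed for the example.

```python
"""Flag outbound transfers that no logged-in user accounts for.

Added example, not from the Business Today article. It implements the text's
heuristic ("data leaving a network that was not moved by a user is likely the
work of a worm") over two constructed data sets: an outbound flow log and an
interactive-logon log for the same hosts. Field layouts, host names,
addresses and the threshold are invented for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed outbound flow records: "timestamp src_host dst_ip bytes_out".
FLOW_LOG = """\
2012-05-08T09:05:00 ws-finance-01 203.0.113.10 48213
2012-05-08T09:20:00 ws-finance-01 203.0.113.10 51900
2012-05-08T10:02:00 ws-legal-02 203.0.113.10 38777
2012-05-08T11:40:00 ws-finance-01 203.0.113.10 44120
2012-05-08T14:15:00 ws-legal-02 203.0.113.10 40930
2012-05-08T23:31:00 ws-finance-01 198.51.100.77 61200000
2012-05-09T02:10:00 ws-finance-01 198.51.100.77 58700000
2012-05-09T10:30:00 ws-legal-02 203.0.113.10 39100
"""

# Constructed interactive logon sessions: "host logon_time logoff_time".
SESSION_LOG = """\
ws-finance-01 2012-05-08T08:55:00 2012-05-08T18:05:00
ws-legal-02 2012-05-08T09:30:00 2012-05-08T17:45:00
ws-legal-02 2012-05-09T09:10:00 2012-05-09T18:00:00
"""

BASELINE_MULTIPLIER = 20   # example threshold: flows this many times the host median
MIN_SIGNALS = 2            # report a flow only when two independent signals agree


def parse_flows(text):
    """Parse the flow log into dicts with ts/host/dst/bytes."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, size = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": dst, "bytes": int(size)})
    return flows


def parse_sessions(text):
    """Parse the logon log into host -> [(logon, logoff), ...]."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, start, end = line.split()
        sessions[host].append((datetime.fromisoformat(start),
                               datetime.fromisoformat(end)))
    return sessions


def user_present(host, ts, sessions):
    """True if an interactive session on host covers the timestamp."""
    return any(start <= ts <= end for start, end in sessions.get(host, []))


def find_suspicious_flows(flows, sessions, multiplier=BASELINE_MULTIPLIER):
    """Return flows carrying at least MIN_SIGNALS of the three warning signs."""
    per_host = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for f in flows:
        per_host[f["host"]].append(f["bytes"])
        hosts_per_dst[f["dst"]].add(f["host"])
    # Each host's own median outbound size is its baseline; a long-running
    # exfiltration shifts the mean far more than the median.
    baseline = {h: median(sizes) for h, sizes in per_host.items()}

    suspicious = []
    for f in flows:
        reasons = []
        if not user_present(f["host"], f["ts"], sessions):
            reasons.append("no interactive user session on host")
        if f["bytes"] > multiplier * baseline[f["host"]]:
            ratio = f["bytes"] / baseline[f["host"]]
            reasons.append(f"{ratio:.0f}x host median outbound volume")
        if len(hosts_per_dst[f["dst"]]) == 1:
            reasons.append("destination contacted by no other host")
        if len(reasons) >= MIN_SIGNALS:
            suspicious.append({**f, "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    hits = find_suspicious_flows(parse_flows(FLOW_LOG), parse_sessions(SESSION_LOG))
    for h in hits:
        print(h["ts"].isoformat(), h["host"], "->", h["dst"],
              f"{h['bytes']} bytes:", "; ".join(h["reasons"]))
```

Requiring two signals keeps unattended but legitimate traffic (overnight backups, software updates) from being reported on the "no user" signal alone; in production the baseline would be built from weeks of history rather than a handful of records, and the "only host talking to this destination" test would be computed across the whole fleet.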

The government has a security agency to tackle these issues. The eight-year-old CERT-In (Computer Emergency Response Team) issues warnings and probes each attack. But it is understaffed; CERT-In's website lists just 23 officers as "scientists". In 2010, the last year for which there are figures, these 23 men and women had to investigate 10,315 reported cyber crimes and 14,348 defacements of Indian websites. However, they are often assisted by experts from over 60 empanelled organisations.

Ultimately, even computers with the latest security features are vulnerable to what techies call zero-day attacks. This, says R. Srikanth, a cyber strategies researcher at the Takshashila Institution, is "where malicious hackers find and exploit bugs in the code before anyone realises their existence".

Data for some graphics courtesy Symantec
