PUBLISHED: March 12, 2015
While FireEye claimed the cyberattacks by the Pakistani firm were still active, the Indian government denied any knowledge of this.
BENGALURU: A Pakistani cybersecurity firm with close ties to Islamabad has been found stealing information from Indian government and defence establishments, according to a two-year investigation by a US-based IT security firm.
The Pakistani company targeted Indian establishments through leased US hosting services, the US security firm FireEye said. The findings show that India remains a vulnerable target for cyberattacks even after documents leaked by whistleblower Edward Snowden exposed widespread spying on the country by the US National Security Agency.
While FireEye claimed the cyberattacks by the Pakistani firm were still active, the Indian government denied any knowledge of this. “It is incorrect. We have only seen cases of website hacking. However, they hold only public data,” said Dr Gulshan Rai, director-general of the Indian Computer Emergency Response Team (CERT-In), who will shortly take charge as the country’s first cybersecurity chief.
A senior Indian intelligence official confirmed Indian establishments were targets of cyberspying, but said the attackers could not be traced. “We have seen many such attacks targeting Indian government and defence establishments coming from different parts of the world, but in cyberspace it is very hard to ascertain the actual source of an attack.”
According to FireEye, an Islamabad-based IT security firm called Tranchulas, which claims to have helped prepare the Pakistani government for cyberwarfare, bombarded officials in Indian government organizations with emails carrying malicious software, or malware, as attachments. The firm used subject lines such as ‘Sarabjit Singh’, ‘Devyani Khobragade’ and ‘Salary hikes for government employees’ to lure officials into opening the attachments; once opened, the malware would infect the computer and collect an assortment of data, which it would send back to the attacker.
“They are essentially penetrating Indian government accounts to find out what the Indian government is up to,” Manish Gupta, senior vice president at FireEye said. “They are also targeting defence organizations. Some of the things that could be important to them could be what kind of weapons does India have, where are these weapons deployed, how many people are deployed in these regions, what is the organization structure, are there any military exercises planned.”
Tranchulas CEO Zubair Khan, in an email response, neither confirmed nor denied the involvement of his firm in the cyberespionage. “We’ve had no contact with (FireEye) so I have no idea about their motivations vis-a-vis their reporting on us. Clearly, they are one of the best security research companies out there and we respect their talents in this regard.”
Khan said his company offers both government and private clients a special service, called the offensive cyberinitiative “to help select customers build sustainable strategies for cyberwarfare and cyberdefense that will keep them relevant in the information age.”
The malware identified by FireEye has been active since early 2013 and carried the name of a Tranchulas employee, Umair Aziz, in its code. FireEye said that after it confronted Khan over this in July 2013, variants of the malware with those names changed began to surface. Strings embedded in a binary are trivial for its author to alter, so on their own they are weak evidence of who wrote it, as the subsequent rewriting of this code shows.
“Once we confronted Tranchulas, the malware was modified and all references to the company were removed and replaced with some strings with CERT-In (the Indian Computer Emergency Response Team) to masquerade themselves and show that the attacks were being carried out by Indian Cert,” said Michael Oppenheim, a threat intelligence analyst at FireEye who discovered the malware.
Tranchulas exclusively used VPSNOC, a Pakistan-based virtual private server provider, which leased US hosting services that served as the infrastructure for controlling phases of the attack, Oppenheim said. The senior Indian intelligence official quoted earlier said it was common for attackers to route operations through servers located in a different country to avoid detection and frustrate attribution.
India has been trying to improve its cyberdefence capabilities in response to an increasing number of attacks, including those by the United States revealed by the Snowden leaks. Earlier this month, prime minister Narendra Modi called on the Indian IT industry to focus on meeting the global challenge of cybersecurity. Cyberattacks on Indian websites have increased nearly fivefold in the past four years; by mid-2014, CERT-In had recorded more than 60,000 incidents.
“India’s data is in great demand across the world. It has been snooped across the continents but what is snooped is very important. What Pak agencies claim they snoop many a time is of far less importance as they end up snooping data which has never traversed any physical form,” said Prashant Mali, an advocate and independent cybercrime expert in Mumbai. But “India lacks concerted and coordinated efforts between all central agencies in managing these attacks,” he said. “One umbrella organization to defend the cyberboundaries of India is the need of the hour.”