A Report on Indian Cyberattack and APT under Computer Security
Executive summary
As computer technology has developed, political and economic competition, and even conflict, between nations has increasingly moved onto the invisible battlefield of the Internet, and with it the security of information and of national interests is threatened by the same technology. "Cyberattack", sometimes also referred to as cyber terrorism, here means a computer intrusion that hacks into a vulnerable system in order to damage or spy on a specified target. According to a report by Norman Shark (Sherman, 2009), a pioneer in proactive network security solutions and forensic malware tools, one attack infrastructure has been used both to target entities of national security interest (mainly in Pakistan) and for espionage against the Norwegian telecom company Telenor and other civilian organizations. Taking Norman Shark's report as its starting point, this paper examines the Indian cyberattack and the phenomenon of the advanced persistent threat (APT) in the context of computer security and its aims; discusses the global threat implications of the attack; and analyzes surveillance techniques and countermeasures, so as to draw implications for new attacks and the countermeasures they require. The paper has five parts. Part one introduces the problem and the company that uncovered it. Part two analyzes the sample data on the Indian cyberattack and APT. Part three discusses the global threat implications on the basis of the sample data and other cyberattack cases. Part four covers surveillance and countermeasures under the aims of computer security. Part five concludes with implications for further cyberattack measurement and related research.
Table of Contents
Executive summary
I. Introduction
II. Sample analysis
III. Global threat implications of the cyberattack
IV. Surveillance techniques and appropriate countermeasures
V. Conclusion
I. Introduction
This part describes the problem of cyberattack and introduces the company that uncovered the campaign, which is the basis for the later discussion of global threat implications and of surveillance and countermeasures in accordance with the aims of computer security.
On March 17th 2013, security analysts at Norman Shark uncovered a previously unknown and sophisticated attack infrastructure that appears to have originated in India and had been used for targeted attacks on the Norwegian telecom giant Telenor; the infection began with "spear phishing" emails sent to upper management (Stephen, 2005).
On May 1st 2013, it was reported that a multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in the mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. The organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany.
Both the industrial espionage and the political cyberattacks from India against other nations were unveiled by the computer security company Norman Shark, a pioneer in proactive network security solutions and forensic malware tools. Powered by its patented Norman Shark Sandbox technology, Norman Shark offers enterprise customers security solutions for building networks that can be defended against emerging cyber threats.
The unveiling of the Indian cyberattack and of the advanced persistent threat behind it is significant not only for maintaining the security of the computer systems of institutions and enterprises, but also for developing surveillance techniques and countermeasures.
II. Sample analysis
There is a common refrain in the computer security world that "It's always the Chinese." But after digging into the data, the researchers found no Chinese traces at all. Instead, they started seeing Indian names, and the attacks appear to have been running for at least three years before Norman Shark unveiled them.
The infrastructure behind the attack on the Norwegian telecom company is said to have been active for three years, since its creation in September 2010, and showed no sign of slowing down in 2013, which points to continued attacks (Norman, 2013). Decoy emails and documents, in a technique called "spear phishing", are used by the attackers to trick employees of specific government and business institutions into running malicious software, known as malware. Data is then stolen from the infected computers and sent back to servers around the world.
According to the evidence found by Norman Shark, the attackers used more than 600 different websites, many of them registered in India, to distribute their malware and receive stolen information. Analysis of the recent attacks shows that the attackers hide their tracks by registering domains under false names, for example the names of celebrities, which puts them behind the registrant's privacy protections, or by using other people's compromised computers as cover.
In the Telenor case, the attackers chose to send emails with .doc attachments that exploited a remote code execution vulnerability in the Windows common controls (CVE-2012-0158), which Microsoft patched in April 2012. Web-based exploits, including one for a remote code execution vulnerability in Internet Explorer (CVE-2012-4792) and one for a similar vulnerability in Java (CVE-2012-0422), have also been found on domains associated with this operation. Norman Shark estimated the number of infected computers by counting the distinct IP addresses that contacted the malicious domains. That figure cannot give the exact number of victims: many computers behind one NAT gateway share a single public address, while one computer with a dynamically assigned address shows up under several addresses over time. All of this adds to the difficulty of detecting cyberspying, industrial espionage and political intrusion (Division on Engineering and Physical Sciences, 2009). According to the report, the APT campaign and its malicious infrastructure have served "primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States." The working principle is that the attackers exploit vulnerabilities in software to plant Trojans on computers across the world, primarily in Pakistan, and the information gathered is then sent back over the Internet to India for espionage.
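The IP-counting caveat above is easiest to see on data. The following Python script is an added example written for this report, not code from Norman Shark; it parses a constructed C2 access log (fictitious addresses from the documentation ranges and fictitious .test domains, with a made-up per-implant identifier field) and compares a count of distinct source IPs with a count keyed on the implant identifier, flagging addresses that front several implants as probable NAT gateways.

```python
"""Estimate victim counts from command-and-control (C2) connection logs.

Added example (not code from the Norman Shark report). Counting distinct
source IP addresses, as the report did, gives only a rough victim count:
NAT hides many hosts behind one address and dynamic addressing spreads one
host over many. A per-implant identifier, when the malware sends one, is
the better key. The log lines below are constructed for illustration; the
domains, addresses and implant IDs are fictitious.
"""
import re
from collections import defaultdict

# Constructed sample of C2 access-log lines: timestamp, source IP, C2 host,
# and the implant's self-reported machine ID (absent for some implants).
C2_LOG = """\
2013-03-01T08:01:12 203.0.113.10 c2-example-a.test id=WS-0001
2013-03-01T08:02:40 203.0.113.10 c2-example-a.test id=WS-0002
2013-03-01T08:05:03 203.0.113.10 c2-example-a.test id=WS-0003
2013-03-01T09:10:55 198.51.100.7 c2-example-b.test id=WS-0004
2013-03-02T09:11:01 198.51.100.9 c2-example-b.test id=WS-0004
2013-03-02T10:00:00 192.0.2.44 c2-example-a.test
2013-03-03T10:00:00 192.0.2.45 c2-example-a.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)"
    r"(?:\s+id=(?P<id>\S+))?$"
)


def parse_log(text):
    """Yield a dict per well-formed line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def estimate_victims(text):
    """Return three estimates: distinct IPs (the report's method), distinct
    implant IDs, and a combined count that uses the ID where present and
    falls back to the bare IP otherwise."""
    ips, ids, combined = set(), set(), set()
    ids_per_ip = defaultdict(set)
    for rec in parse_log(text):
        ips.add(rec["ip"])
        if rec["id"]:
            ids.add(rec["id"])
            combined.add(("id", rec["id"]))
            ids_per_ip[rec["ip"]].add(rec["id"])
        else:
            combined.add(("ip", rec["ip"]))
    # One public address fronting several implant IDs is most likely a NAT
    # gateway; counting it once under-counts the victims behind it.
    nat_suspects = sorted(ip for ip, s in ids_per_ip.items() if len(s) > 1)
    return {
        "by_ip": len(ips),
        "by_id": len(ids),
        "combined": len(combined),
        "nat_suspects": nat_suspects,
    }


def hosts_by_domain(text):
    """Distinct source IPs seen contacting each C2 domain."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        seen[rec["host"]].add(rec["ip"])
    return {host: len(s) for host, s in seen.items()}


if __name__ == "__main__":
    print(estimate_victims(C2_LOG))
    print(hosts_by_domain(C2_LOG))
```

On the sample log the IP count (5) is both too low for the NAT address, which hides three implants, and too high for WS-0004, which appears under two addresses; the combined count (6) is the more defensible figure, and the NAT suspects list shows where the IP-based number is least trustworthy.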
Norman Shark established the Indian origin of the attacks in its report through project and debug paths left in the malware: the threat actors were either unaware of leaving such traces or did not mind them. For example, many of the Visual Basic keyloggers contained the name "Yash", which can be short for several Indian names. The Trojans used against Telenor did not contain any such personal name, but their Visual Basic project name clearly relates them to the other samples: the Telenor samples (02d6519b0330a34b72290845e7ed16ab, bfd2529e09932ac6ca18c3aaff55bd79) carry the project path "C:miNaPro.vbp". The continued targeting of Pakistani interests likewise pointed to an attacker of Indian origin. A further clue is the word "Appin", suggesting some connection with the Indian security company Appin Security Group (Norman, 2013): the strings "Appin", "AppinSecurityGroup" and "Matrix" are frequently found inside the executables.
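The attribution step described above, tying samples together by embedded strings and Visual Basic project paths, can be reproduced as a simple triage scan. The script below is an added example and not Norman Shark's tooling; the byte blobs, file names and build paths in it are constructed for illustration, and only the indicator strings named in the text are taken from the report.

```python
"""Pull attribution clues out of binary samples.

Added example (not code from the Norman Shark report). The report linked
samples through Visual Basic project paths (*.vbp), embedded developer
names such as "Yash", and strings such as "Appin" and "AppinSecurityGroup".
This scanner mimics that triage step on constructed byte blobs; the file
names, paths and blob contents are made up for illustration.
"""
import re

# Indicator strings of the kind the report describes. Each is searched for
# as ASCII and as UTF-16LE, since Windows binaries carry both encodings.
INDICATOR_STRINGS = ["Appin", "AppinSecurityGroup", "Matrix", "Yash"]

# Visual Basic 6 project paths (e.g. C:\work\proj.vbp) and PDB debug paths,
# both of which compilers leave behind unless the author strips them.
VBP_RE = re.compile(rb"[A-Za-z]:\\[^\x00\"<>|]{0,200}?\.vbp", re.IGNORECASE)
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00\"<>|]{0,200}?\.pdb", re.IGNORECASE)


def _utf16(s):
    return s.encode("utf-16-le")


def scan_sample(name, data):
    """Return the indicators found in one sample as a dict."""
    found = set()
    for s in INDICATOR_STRINGS:
        if s.encode("ascii") in data or _utf16(s) in data:
            found.add(s)
    project_paths = {m.decode("latin-1") for m in VBP_RE.findall(data)}
    pdb_paths = {m.decode("latin-1") for m in PDB_RE.findall(data)}
    return {
        "sample": name,
        "strings": sorted(found),
        "vbp": sorted(project_paths),
        "pdb": sorted(pdb_paths),
    }


def cluster_by_project(results):
    """Group samples that share a VB project path (case-insensitive). A
    shared build path is a stronger link than a shared generic string."""
    clusters = {}
    for r in results:
        for p in r["vbp"]:
            clusters.setdefault(p.lower(), []).append(r["sample"])
    return clusters


# Constructed blobs standing in for real executables (fictitious content).
SAMPLES = {
    "keylogger_a.exe": b"\x00MZ" + b"\x00" * 8
                       + b"C:\\Users\\Yash\\klog\\klog.vbp\x00"
                       + _utf16("Matrix") + b"\x00\x00",
    "dropper_b.exe": b"\x00MZ" + b"AppinSecurityGroup\x00"
                     + b"C:\\build\\dropper\\Release\\dropper.pdb\x00",
    "telenor_c.exe": b"\x00MZ" + b"c:\\users\\yash\\klog\\KLOG.VBP\x00",
    "unrelated.exe": b"\x00MZ" + b"nothing to see here\x00",
}


def triage(samples=SAMPLES):
    """Scan every sample and cluster them by shared project path."""
    results = [scan_sample(n, d) for n, d in samples.items()]
    return results, cluster_by_project(results)


if __name__ == "__main__":
    results, clusters = triage()
    for r in results:
        print(r)
    print(clusters)
```

Two things the run shows that the prose does not: the UTF-16 search is what catches "Matrix" in the first blob, and the case-insensitive project-path key is what ties the first and third samples together even though their name strings differ in case. In practice the same scan would run over the strings of real samples, with the indicator list kept separate from the code.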
III. Global threat implications of the cyberattack
According to Norman Shark's report of May 20th 2013, a diverse cyberespionage campaign run out of India has lasted for at least three years and has targeted multiple national-interest and industrial entities around the world, mostly Pakistani and U.S. organizations, but also the Norwegian telecom provider Telenor, the Chicago Mercantile Exchange and even China's Qinghua University. The danger of the attack has thus expanded to a global scale, covering political, industrial and educational targets, as a form of "cyber spying", or cyber espionage. Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or classified) from individuals, competitors, rivals, groups, governments and enemies, for personal, economic, political or military advantage, using methods on the Internet, on networks or on individual computers, through cracking techniques and malicious software including Trojan horses and spyware.
Cyber espionage has been called "the greatest transfer of wealth in human history," a phrase that vividly conveys the economic impact of cybercrime and cyber espionage. It also raises serious security questions for the intelligence and military computer systems, and the closed networks, of the targeted nations, threatening their economic, military and intelligence interests.
The Norwegian Telenor case of industrial espionage and the Pakistani national security case represent India's expanded cyber warfare efforts. The incidents also suggest that Indian hackers have not only targeted Norway and Pakistan for years for industrial and national security purposes, but have also placed espionage targets in other countries, including the United States, Iran, China and Germany.
According to Norman Shark's report, Pakistan is the most obvious target: its computers were the most actively connected to the malicious domains, and the decoy files tailored for Pakistani victims revolve around the ongoing conflicts in the region, regional culture and religious matters.
China is another country attacked, to a lesser extent, by the Indian hackers, with academic targets and in volumes far below those seen against Pakistani targets.
The Indian cyberattacks also extend to political secessionist movements, such as the Khalistan movement, which aims to create a Sikh nation in the Punjab region of India, and the Nagaland movement, which aims to create a sovereign homeland for the Naga people living in North-Eastern India and North-Western Burma.
A published incident report by Context Information Security details how Mr Samin Tan, Chairman of Bumi PLC, was targeted by a spear-phishing attack in July 2012. Bumi is an international mining group listed on the London Stock Exchange.
Norman's researchers also found that the APT attackers used their command-and-control infrastructure to target the Chicago Mercantile Exchange, which had publicly reported a failed phishing attempt against it. The same malicious infrastructure is said to have been used to infect an Angolan activist's OS X system with a Trojan backdoor, which was not discovered until the activist attended the Oslo Freedom Forum in May 2013.
Besides the confirmed cases, there are other likely targets, ranging from the restaurant industry to the webmail front end of Porsche Holding in Austria and the Chicago Mercantile Exchange.
Research into these cases shows that they were apparently operated from India, with espionage activity lasting three years against business, government and political organizations around the world.
What the hackers intended to do with the stolen information is still unclear, but the evidence shows a particular interest in documents from research institutions and enterprises that contain information bearing on a nation's security interests or an enterprise's economic interests. Their method is dangerous because it is invisible: emails with .doc attachments are used to trick computer users in research institutions and enterprises into running the malware, and their private information is then stolen by the Indian hackers without their knowledge. One serious case, according to Norman Shark's analysis, involved malicious attacks on Pakistan and Israel through an espionage website created by the Indian hackers.
The seriousness of the global threat can be described in the words of a top US intelligence official: cyberattacks on networks represent a worse threat to the country than a ground attack by a terrorist group, a warning given in the annual report to the US Congress by the Director of National Intelligence, James Clapper. The destruction caused by cyberattacks can be invisible, latent and progressive, and the actors behind this campaign have become advanced practitioners of it against countries such as the US, Pakistan, Iran and China, with targeted theft of confidential business information and proprietary technology on an unprecedented scale. Sustained intrusion of this kind can lead to extensive disruption, especially where the intrusions go undetected.
IV. Surveillance techniques and appropriate countermeasures
The former NSA official Mr. George observes that the hackers' ability to carry out these attacks underscores how easy it is for new players to enter the "cyber" game: the types of attacks used are neither time-consuming nor expensive, and the kinds of malware seen in them can be bought for about $5,000, a price any nation can afford. This leaves wide scope for the spread of cyberattack and APT activity in any domain. At the same time, one feature of these attacks points to the surveillance and countermeasures needed for the security of computer systems and web platforms: the hackers did not keep strict control of the information stolen through their malware and APT activity, so anyone who found the malware could also reach the stolen information, because the attackers did nothing to protect their own computers.
The fast-growing and spreading practice of cyberspying has greatly endangered computer security, national interests and the interests of enterprises. The serious situation urgently calls for technical surveillance and appropriate countermeasures (LLC Books, 2010). Norman Shark, a global security leader in malware analysis solutions for enterprises, service providers and government entities, currently shoulders this kind of task and provides warnings and guidance for users all over the world. The following examples represent the efforts made by experts to counter the malicious cyberattacks.
On February 20th 2013, Norman Shark launched the new Norman Shark Network Protection solution, including an SMTP relay, a new user interface, a faster scanning engine and enhanced open APIs.
On July 29th 2013, Norman Shark announced Malware Analyzer G2 (MAG2) version 4.0, which provides industry-leading hybrid analysis, and Network Threat Discovery (NTD) version 5.1, a cyberattack discovery system that automatically collects and detects malicious files that have slipped past traditional security nodes (Norman, 2013).
Besides professional surveillance and countermeasures, users in government and enterprises also need to raise their awareness of cyberattack and their technical competence. For example, users can prevent unnecessary attacks through <1> access control, which includes network permission control, content-level control and system control; and <2> firewall control, which ensures information security by permitting or preventing the transfer of data (Norman, 2013). Eliminating security risks also requires improving the relevant legal framework, raising the quality of employees and strengthening network supervision.
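As an added illustration of the network permission control and firewall control just described (example code written for this report, not part of the original text or of any Norman Shark product), the following Python policy check runs over constructed proxy log lines and compares a blocklist of known C2 domains with a default-deny allowlist for hosts that hold sensitive data. The clients, hosts and domains are all fictitious.

```python
"""Egress policy check over proxy log lines.

Added example (not from the original report or from Norman Shark). The
attackers used more than 600 domains for delivery and exfiltration, so a
blocklist of known C2 domains is always behind. Two controls are compared
side by side: a blocklist, which only catches what is already known, and a
default-deny allowlist for servers holding sensitive data, which also stops
the unknown domain. Log lines, hosts and domains are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed proxy log: client IP, client host name, destination, bytes sent.
PROXY_LOG = """\
10.0.1.15 exec-ws-01 www.example-partner.test 1200
10.0.1.15 exec-ws-01 c2-known.test 48000
10.0.2.7 research-srv-01 c2-known.test 910000
10.0.2.7 research-srv-01 c2-unknown-new.test 2400000
10.0.2.7 research-srv-01 updates.example-vendor.test 3000
"""

# Constructed blocklist: a C2 domain that is already known.
KNOWN_C2 = {"c2-known.test"}

# Default-deny for sensitive segments: listed hosts may only reach listed
# domains (and their subdomains); everything else is denied.
SENSITIVE_ALLOWLIST = {
    "research-srv-01": {"updates.example-vendor.test"},
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass
class Verdict:
    client: str
    host: str
    dest: str
    action: str  # "allow" or "deny"
    reason: str  # which rule decided


def _domain_and_parents(fqdn):
    """'a.b.example.test' -> {'a.b.example.test', 'b.example.test', 'example.test'}"""
    parts = fqdn.lower().split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def evaluate(line):
    """Apply blocklist first, then the per-host default-deny allowlist."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, host, dest, _bytes = m.groups()
    names = _domain_and_parents(dest)
    if names & KNOWN_C2:
        return Verdict(client, host, dest, "deny", "blocklist")
    if host in SENSITIVE_ALLOWLIST:
        if names & SENSITIVE_ALLOWLIST[host]:
            return Verdict(client, host, dest, "allow", "allowlist")
        return Verdict(client, host, dest, "deny", "default-deny")
    return Verdict(client, host, dest, "allow", "unrestricted")


def apply_policy(text):
    """Verdicts for every well-formed line, in log order."""
    return [v for v in (evaluate(l) for l in text.splitlines()) if v]


def summary(text):
    """How many connections each rule decided."""
    return dict(Counter(v.reason for v in apply_policy(text)))


if __name__ == "__main__":
    for v in apply_policy(PROXY_LOG):
        print(f"{v.action:5} {v.reason:12} {v.host} -> {v.dest}")
    print(summary(PROXY_LOG))
```

The point of the run is the fourth line: the 2.4 MB transfer from the research server to a domain nobody has blocklisted yet is stopped only by the default-deny rule, while the executive workstation, which has no allowlist, is protected against nothing the blocklist does not already know about.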
V. Conclusion
By analyzing the Indian cyberattack and APT against business, government and political organizations around the world, and by offering suggestions and information for technical surveillance and countermeasures, this paper aims to set out the threat implications for the entities concerned. The analysis indicates that the present state of computer security requires organizations to accept that it is not a matter of whether they will be compromised but of when, and to have a plan in place for dealing with those compromises (James, 2013). At the same time, it confirms and encourages the work done, and still to be done, by computer security companies such as Norman Shark, and pushes them to improve the global response to industrial and political espionage.
References
Sherman Alexie. (2009). The Absolutely True Diary of a Part-Time Indian. Little, Brown Books for Young Readers.
Stephen J. Lukasik. (2005). Protecting Critical Infrastructures Against Cyber-attack. Routledge.
Division on Engineering and Physical Sciences. (2009). Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. National Academies Press.
LLC Books. (2010). 2007 in Estonia: Aftermath of the Bronze Night, Baltic League 2007, 2007 Cyberattacks on Estonia, 2007-08 Estonian Cup. Books LLC.
Norman. (2013). Attack on Telenor was part of large cyber espionage operation with Indian origins. http://normanshark.com/company/company-overview/
Norman. (2013). Unveiling an Indian Cyberattack Infrastructure: a special report. http://normanshark.com/company/company-overview/
James Andrew Lewis. (2013). The economic impact of cybercrime and cyber espionage. http://www.google.com