A report published today by a group of Canadian researchers states that Indian government, Tibetan government and media institutions suffered a massive computer penetration attack over the last eight months.
The report, titled Shadows in the Cloud, lists systems and information of personnel and institutions like the Indian Embassies in the US and Afghanistan, the Indian High Commission in the UK, the National Security Council Secretariat, the Directorate General of Military Intelligence, the Indian Air Force Stations at Race Course, New Delhi and Vadodara, National Informatics Center, New Delhi Railway Station, FICCI (Federation of Indian Chambers of Commerce and Industry), the Institute for Defense Studies and Analysis and the National Maritime Foundation, amongst others, as penetrated.
Classified, restricted and secret information has been stolen from the Indian armed forces as well as the Ministry of External Affairs and the Tibetan Government in Exile. This includes documentation related to the Pechora Missile System, the Israeli Iron Dome Missile Defense System as well as Project Shakti, an artillery command and control system. “We recovered one document that appears to be an encrypted diplomatic correspondence, two documents classified as “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents contain sensitive information taken from a member of the National Security Council Secretariat (NSCS) concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists. In addition, they contain confidential information taken from Indian embassies regarding India’s international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence. The attackers also exfiltrated detailed personal information regarding a member of the Directorate General of Military Intelligence,” says the study, compiled by a collaboration between the Information Warfare Monitor and the Shadowserver Foundation.
The Information Warfare Monitor (infowar-monitor.net) is a joint activity of the Citizen Lab, Munk School of Global Affairs, University of Toronto, Canada and the SecDev Group, an operational consultancy based in Ottawa, Canada specializing in ‘evidence-based research in countries and regions under threat of insecurity and violence’.
The publishers of the report say, “By February 2010, we were able to find on our own what we thought was an appropriate contact in the Indian government, and gave a detailed notification to the National Technology Research Organization (NTRO). Our notification for take-down of the command and control infrastructure came later in the investigation, after we had collected and analyzed all of the information related to this report, but prior to its release. Our experiences illustrate the intricate, nuanced and often confusing landscape of global cyber security notification practices. The notification process will continue after the publication of this report.”
“Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers. The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009,” says the report.
According to the report, 2945 of the 6902 compromised computers monitored in the sinkhole were in India, as were 62 of the 139 compromised IPs in the Shadow Network. Of the 44 computers experiencing data theft, 35 were in India, and 40 of them held documents whose ownership was located in India.
The study says a computer at NSCS was compromised judging from the documents stolen by the hackers. “During the period in which we monitored the attackers, fourteen documents, including two documents marked “SECRET,” were exfiltrated. In addition to documents containing the personal and financial information of what appears to be the compromised individual, the exfiltrated documents focus on India’s security situation in the states of Assam, Manipur, Nagaland and Tripura as well as the Naxalites, Maoists, and what is referred to as ‘left wing extremism’.”
Indian embassies and consulates have also had their systems penetrated. “We assess that computers at the Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, 99 documents, including what appears to be one encrypted diplomatic correspondence as well as five documents marked “RESTRICTED” and four documents marked “CONFIDENTIAL,” were exfiltrated. In addition to documents containing personal, financial, and travel information on embassy and diplomatic staff, the exfiltrated documents included numerous visa applications, passport office circulars, and country assessments and reports. Confidential visa applications from citizens of Afghanistan, Australia, Canada, the PRC, Croatia, Denmark, Germany, India, Ireland, Italy, New Zealand, Philippines, Senegal, Switzerland, Uganda, and the United Kingdom were among the exfiltrated documents.”
Computers belonging to the armed forces' infrastructure agency, Military Engineer Services (MES), at Bengdubi, Kolkata, Bangalore and Jalandhar were also compromised, and the study reports 78 documents stolen from them. “While these documents included manuals and forms that would not be considered sensitive, they also included documents that contained private information on personnel, and documents and presentations concerning the financing and scheduling of specific engineering projects,” said the report.
Other military institutions were also targeted. “We assess that computers linked with the 21 Mountain Artillery Brigade in the state of Assam, the Air Force Station, Race Course, New Delhi and the Air Force Station, Darjipura, Vadodara, Gujarat were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, sixteen documents were exfiltrated. One document contained personal information on Saikorian alumni of the Sainik School, Korukonda, which prepares students for entry into the National Defence Academy. One document is a detailed briefing on a live fire exercise while others pertain to surface-to-air missile systems and moving target indicators,” says the report, which also adds, “We assess that computers at the Army Institute of Technology in Pune, Maharashtra and the Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, twenty one documents, including one marked ‘RESTRICTED’, were exfiltrated. There are documents and presentations detailing the finances of one of the institutions as well as personal and private information on students and their travel. There is also a document that describes ‘Project Shakti’, the Indian Army’s command and control system for artillery (India Defense 2007).”
Systems at the Institute for Defense Studies and Analyses (IDSA) as well as the National Maritime Foundation (NMF) also appear to have been compromised. The study reports 187 documents stolen from IDSA. “While many of the documents were published papers from a variety of academic sources, there were internal documents, such as an overview of the IDSA research agenda, minutes of meetings for the Journal of Defense Studies, budgets and information on a variety of speakers, visitors, and conference participants,” the report says, and adds, “We assess that computers at the National Maritime Foundation and the Gujarat Chemical Port Terminal Company Limited were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, 53 documents were exfiltrated. These documents include a summary of a seminar as well as numerous documents relating to specific shipping schedules, financial matters and personal medical information.”
Computers of media organizations like The Times of India, India Strategic and Force have also been reported to be compromised. “During our investigations we found that a variety of academic targets had been compromised, including those at the Institute for Defense Studies and Analyses (IDSA) as well as journalists at India Strategic defence magazine and FORCE magazine. The exfiltrated papers included those discussing the containment of the PRC, Chinese military exports, and Chinese foreign policy on Taiwan and Sino-Indian relations. More specifically, there were documents that focused on ethnicity, religion and politics in Central Asia, and the links between armed groups and the PRC,” said the report.
“We assess that computers at the India Strategic defence magazine and FORCE magazine were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, 58 documents were exfiltrated. While these documents include publicly accessible articles and previous drafts of those articles, there is also private information regarding the contact details of subscribers and conference participants. The documents also include interviews, documents, and PowerPoint presentations from conferences that detail national security topics, such as network data and monitoring for national security, and responses to combat cyber threats,” it adds.
Private institutions were compromised too, including DLF Limited, the real estate firm and sponsor of the Indian Premier League cricket tournament, and the Tata Group. “We assess that computers at YKK India Private Limited, DLF Limited, and TATA were compromised based on the documents exfiltrated by the attackers. During the period in which we monitored the attackers, five documents were exfiltrated. These documents include rules overseeing business travel, a presentation on roadmap and financial status, and an annual plan for a business partnership,” says the report.