'DNA' investigation: PMO fights largest cyber attack

On November 15, 2010, the additional secretary in the ministry of finance received an email with an attachment from the Indian high commissioner in Islamabad, Pakistan.

The attachment, unknown to the mail’s sender and the recipient, was a cyber attack carrying a malware designed to hack into as many systems as possible.

As investigators from the National Technical Research Organisation (NTRO), India’s technical intelligence agency, began their investigations, they learnt that the high commissioner was not even aware about the mail. It had an excel sheet as attachment, titled “G-20services.xls”.

Foreign secretary Nirupama Rao was one of the recipients among a host of other senior officials. As soon as they opened the attachment, the malware downloaded itself and began to spread through the system, creating ghost commands that would begin transmitting information to the attacker.

Had it not been for the NTRO’s timely intervention, many of these attacks would have succeeded and created havoc in India’s massive security architecture causing an incalculable loss of sensitive information.

Beginning in 2009, the number of cyber attacks on India’s vital systems has risen sharply in quality and quantity. Investigators have concluded that this kind of selective targeting of key senior departments, like the July 12, 2011, attack on the PMO, can only be done by a state-sponsored agency.

But finding the real culprit is not easy. Officials familiar with several such investigations told DNA that the actual attacker is rarely known or traced. They use third party protocols as fronts to launch an attack, direct the information stored on the victim’s computer towards a secret website that serve as a “drop box”, from where the information can be recovered.

Conventional wisdom said most of the attacks were from China until the investigators made a stunning discovery. Written into the code of the malwares were Chinese characters that immediately confirmed their initial suspicion. But working on a hunch, they removed the Chinese characters and discovered that the malware was still working at peak efficiency. “Obviously this was a red herring meant to mislead us,” a senior official said.

While there is little doubt that many of these attacks could emanate from China, investigators are also convinced that an ally in the West could be behind some of these cyber espionage operations.

The ingenuity and range of some of the cyber attacks has left investigators astounded. In one case they found a whole sub domain created under the government-owned National Informatics Centre (NIC).The NIC operates the backbone of the government’s IT platform and it was shocking to find a fake sub domain called www.indexnews.indmin.net registered with NIC operating without raising any alarm.

In another case, a mail was sent out from the official id of an IPS official, Pranab Ray, in the home ministry. The only problem with the mail was the id — pranabray@nic.in — was sent long after Ray had retired from service. Once again, the mail had an attachment with malwares that could hack into sensitive systems and pry information out.

But the most stunning attack happened when the NTRO detected that information from computers not even linked to the internet was leaking out. These were secret e-grams, sent over secure networks carrying sensitive diplomatic communiqués to India from its embassies abroad.

An elaborate investigation led them to an Indian Foreign Service officer working as a director in the ministry of external affairs’ Western Europe desk. At some point, her computer had been infected with a unique malware that worked only on pen drives or removable storage disks.

Once it lodged itself on a pen drive, it would wait till it was connected to a standalone computer with sensitive data. The malware would then deploy from the pen drive, pick up all sensitive folders and return to the pen drive. As soon as it was connected to a computer with an internet connection, it would immediately download all the sensitive files and transmit them to the attacker.

In cyber espionage terms, this operation is described as “bridging the air-gap”. Such expertise, investigators concluded, could only come from a hostile state with tremendous cyber capabilities.