The recent news in the Indian media about Indian defense documents being stolen by Chinese hackers is a pretty disturbing one. The news is based upon the research report published by the Information Warfare Monitor and Shadowserver Foundation, titled “SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0”. You can read the actual report here
The most interesting observation from this report is the shift in the focus and the nature of the attackers, the face of attackers are changing from lonely kids in their parents basements trying to impress their friends to well knowledgeable professional doing organized crimes for financial benefits. There has been incidents in the recent times that even state actors are promoting hacking for there own profit.
The research is started on the lines of earlier research works done, which revealed that computers of His Holiness Dalai lama was compromised along with that of several others to form a eave dropping network that they called ‘GhostNet’. The findings given in the report is shocking as far as Indian Computer Security is concerned. There has been clear evidence that, its a cleverly plotted one tailored to compromise Indian defense systems and to steal sensitive data.
It has been confirmed by them that the malware used in these attacks have uploaded a number of documents from the compromised systems to few Central servers controlled by the attackers.They were able to recover documents( mainly in pdf ) from one of these control servers, few of them are marked SECRET, CONFIDENTIAL etc.The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.
Compromised systems includes that of National Security Council Secretariat India, Diplomatic Missions ( Indian Embassys ), Institute for Defence Studies and Analysis,
Defence-oriented publications like FORCE and United Nations. From the nature of the targets selected, it is clear that the attack was indeed intended to collect intelligence on India military and related organizations.
Researchers identify the attackers to hail from PRC.Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC. Though there are no evidence to suggest a tie between the hackers and PLA, considering the mode of operations of PLA and the patriotic hacking activities in PRC, there is a high probability that the documents that were siphoned from the compromised systems can end up in with PLA.
They were not able to clearly identify the exact method used by the attackers to infect the target machines, but the evidence suggested that exploits are used against PDF and MS office files which will install a trojan leading to first level infection. Attackers have used a well know services like google groups and twitter to control the infected systems.This attack is the latest example of using trusted sites for malicious purpose in order to circumvent easy detection.
It can be concluded that this incident should not be seen as an isolated one, but should seen in connection with previous attacks. The underground hacking community has become a well organized crime unit. In order to combat the terror mutual co operation between various governmental/non-govt agencies and even between counties are required.