Proliferation of Cyber Warfare Capabilities in South Asia

Recent reports of Russian hacks of the American Democratic Party's election campaign staff, aimed at influencing the outcome of the US elections, have brought international cyber espionage into sharp focus once again. How many nations have such capabilities? Which are they? Are India and Pakistan among them?

Pakistan is believed to be among the couple of dozen nations with serious cyber espionage capabilities. That belief has firmed up within the cyber security community since Operation Arachnophobia, described below, was traced to a suspected origin in Pakistan.

Bloodmoney: A Novel of Espionage:

Washington Post columnist David Ignatius frequently writes about the activities of intelligence agencies and often cites "anonymous" intelligence sources to buttress his opinions. He is also a novelist who draws upon his knowledge to write spy thrillers.

Ignatius's 2011 novel "Bloodmoney: A Novel of Espionage" has as its main character Dr. Omar, a computer science professor at a Pakistani university. Omar, born in Pakistan's tribal region of South Waziristan, is a cyber security expert. One of his specialties is a deep knowledge of SWIFT, the messaging network operated by the Society for Worldwide Interbank Financial Telecommunication that carries payment instructions between banks worldwide.

Omar's parents and his entire family are killed in a misdirected US drone strike. Soon after the tragedy, several undercover CIA agents are killed within days of their arrival in Pakistan. American and Pakistani investigators seek the professor's help to solve these murders. The novel ends with the professor identified as the main culprit behind the assassinations of the CIA agents.

Operation Arachnophobia:

In 2014, researchers from FireEye, a Silicon Valley cyber security company founded by a Pakistani-American, and ThreatConnect jointly investigated "Operation Arachnophobia", a campaign targeting Indian computers. The campaign used a custom malware family dubbed Bitterbug as its backdoor for stealing information. Though the researchers say they did not identify the specific victim organizations, they found the malware bundled with decoy documents related to Indian issues, according to

The campaign was dubbed "Operation Arachnophobia" because the Bitterbug variants the researchers examined carried build paths containing the strings "Tranchulas" and "umairaziz27"; Tranchulas is an Islamabad-based Pakistani security firm and Umair Aziz is one of its employees.
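Build-path strings of this kind are what tied Bitterbug to Tranchulas, and pulling them out of a Windows binary is a routine triage step. The Python below is an added example, not code from the FireEye/ThreatConnect report or from the Bitterbug malware: it scans a byte blob for the CodeView "RSDS" debug record (signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) and for bare `X:\...\*.pdb` strings, then matches the paths it finds against a watchlist of strings. The sample blob, its GUID and the two paths in it are constructed for illustration; the actual Bitterbug build paths are not reproduced on this page.

```python
import re
import uuid

# CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL
)

# Fallback for PDB paths that sit outside a CodeView record (e.g. in stripped samples).
GENERIC_PDB_RE = re.compile(
    rb"[A-Za-z]:\\(?:[^\x00\\]{1,120}\\){0,20}[^\x00\\]{1,120}\.pdb", re.IGNORECASE
)

# The two strings the report found in the Bitterbug build paths.
WATCHLIST = ("Tranchulas", "umairaziz27")


def extract_build_paths(blob: bytes) -> list[str]:
    """Return the unique build paths found in blob, CodeView-record paths first."""
    paths: list[str] = []
    for m in RSDS_RE.finditer(blob):
        p = m.group("path").decode("latin-1")
        if p not in paths:
            paths.append(p)
    for m in GENERIC_PDB_RE.finditer(blob):
        p = m.group(0).decode("latin-1")
        if p not in paths:
            paths.append(p)
    return paths


def match_indicators(paths, watchlist=WATCHLIST):
    """Pair each path with every watchlist string it contains (case-insensitive)."""
    hits = []
    for p in paths:
        low = p.lower()
        for indicator in watchlist:
            if indicator.lower() in low:
                hits.append((p, indicator))
    return hits


def sample_blob() -> bytes:
    """Constructed stand-in for a compiled binary; GUID and paths are made up, not a real sample."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    age = (1).to_bytes(4, "little")
    rsds = (
        b"RSDS" + guid + age
        + b"C:\\Users\\umairaziz27\\Documents\\Tranchulas\\Release\\agent.pdb\x00"
    )
    stray = b"D:\\build\\nightly\\helper.pdb\x00"
    return b"MZ" + b"\x00" * 32 + rsds + b"\x00" * 16 + stray + b"\x00" * 8


if __name__ == "__main__":
    found = extract_build_paths(sample_blob())
    for path, indicator in match_indicators(found):
        print(f"{indicator!r} found in build path {path}")
```

A proper tool would locate the CodeView record through the PE debug directory rather than by scanning for its signature, but the scan is enough for quick triage across a directory of samples. One caveat matters more than the parsing: a build path is a string the compiler embeds from the developer's own environment, so it is trivial to plant as a false flag. Treat a watchlist hit as a lead to corroborate with infrastructure, code overlap and victimology, not as an attribution on its own.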

Operation Hangover:

Operation Arachnophobia targeted Indian officials. It appears to have been Pakistan's response to Operation Hangover, a campaign attributed to attackers based in India that targeted Pakistan. Investigation by the Norway-based security firm Norman in 2013 found that the Operation Hangover attack infrastructure was used primarily to extract security-related information from Pakistan and, to a lesser extent, China.

"Targeted attacks are all too common these days, but this one is certainly noteworthy for its failure to employ advanced tools to conduct its campaigns," said Jean-Ian Boutin, malware researcher at the security company ESET. "Publicly available tools to gather information on infected systems show that the attackers did not go to great lengths to cover their tracks. On the other hand, maybe they see no need to implement stealthier techniques because the simple ways still work."

Attack Easier Than Defense:

The frequency with which cyber attacks succeed suggests that attacking a system is easier than defending it. By the time an intrusion is detected, it is often too late: a great deal of valuable information has already been lost to the attackers.

However, it is still important to possess an offensive cyber capability as a deterrent. Those who lack the capacity to retaliate invite even more brazen attacks.

Need for International Treaties:

Cyberattacks on infrastructure can have disastrous consequences, including significant loss of human life. Disabling power grids and communication networks can hurt a great many people and prevent the delivery of aid to disaster victims. It is important that nations work together to agree on norms for what is permissible and what is not before there is a catastrophe.


About 30 nations, including the US, UK, France, Germany, Russia, China, India, Iran, Israel and Pakistan, possess cyber espionage and attack capabilities. The growth and proliferation of such technologies present a serious threat to world peace. There is an urgent need for the nations of the world to come together and agree on reasonable restrictions before a disaster occurs.

Haq's Musings

Revolution in Military Affairs: Cyberweapons and Robots

Cyber Warfare

Pakistani-American Founder of Fireeye Cyber Firm

Pakistan Boosts Surveillance to Fight Terror

Pakistan's Biometric Registration Database

Operation Zarb e Azb Launch

Ex Indian Spy Documents RAW's Successes in Pakistan

Intelligence Failures in Preventing Daily Carnage in Pakistan

What If Musharraf Had Said NO to US After 911?

Pakistani Computer Scientist Fights Terror

Pakistani Killer Drones to Support Anti-Terror Campaign

3G 4G Rollout Spurs Data Services Boom in Pakistan


Riaz Haq said…

A NEW REPORT from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.

The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.

Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.

Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.

Rand’s researchers found that there was no pattern around which exploits lived a long or short life — severe vulnerabilities were not more likely to be fixed quickly than minor ones, nor were vulnerabilities in programs that were more widely available.

“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,” write lead researchers Lillian Ablon and Andy Bogart in their paper “Zero Days, Thousands of Nights.”

Rand, a nonprofit research group, is the first to study in this manner a database of exploits that are in the wild and being actively used in hacking operations. Previous studies of zero days have used manufactured data or the vulnerabilities and exploits that get submitted to vendor bug bounty programs — programs in which software makers or website owners pay researchers for security holes found in their software or websites.

The database used in the study belongs to an anonymous company referred to in the report as “Busby,” which amassed the exploits over 14 years, going back to 2002. Busby’s full database actually has around 230 exploits in it, about 100 of which are still considered active, meaning they are unknown to the software vendors and therefore no patches are available to fix them. The Rand researchers only had access to information on 207 zero days — the rest are recently discovered exploits the company withheld from Rand’s set “due to operational sensitivity.”

While it’s not known how many of these exploits are in the U.S. government’s arsenal, Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, believes the U.S. government’s zero-day stockpile is comparable in size to Busby’s.
Riaz Haq said…
The global war in Cyberia has begun — and will never end


To each American administration, its war. For Truman and Eisenhower, Korea. For Kennedy, Johnson and Nixon, Vietnam. For Carter and Reagan, the culmination of the Cold War. For both Bushes, Iraq. For Clinton, ex-Yugoslavia. For Obama, Afghanistan.

Which will be Donald Trump’s war? There is good reason to fear it could be the Second Korean War. Or it could be yet another quagmire in the Middle East. His most excitable critics warn that the Third World War will happen on his watch. But I am more worried about the First Cyber War — because that war has already begun.

Last week’s cyber-attack was just the latest directed against the US by WikiLeaks: the release of a vast cache of documents stolen from the CIA.

In a tweet, WikiLeaks claimed these revealed “CIA hacker malware a threat to journalists: infests iPhone, Android bypassing Signal, Confide encryption”.

Actually, none of the documents mentions Signal, but that’s not the point. In the strange land of Cyberia — the twilight zone inhabited by Russian intelligence operatives — cyber-warfare is mainly about the spread of disinformation under the guise of leaking classified or confidential information.

To visit the WikiLeaks website is to enter the trophy room of Cyberia. Here is the “Hillary Clinton Email Archive”, over there are “The Podesta Emails”. Not all the leaked documents are American, but you will look in vain for leaks calculated to embarrass Russia. Julian Assange may still skulk in the Ecuadorean embassy in London but he lives in Cyberia, Vladimir Putin’s honoured guest.

Computer scientists have understood the disruptive potential of cyber-warfare since the earliest days of the internet. At first it was adolescent hackers who caused mayhem: geeks such as Robert Tappan Morris, who almost crashed the internet in 1988 by releasing a highly infectious software worm.

It is still the case that a lot of cyber-attacks are carried out by non-state actors: teenage vandals, criminals, “hacktivists” or terrorist organisations. However, the most striking development of the past year has been the advent of Cyberia.

As the country that built the internet, the US was bound to lead in cyber-warfare. During the 2003 Iraq invasion, US spies penetrated Iraqi networks and sent messages urging generals to surrender. Seven years later the US and Israel unleashed the Stuxnet virus on Iran’s nuclear facilities. The problem is not just that two can play at that game. It is that no one knows how many people can play at any number of cyber-games.

In recent years, the US has found itself under cyber-attack from Iran, North Korea and China. However, these attacks were directed against companies (notably Sony Pictures). The Russians are the first to wage war directly against the US government. They learnt the ropes in attacks on Estonia, Georgia and Ukraine. Last year, using WikiLeaks and the blogger Guccifer 2.0 as proxies, they launched a sustained assault on the US political system, using the Clinton emails and those of her campaign manager John Podesta to undermine the credibility of the Democratic Party’s presidential candidate.


Like the financial network, our social, commercial and infrastructural networks are under constant attack from fools and knaves. There is nothing we can do to stop them. The most we can do is to design networks so that the ravages of Cyberia can’t cause a total outage.

Trump’s war has begun: it is the First Cyber War. Like all wars, its first casualty was truth. Unlike other wars, it will have no last casualty, as it is a war without end. Get used to it. Or get rid of your computer.
Riaz Haq said…
Let’s leave aside the question of whether that interference decided the election in favour of Trump. The critical point is that Moscow was undeterred. For specialists in national security, this is only one of many perplexing features of cyber-war. Accustomed to the elegant theories of “mutually assured destruction” that evolved during the Cold War, they are struggling to develop a doctrine for a different form of conflict, with countless potential attackers and numerous gradations of destructiveness.

For Joseph Nye of Harvard’s Kennedy School, deterrence may be salvageable, but that can only be true now if America is prepared to make an example of an aggressor. The three other options Nye proposes are to ramp up cyber-security, to try to “entangle” potential aggressors in trade and other relationships (so as to raise the cost of cyber-attacks to them), or to establish global taboos against cyber, like those against biological and chemical weapons.

Nye’s analysis is not very comforting. Given the sheer number of cyber-aggressors, defence seems doomed to lag behind offence. And the Russians have proved themselves to be indifferent to both entanglement and taboos, even if China seems more amenable to Nye’s approach.

How scared should we be of Cyberia? For Princeton’s Anne-Marie Slaughter, our hyper-networked world is, on balance, a benign place and America “will gradually find the golden mean of network power”. At the other extreme is Joshua Cooper Ramo, whose book The Seventh Sense argues for the erection of real and virtual “gates” to shut out the Russians and other malefactors. But Ramo himself quotes the three rules of computer security devised by the NSA cryptographer Robert Morris Sr: 1. Do not own a computer; 2. Do not power it on; 3. Do not use it. If we all ignore those rules, how will any gates keep out the Cyberians?

An intellectual arms race is on to devise a viable doctrine of cyber-security. My 10 cents’ worth is that those steeped in the traditional thinking of national security will not come up with it. A realistic goal is not to deter attacks or retaliate against them but to regulate all the various networks on which our society depends so that they are resilient — or, better still, “anti-fragile”, a term coined by Nassim Taleb to describe a system that grows stronger under attack.
Riaz Haq said…
Can Cyber Warfare Be Deterred? by Joseph Nye

Fear of a “cyber Pearl Harbor” first appeared in the 1990s, and for the past two decades, policymakers have worried that hackers could blow up oil pipelines, contaminate the water supply, open floodgates and send airplanes on collision courses by hacking air traffic control systems. In 2012, then-US Secretary of Defense Leon Panetta warned that hackers could “shut down the power grid across large parts of the country.”

None of these catastrophic scenarios has occurred, but they certainly cannot be ruled out. At a more modest level, hackers were able to destroy a blast furnace at a German steel mill last year. So the security question is straightforward: Can such destructive actions be deterred?

It is sometimes said that deterrence is not an effective strategy in cyberspace, because of the difficulties in attributing the source of an attack and because of the large and diverse number of state and non-state actors involved. We are often not sure whose assets we can hold at risk and for how long.

Attribution is, indeed, a serious problem. How can you retaliate when there is no return address? Nuclear attribution is not perfect, but there are only nine states with nuclear weapons; the isotopic identifiers of their nuclear materials are relatively well known; and non-state actors face high entry barriers.

None of this is true in cyberspace where a weapon can consist of a few lines of code that can be invented (or purchased on the so-called dark web) by any number of state or non-state actors. A sophisticated attacker can hide the point of origin behind the false flags of several remote servers.

While forensics can handle many “hops” among servers, it often takes time. For example, an attack in 2014 in which 76 million client addresses were stolen from JPMorgan Chase was widely attributed to Russia. By 2015, however, the US Department of Justice identified the perpetrators as a sophisticated criminal gang led by two Israelis and an American citizen who lives in Moscow and Tel Aviv.

Attribution, however, is a matter of degree. Despite the dangers of false flags and the difficulty of obtaining prompt, high-quality attribution that would stand up in a court of law, there is often enough attribution to enable deterrence.

For example, in the 2014 attack on SONY Pictures, the United States initially tried to avoid full disclosure of the means by which it attributed the attack to North Korea, and encountered widespread skepticism as a result. Within weeks, a press leak revealed that the US had access to North Korean networks. Skepticism diminished, but at the cost of revealing a sensitive source of intelligence.

Prompt, high-quality attribution is often difficult and costly, but not impossible. Not only are governments improving their capabilities, but many private-sector companies are entering the game, and their participation reduces the costs to governments of having to disclose sensitive sources. Many situations are matters of degree, and as technology improves the forensics of attribution, the strength of deterrence may increase.

Moreover, analysts should not limit themselves to the classic instruments of punishment and denial as they assess cyber deterrence. Attention should also be paid to deterrence by economic entanglement and by norms.

Economic entanglement can alter the cost-benefit calculation of a major state like China, where the blowback effects of an attack on, say, the US power grid could hurt the Chinese economy. Entanglement probably has little effect on a state like North Korea, which is weakly linked to the global economy. It is not clear how much entanglement affects non-state actors. Some may be like parasites that suffer if they kill their host, but others may be indifferent to such effects.
Riaz Haq said…
As for norms, major states have agreed that cyber war will be limited by the law of armed conflict, which requires discrimination between military and civilian targets and proportionality in terms of consequences. Last July, the United Nations Group of Government Experts recommended excluding civilian targets from cyberattacks, and that norm was endorsed at last month’s G-20 summit.

It has been suggested that one reason why cyber weapons have not been used more in war thus far stems precisely from uncertainty about the effects on civilian targets and unpredictable consequences. Such norms may have deterred the use of cyber weapons in US actions against Iraqi and Libyan air defenses. And the use of cyber instruments in Russia’s “hybrid” wars in Georgia and Ukraine has been relatively limited.

The relationship among the variables in cyber deterrence is a dynamic one that will be affected by technology and learning, with innovation occurring at a faster pace than was true of nuclear weapons. For example, better attribution forensics may enhance the role of punishment; and better defenses through encryption may increase deterrence by denial. As a result, the current advantage of offense over defense may change over time.

Cyber learning is also important. As states and organizations come to understand better the importance of the Internet to their economic wellbeing, cost-benefit calculations of the utility of cyber warfare may change, just as learning over time altered the understanding of the costs of nuclear warfare.

Unlike the nuclear age, when it comes to deterrence in the cyber era, one size does not fit all. Or are we prisoners of an overly simple image of the past? After all, when nuclear punishment seemed too draconian to be credible, the US adopted a conventional flexible response to add an element of denial in its effort to deter a Soviet invasion of Western Europe. And while the US never agreed to a formal norm of “no first use of nuclear weapons,” eventually such a taboo evolved, at least among the major states. Deterrence in the cyber era may not be what it used to be, but maybe it never was.
Riaz Haq said…
US scientists at U of Michigan hack' #India electronic #vote17 machines - BBC News. #UPElection2017

Scientists at a US university say they have developed a technique to hack into Indian electronic voting machines.
After connecting a home-made device to a machine, University of Michigan researchers were able to change results by sending text messages from a mobile.
Indian election officials say their machines are foolproof, and that it would be very difficult even to get hold of a machine to tamper with it.
India uses about 1.4m electronic voting machines in each general election.
'Dishonest totals'
A video posted on the internet by the researchers at the University of Michigan purportedly shows them connecting a home-made electronic device to one of the voting machines used in India.
Professor J Alex Halderman, who led the project, said the device allowed them to change the results on the machine by sending it messages from a mobile phone.

"We made an imitation display board that looks almost exactly like the real display in the machines," he told the BBC. "But underneath some of the components of the board, we hide a microprocessor and a Bluetooth radio."
"Our lookalike display board intercepts the vote totals that the machine is trying to display and replaces them with dishonest totals - basically whatever the bad guy wants to show up at the end of the election."
In addition, they added a small microprocessor which they say can change the votes stored in the machine between the election and the vote-counting session.
India's electronic voting machines are considered to be among the most tamperproof in the world.
There is no software to manipulate - records of candidates and votes cast are stored on purpose-built computer chips.
Paper and wax seals
India's Deputy Election Commissioner, Alok Shukla, said even getting hold of machines to tamper with would be very difficult.
"It is not just the machine, but the overall administrative safeguards which we use that make it absolutely impossible for anybody to open the machine," he told the BBC.
"Before the elections take place, the machine is set in the presence of the candidates and their representatives. These people are allowed to put their seal on the machine, and nobody can open the machine without breaking the seals."
The researchers said the paper and wax seals could be easily faked.
However, for their system to have any impact they would need to install their microchips on many voting machines, no easy task when 1,368,430 were used in the last general election in 2009.
Riaz Haq said…
India, Pakistan cyber war intensifies

NEW DELHI: Indian hackers claimed to have hacked the Islamabad, Peshawar, Multan International and Karachi airport websites.

The hack comes just days after Pakistani hackers, identifying themselves as 'Alone Injector', posted offensive content on NSG's official homepage. As most were preparing to celebrate New Year, hackers from India and Pakistan were busy firing shots across the online border in the ongoing cyber war between the two countries.

Indian hackers allegedly infected three Pakistan airport websites with ransomware claiming that this was to avenge hacking of the official website of the elite National Security Guard (NSG) by their counterpart in Pakistan.

Indian hackers on Monday night claimed to have hacked the Islamabad, Peshawar, Multan International and Karachi airport websites. Not only have they hacked the websites and brought them down, but they have also injected them with ransomware which restricts the owners' use of their websites. Indian hackers locked access to the websites and are demanding bitcoins (virtual money) in exchange for unlocking them. However, an Indian hacker told Mail Today that the last time, the money they got from Pakistan to unlock their computer was donated to needy kids, but this time they will not share the key to unlock the sites.

The move came just a day after Pakistani hackers, identifying themselves as 'Alone Injector', posted the offensive content on NSG's official homepage. The website belonging to the 'black cat' commandos is maintained from the NSG headquarters and gives out basic information about the force, its origin and operations.

The matter has been brought to the notice of the National Informatics Centre, and remedial action is in process. Retaliating immediately, Indian hackers have launched a massive attack on crucial Pakistan establishment and warned both Pakistan hackers and the government against attacking India further.

This hacking group in past had infected the Pakistan government systems, taken control over hundreds of computers and locked its complete data, making it inaccessible - using a malicious programme. The hacking group also leaked details of Pakistan army officers and banking details.

However, there was no confirmation by any security agency about it as the hackers from both the countries are not officially. This fighting started last week after Pakistan cyber attackers hacked

Thiruvananthapuram airport's website, a group of cyber experts from Kerala - the 'Mallu Cyber Soldiers' - decided to respond in kind: by hacking the website of a Pakistani airport. The hacker obtained the login information for the website of the Sialkot International Airport in Pakistan's Punjab province. They changed the password and shared the new login details with the public. Experts believe the hacking of airport websites can be used to get out crucial information about flights, which can have serious consequences.

Moreover, leaking of details about the individual airports - from logistics to facilities - is also dangerous. Experts believe that intelligence-gathering process has increased as hackers are not only defacing the sites but are silently spying on critical networks. 'Indian hackers have only replied after observing malicious intention of Pakistani hackers.

'Techies across the border targeted Indian sites result of which NSG's website was hacked. Such fights are common but now the intensity of attacks have increased many fold as hackers from both the countries are targeting crucial websites,' said Kislay Choudhary, a cyber crime expert.
Riaz Haq said…
America must defend itself against the real national security menace

by Fareed Zakaria

1. Punishment
2. Defense
3. Taboo

Since the North Korean government’s 2014 attacks on Sony Pictures Entertainment, many in the intelligence community, including Adm. Michael S. Rogers, have warned that “we’re at a tipping point.” Rogers, head of the National Security Agency and U.S. Cyber Command, testified to Congress in 2015 that the country had no adequate deterrent against cyberattacks. He and many others have argued for an offensive capacity forceful enough to dissuade future threats.

But the digital realm is a complex one, and old rules will not easily translate. The analogy that many make is to nuclear weapons. In the early Cold War, that new category of weaponry led to the doctrine of deterrence, which in turn led to arms-control negotiations and other mechanisms to foster stable, predictable relations among the world’s nuclear powers.

But this won’t work in the cyber realm, Joseph Nye says in an important new essay in the journal International Security. First, the goal of nuclear deterrence has been “total prevention” — to avert a single use of nuclear weapons. Cyberattacks happen all the time, everywhere. The Defense Department reports getting 10 million attacks a day. Second, there is the problem of attribution. Nye quotes defense official William Lynn, who observed in 2010, “Whereas a missile comes with a return address, a computer virus generally does not.” That’s why it is so easy for the Russian government to deny any involvement with the hacking against the Democratic National Committee. It is hard to establish ironclad proof of the source of any cyberattack — which is a large part of its attractiveness as an asymmetrical weapon.

Nye argues that there are four ways to deal with cyberattacks: punishment, entanglement, defense and taboos. Punishment involves retaliation, and although it is worth pursuing, both sides can play that game, and it could easily spiral out of control.

Entanglement means that if other countries were to harm the United States, their own economies would suffer. It strikes me as of limited value because there are ways to attack the United States discreetly without shooting oneself in the foot (as Russia has shown recently, and as Chinese cybertheft of intellectual property shows as well). And it certainly wouldn’t deter groups such as the Islamic State, al-Qaeda or even WikiLeaks.

The other two strategies merit more consideration. Nye contends that the United States should develop a serious set of defenses, beyond simply governmental networks, that are modeled on public health. Regulations and information would encourage the private sector to follow some simple rules of “cyber hygiene” that could go a long way toward creating a secure national network. This new system of defenses should become standard in the digital world.

The final strategy Nye suggests is to develop taboos against certain forms of cyberwarfare. He points out that after the use of chemical weapons in World War I, a taboo grew around their use, was enacted into international law and has largely held for a century. Similarly, in the 1950s, many strategists saw no distinction between tactical nuclear weapons and “normal” weapons. Gradually, countries came to shun any use of nuclear weaponry, a mutual understanding that has also survived for decades. Nye recognizes that no one is going to stop using cyber-tools but believes that perhaps certain targets could be deemed off-limits, such as purely civilian equipment.

Of course, the development of such norms would involve multilateral negotiations, international forums, rules and institutions, all of which the Trump administration views as globaloney. But at least it is working hard to prevent Yemeni tourists from entering the country.
Riaz Haq said…
Wikileaks reveal #American #Spy Agency #NSA #Cyber Weapons Used to Hack #Pakistan mobile system via @techjuicepk

New information about the involvement of US in hacking Pakistan mobile system has been found in a release by Wikileaks. This leak points to NSA’s cyber weapons which include code related to hacking of Pakistan mobile system.

NSA’s interest in Pakistan
NSA, National Security Agency responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes in the USA, has allegedly spied on Pakistani civilian and military leadership in the past. Edward Snowden, a former NSA employee, has also suggested in the past that NSA used wiretapping and cyber weapons to spy on many international leaders.

Scope of new information
On Saturday, Wikileaks revealed hundreds of cyber weapons variants which include code pointing towards NSA hacking Pakistan mobile system.

The link shared in the tweet by Wikileaks’ official account points to a Github repository containing the decrypted files pertaining to NSA cyber weapons. A complete analysis of these files by a cyber security expert is needed to further highlight the severity of the situation. Initial impressions, however, seem to indicate that these leaks will certainly provide more substance to previous allegations against NSA.
Riaz Haq said…
#Cyberattack Hits #Ukraine Then Spreads Internationally. #NSA #hackingtool #WannaCry #Petya #Russia

Computer systems from Ukraine to the United States were struck on Tuesday in an international cyberattack that was similar to a recent assault that crippled tens of thousands of machines worldwide.

In Kiev, the capital of Ukraine, A.T.M.s stopped working. About 80 miles away, workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed. And tech managers at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.

It was unclear who was behind this cyberattack, and the extent of its impact was still hard to gauge Tuesday. It started as an attack on Ukrainian government and business computer systems — an assault that appeared to have been intended to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union. The attack spread from there, causing collateral damage around the world.

The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the National Security Agency and leaked online in April by a group called the Shadow Brokers.

Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.

The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created.

“The N.S.A. needs to take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that they’ve unleashed,” said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agency’s hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon.

The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix.

“Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president for security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.”

Because the ransomware used at least two other ways to spread on Tuesday — including stealing victims’ credentials — even those who used the Microsoft patch could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others.

A Microsoft spokesman said the company’s latest antivirus software should protect against the attack.

The Ukrainian government said several of its ministries, local banks and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted.
Riaz Haq said…
The Opinion Pages | EDITORIAL

When Cyberweapons Go Missing

Twice in the past few months, powerful cyberattacks have wreaked havoc on the world, shutting down tens of thousands of computers, including critical machines in hospitals, a nuclear site and businesses. The attacks were initially thought to be schemes to collect ransom, but their goals — whether money, politics or just chaos — have become increasingly blurred. One thing seems clear: The weapons for the attack were developed by the National Security Agency and stolen from it.

That’s chilling. After the first attack, Brad Smith, the president of Microsoft, said the theft of the cyberweapons was equivalent to Tomahawk missiles’ being stolen from the military, and he issued a scathing critique of the government’s stockpiling of computer vulnerabilities. The N.S.A. has not only failed to assist in identifying the vulnerabilities its weapons were designed to exploit but has also not even acknowledged their existence or their theft.

It remains a mystery whether the N.S.A. knows how its weapons were stolen. What is known is that a group called Shadow Brokers started offering them for sale in August and made them public in April. It promised a fresh batch last month, offering them to monthly subscribers. Former intelligence officials said it was clear the weapons came from an N.S.A. unit formerly known as Tailored Access Operations.

Once publicly available, the weapons can be reconfigured for many purposes and used by anyone with some computer savvy. North Korea was thought to be a culprit in the first wave of attacks, and Russian hackers may have been behind the second. Other forces may be at work, too. A cybersecurity officer with the IDT Corporation in Newark, Golan Ben-Oni, has made waves with warnings that ransom demands could be a cover for far deeper invasions to steal confidential information.

Secrecy, of course, is the N.S.A.’s stock in trade, and acknowledging authorship of stolen cyberweapons runs counter to everything the spy agency does. A spokesman for the National Security Council at the White House was quoted as saying that the administration “is committed to responsibly balancing national security interests and public safety and security.”

Fixing this deadly serious problem is certain to be complex, but the task is urgent. The N.S.A. clearly needs to do a better job of safeguarding the cyberweapons it is developing and also neutralizing the damage their theft has unleashed. Microsoft, whose software vulnerabilities were exploited in the attacks, and companies that use its software will have to strengthen their defenses.

Beyond that, the federal government may want to offer grants as incentives to groups doing malware analysis. Once conclusively identified, the culprits behind the attacks must be penalized in some way, such as with sanctions. While the immediate focus needs to be on concrete responses, it is also worth thinking seriously about more global cooperation, such as the Digital Geneva Convention proposed by Microsoft as a way to prevent cyberwarfare.
Riaz Haq said…
Pakistan military access metadata, texts, photos from hacked phones of Australian diplomats

The Pakistani military is alleged to have hacked information from Australian diplomats potentially gaining access to sensitive metadata, texts and photos and tracking their movements.

The hacking is thought to have occurred after the Australians interacted with those whose phones were compromised after they downloaded apps or had their phones physically accessed by the hackers.

A just-published report by a United States mobile phone data security company, Lookout, detailed the hacking which it said it had reported to the appropriate authorities and may have links back to an individual previously associated with a Sydney-based company.

Lookout’s report said it had identified over 15 gigabytes of compromised data that included call records, audio recordings, device location information, text messages and photos.

It said analysis of the exfiltrated data found details of trips to the Pakistani cities of Quetta and Balochistan by Australian diplomats.

The report contains an image of what appears to be a document detailing an itinerary for Australian diplomats.

“Visit of Australian diplomats” is the heading of the document which has been redacted by Lookout but appears to reference the names of the individuals undertaking a visit and discuss security arrangements.

The report says the tools were part of a “highly targeted intelligence gathering campaign we believe is operated by members of the Pakistani military” using surveillanceware families Lookout referred to as Stealth Mango (Android) and Tangelo (iOS).

“Our research shows that Stealth Mango is being actively managed by Pakistani based actors that are likely military,’’ it says. “We determined that government officials and civilians from the United States, Australia, the United Kingdom and Iran had their data indirectly compromised after they interacted with Stealth Mango victims.’’

It says the Australians may have had their data stolen after they associated with users who had been compromised by the Stealth Mango surveillanceware.

“We further identified content from other countries officials and diplomats, including the United States, Australia, the United Kingdom and Iran, however we believe this data may have been stolen when these victims interacted with Stealth Mango victims,’’ it said.

Among the data believed to be uploaded and tracked from infected phones were installed packages and device information, changes in SIM card or phone numbers on the device, picture, video and audio files, SMS logs and deleted incoming messages, GPS tracking, functionality to detect when a victim is driving, calendar events and reminders, and contact lists for various third party applications such as Yahoo and Google Talk, among others.

The report notes that the developer of the spyware may have at one point been associated with a company headquartered in Sydney that develops similar legal applications that track devices.

It suspects the developer is part of a group of developers selling mobile surveillance ware and is based in a specific area in the Pakistani capital Islamabad — potentially a government building associated with the Pakistani ministry of education.

The company says it has shared information about the breaches with the appropriate authorities.

“The actor behind Stealth Mango has stolen a significant amount of sensitive data from compromised devices without the need to resort to exploits of any kind,’’ it says.

“The actors that are developing this surveillanceware are also setting up their own command and control infrastructure and in some cases encountering some operational security missteps, enabling researchers to discover who the targets are and details about the actors operating it that otherwise are not as easily obtained.

Riaz Haq said…
Stealth Mango & Tangelo: Selling your fruits to nation state actors

Lookout Security Intelligence has discovered a set of custom Android and iOS surveillanceware tools we’re respectively calling Stealth Mango and Tangelo. These tools have been part of a highly targeted intelligence gathering campaign we believe is operated by members of the Pakistani military. Our investigation indicates this actor has used these surveillanceware tools to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. To date, we have observed Stealth Mango being deployed against victims in Pakistan, Afghanistan, India, Iraq, Iran, and the United Arab Emirates. The surveillanceware also retrieved sensitive data from individuals and groups in the United States, Australia, and the United Kingdom. These individuals and groups were not themselves targeted, but interacted with individuals whose devices had been compromised by Stealth Mango or Tangelo. We believe that the threat actor behind Stealth Mango is also behind Op C Major and Transparent Tribe.

Key findings

Lookout researchers have identified a new mobile malware family called Stealth Mango.
• Our research shows that Stealth Mango is being actively managed by Pakistani based actors that are likely military.
• Stealth Mango is being used in targeted surveillance operations against government officials, members of the military, and activists in Pakistan, Afghanistan, India, Iraq, and the United Arab Emirates.
• We determined that government officials and civilians from the United States, Australia, the United Kingdom, and Iran had their data indirectly compromised after they interacted with Stealth Mango victims.
• The actors behind Stealth Mango typically lure victims via phishing, but they may also have physical access to victims’ devices.
• The attacker has multi-platform capabilities. We know of the Android component and there is evidence of an iOS component. The evidence is as follows:
  • A sample Debian package on attacker infrastructure called Tangelo
  • EXIF data from exfiltrated content showed data from iPhones
  • WHOIS information from the attackers shows registrations for the following domains: iphonespyingsoftware[.]org, iphonespyingapps[.]org, and iphonespyingapps[.]info

We have identified over 15 gigabytes of compromised data on attacker infrastructure.
• Exfiltrated content includes call records, audio recordings, device location information, text messages, and photos.
• We found attacker infrastructure running the WSO web shell, which provides a third party with complete control over the server.
• The actor deploying Stealth Mango appears to have a primarily mobile-focused capability.

Stealth Mango and Tangelo appear to have been created by freelance developers with physical presences in Pakistan, India, and the United States.
• These individuals belong to the same developer group.
• We linked their tooling to several commodity mobile surveillance tools, suggesting that they are either sharing code or have engaged with several distinct customers who are being delivered tooling based off similar source code.
