Proliferation of Cyber Hacking Tools in Pakistan

Many intelligence agencies are turning to the use of smartphone malware and spyware for the purpose of hacking and surveillance. The list of such agencies includes but not limited to US CIA, NSA, Mossad, RAW, MI6, ISI and others. Global proliferation of cyber hacking tools appears to have been accelerated with the US CIA's loss of control of its hacking tools including spyware, malware, viruses and trojans.

Stealth Mango and Tangelo:

Lookout, an American mobile security firm based in San Francisco, has recently published a report claiming that a "group or individuals that are believed to belong to the Pakistani military "has developed and released a "set of custom Android and iOS surveillanceware tools we’re respectively calling Stealth Mango and Tangelo".  The report says: "These tools have been part of a highly targeted intelligence gathering campaign we believe is operated by members of the Pakistani military". The countries affected by it include Afghanistan, India, Iraq, Pakistan and the United Arab Emirates, according to Lookout report.

Mango and Tangelo Spyware Targets. Source: Lookout


The targets in Pakistan include members of the foreign diplomatic corps who have visited conflict zones, particularly parts of Balochistan, and Pakistani officials involved in internal corruption investigations.

The goal of the Lookout report is to sell their security software as obvious from their concluding summary below:

"Stealth Mango and Tangelo is yet another example among the numerous campaigns we have uncovered (Dark Caracal, ViperRAT, FrozenCell, etc.) where threat actors are developing in-house custom surveillanceware. The actor behind Stealth Mango has stolen a significant amount of sensitive data from compromised devices without the need to resort to exploits of any kind. The actors that are developing this surveillanceware are also setting up their own command and control infrastructure and in some cases encountering some operational security missteps, enabling researchers to discover who the targets are and details about the actors operating it that otherwise are not as easily obtained. Relevant data has already been shared with the appropriate authorities. Lookout customers are protected against Stealth Mango and Tangelo and have been for several months since the beginning of the investigation."

Amnesty International Allegations:

Amnesty International has alleged that attackers are using fake online identities and social media profiles to "ensnare Pakistani human rights defenders online and mark them out for surveillance and cybercrime".  The report titled "Human Rights Under Surveillance: Digital Threats against Human Rights Defenders in Pakistan" claims that Diep Saeeda, a Lahore-based human rights activist, has been targeted by a "network of individuals and companies based in Pakistan that are behind the creation of some of the tools seen in surveillance operations used to target individuals in Pakistan".

Amnesty says that "over the course of several months, Amnesty International used digital forensic techniques and malware analysis to identify the infrastructure and web pages connected to online attacks on human rights activists in Pakistan".  "Amnesty International’s Technology and Human Rights team has been able to trace these attacks to a group of individuals based in Pakistan".

Proliferation of Hacking Tools:

In 2017, Wikileaks revealed that the American intelligence agency CIA has "lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation." The Wikileaks noted that that "the CIA made these systems unclassified".

Wikileaks said: "In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7" — the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse".

FBI agents have since arrested 29-year-old former CIA software engineer Joshua A. Schulte as a prime suspect in the release of the CIA documents via Wikileaks, according to New York Times.

It appears that the CIA's "hacking arsenal" is now being modified and used by many state and non-state actors to carry out hacking and surveillance of their targets around the world. The proliferation of cyber hacking tools appears to be a lot easier than the proliferation of the nuclear weapons technology.

Summary:

A report by American mobile security software vendor Lookout claims that individuals and groups  connected to the Pakistani military are using spyware and malware tools on targets in Afghanistan, Pakistan, India and UAE. Amnesty International alleges that Pakistan intelligence agencies are "network of individuals and companies based in Pakistan that are behind the creation of some of the tools seen in surveillance operations used to target individuals in Pakistan".

Many intelligence agencies are turning to the use of smartphone malware and spyware for the purpose of hacking and surveillance. The list of such agencies includes but not limited to US CIA, NSA, Mossad, RAW, MI6, ISI and others. Global proliferation of cyber hacking tools appears to have been accelerated when the US CIA  lost control of its hacking tools including malware, viruses and trojans.

Related Links:

Haq's Musings

South Asia Investor Review

Pakistan Operation Arachnophobia

Social Media Tribalism

Revolution in Military Affairs: Cyberweapons and Robots

Cyber Warfare

Pakistani-American Founder of Fireeye Cyber Firm

Pakistan Boosts Surveillance to Fight Terror

Pakistan's Biometric Registration Database

Operation Zarb e Azb Launch

Ex Indian Spy Documents RAW's Successes in Pakistan

Intelligence Failures in Preventing Daily Carnage in Pakistan

What If Musharraf Had Said NO to US After 911?

Pakistani Computer Scientist Fights Terror

Pakistani Killer Drones to Support Anti-Terror Campaign

3G 4G Rollout Spurs Data Services Boom in Pakistan

Comments

Riaz Haq said…
Pakistan’s first-ever Cyber Security Centre launched
Aims to develop tools and technologies to protect cyberspace, sensitive data and local economy from the cyber-attacks

https://gulfnews.com/news/asia/pakistan/pakistan-s-first-ever-cyber-security-centre-launched-1.2225435

Pakistan government’s Cyber Security Centre has been inaugurated at Air University in Islamabad to deal with cyber security challenges in the digital age.

-------------

Faaiz Amir informed that Air University is also commencing a four year BS cyber security programme, which is designed to develop modern cyber security skills and apply them to manage computers, systems, and networks from cyber-attacks. The programme would increase the awareness and knowledge about cyber security in Pakistani students, he added.


------------

Cyber security encompasses technologies, processes and controls that are designed to protect systems, networks and data from cyber attacks. Pakistan’s Cyber Security Centre aims to develop advanced tools and research technologies to protect Pakistan’s cyberspace, sensitive data, and local economy from the cyber-attacks.
The headquarter of the National Centre for Cyber Security will be based at Air University Islamabad with labs at different universities of Pakistan including Bahria University Islamabad, National University of Science and Technology (NUST), Information Technology University Lahore (ITU), Lahore University of Managment Sciences (LUMS), University of Peshawar, University of Engineering and Technology Peshawar, University of Nowshera, Pakistan Institute of Engineering and Applied Sciences (PIEAS), NED University Karachi, University of Engineering and Technology Lahore and University of Engineering and Technology Taxila.
Cyber-attackspose an enormous threat to the national economy, defence and security, National Security Adviser, Nasser Khan Janjua, earlier said.
After repeated calls from experts to secure the cyber space, Pakistan government has finally launched the centre to protect the cyberspace, sensitive data, and local economy from the cyber-attacks.
Last week, country’s National Counter Terrorism Authority (NACTA) also established a cyber security wing on modern lines to evolve cyber security strategies and to meet emerging cyber terrorism threats.
Riaz Haq said…
https://gpinvestigations.pri.org/how-north-korean-hackers-became-the-worlds-greatest-bank-robbers-492a323732a6

How North Korean hackers became the world’s greatest bank robbers
Patrick Winn May 16
Asia correspondent for PRI and GlobalPost Investigations• RFK Award Winner • Author of HELLO, SHADOWLANDS, available on

The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.

It was among the greatest heists against a United States bank in history and the thieves never even set foot on American soil.

Nor did they target some ordinary bank. They struck an account managed by the Federal Reserve Bank of New York, an institution renowned for its security.

In vaults 80 feet below the streets of Manhattan, the bank holds the world’s largest repository of gold. Many of these gold bars belong to foreign governments, which feel safer storing their gold inside well-defended bunkers in America than at home.

By the same token, overseas governments also store cash with the Fed. But this is cash in the 21st-century sense: all ones and zeroes, not smudgy bills. The bank holds vast foreign wealth on humming servers wired up to the internet.

That’s what the thieves went after in February 2016: nearly $1 billion, sitting in a Fed-run account. This particular account happened to belong to Bangladesh. Having already hacked into the servers of the Bangladesh Central Bank, the criminals waited until a Friday — a day off in many Muslim-majority nations, Bangladesh included.

Then they started draining the account.

Posing as Bangladesh Central Bank staff, the hackers sent a flurry of phony transfer requests to the Fed totaling nearly $1 billion. The Fed started zapping cash into accounts managed by the thieves overseas, most of them in the Philippines. Much of the money was quickly pulled out as cash or laundered through casinos.

From there, the trail goes cold.

The hackers didn’t get the full billion they desired. Most of the bogus requests were caught and canceled by suspicious personnel. But they did end up with an amazing score: $81 million.

The culprits of this heist are loyal to one of the most impressive organized crime syndicates in the world. They don’t work for the Triads, nor the Sinaloa Cartel, nor Sicily’s Cosa Nostra. They are agents of the Reconnaissance General Bureau (or RGB), which is headquartered in Pyongyang. This is North Korea’s equivalent to the CIA.

Like the CIA, North Korea’s RGB is steeped in clandestine overseas plots: assassinations, abductions and lots of spying. But it is perhaps better understood as a mash-up between the CIA, the KGB and the Yakuza.

What distinguishes the bureau is its entrepreneurial streak — one with a distinctly criminal bent.

For decades, North Korea has been beleaguered by Western sanctions and barred from global markets. This has prodded the regime to seek revenue in darker realms that are beyond the law. These black-market enterprises have included heroin production, printing bogus $100 bills and counterfeiting name-brand cigarettes.

But all of those rackets have now been totally eclipsed by hacking. The bureau has trained up the world’s greatest bank-robbing crews, a constellation of hacking units that pull massive online heists.

These thieves also have one distinct advantage over other syndicates: They are absolutely confident that they’ll never be charged. So it goes when your own country sponsors your criminal mischief.

This is a new phenomenon, according to US intelligence officials. “A nation state robbing banks … that’s a big deal. This is different,” says Richard Ledgett. He was, until his recent retirement, the deputy director of the National Security Agency.
Riaz Haq said…
Pakistan army spokesperson accuses journalists of anti-state activity on social media
June 5, 2018 1:54 PM ET

https://cpj.org/2018/06/pakistan-army-spokesperson-accuses-journalists-of-.php

New York, June 5, 2018--The Committee to Protect Journalists today condemned comments from Major General Asif Ghafoor, spokesperson for Pakistan's military and intelligence agencies, who accused journalists of sharing anti-state remarks on social media.

At a press conference yesterday, Ghafoor derided the rise of social media troll accounts, which he said spread propaganda against the army and state, and said that Pakistan's spy agency, the Inter-Services Intelligence (ISI), was monitoring such accounts and those that engage with them, including journalists.

During his presentation, Ghafoor showed a graphic featuring an alleged troll account's Twitter activity and the journalists and other individuals allegedly connected to the account, who, Ghafoor said, redistributed anti-state and anti-army propaganda from the troll's account.

The journalists featured on the graphic include Ammar Masood and Fakhar Durrani, both with media Jang Media Group, Umar Cheema from the Jang-owned daily The News, Azaz Syed from the Jang-owned broadcaster Geo TV, and Matiullah Jan with the broadcaster Waqt News. Cheema received CPJ's International Press Freedom Award in 2011.

"Displaying photos of journalists alleged to help push anti-state propaganda in Pakistan is tantamount to putting a giant target on their backs," said Steven Butler, CPJ's Asia program coordinator in Washington, D.C. "General Ghafoor should apologize for his comments and explain how security forces might help promote journalist safety in Pakistan, where reporters and editors are routinely threatened, attacked, and killed for their work."

Pakistani authorities have cracked down on press freedom ahead of national parliamentary elections scheduled for July 25. Recently, CPJ documented disruptions to the distribution of Dawn newspaper and access to television channel Geo TV.
Riaz Haq said…
#Turkey's STM will organize training in #cybersecurity and #infornation #tech at #Pakistan Air #University; organize international conferences; give consultancy to research projects and support infrastructure for National Cyber Security Center at Air Uni. https://www.armyrecognition.com/ideas_2018_news_official_show_daily/ideas_2018_stm_signs_dou_for_pakistan_cyber_security.html

At IDEAS 2018, a Document of Understanding (DoU) was signed by STM and Pakistan Air University under the leadership of the Presidency of Defence Industries (SSB) of the Presidency of Rebuplic of Turkey. With this agreement, STM will provide significant solutions in integrated cyber security, big data and IT domains.

STM SavunmaTeknolojileriMühendislikveTicaret A.Ş. expands its business in Pakistan. Following the cooperation in naval programs under the leadership of the Presidency of Defence Industries, it now moves to different areas.

The signing ceremony was held with the participation of Mustafa Murat Şeker, SSB Vice President; Murat İkinci, STM General Manager; Air Vice Marshal Faaiz Amir, Vice Chancellor of Pakistan Air University; and officials. The agreement will increase the cyber security capabilities of Pakistan Air University, which sets up cyber security strategies of Pakistan and is responsible for the establishment of Pakistan’s National Center of Cyber Security (NCCS).

STM will organize special training and internship programs in cyber security and IT for Pakistan Air University students and faculty; organize international conferences and workshops; give consultancy to research projects in graduate programs; and support the infrastructure for the establishment of the National Cyber Security Center (NCCS) at the university. This agreement aims to increase the national cyber security capabilities of the friendly country Pakistan thanks to STM's integrated cyber security efforts and capabilities.
Riaz Haq said…
#Israeli #Cybersecurity Firm NSO Accused Of Helping #Saudis Spy On #Khashoggi. #Israel is actually involved in NSO in that Israeli government officials have to give the OK to let it sell its products abroad. This company has faced a lot of controversy. https://n.pr/2ANSZea

DANIEL ESTRIN, BYLINE: Hi.

MARTIN: Tell us more about these allegations, and what do we know about the Saudi dissident making them?

ESTRIN: His name is Omar Abdulaziz. He tells a very compelling story. He's a social media activist. He's a critic of the Saudi royal family. He lives in Montreal. And in his lawsuit, he says Saudi officials in Canada met him in May, told him Crown Prince Mohammed bin Salman was unhappy with his activism. They asked him to come to the Saudi consulate for further discussion, and he declined. And he says that he and Jamal Khashoggi started working together on an initiative to organize a group of Twitter activists against the Saudi regime. And then this dissident got a text message with a link, supposedly a DHL package delivery, and he clicked on the link and later, a Canadian group, Citizen Lab, said it believed that he fell victim to a cellphone spyware from an Israeli-based company, NSO. He spoke with NPR's Shannon Van Sant, and he said he thinks the Saudis intercepted his Whatsapp text messages with Khashoggi, and that was a deciding factor that led to his death. Here's what he said.

OMAR ABDULAZIZ: For sure, the conversations between us played a major role in what happened to Jamal. And they found out what we were working on and what are these projects and why Jamal was behind them.

MARTIN: What do we know about this company that makes the spyware?

ESTRIN: NSO is its name. It's a very secretive company. It doesn't have a website. It was founded by three Israelis. Their first names form the initials NSO. And there are Israeli reports that the company recently sold its spyware technology to Saudi officials. The company defends itself. It says its products are only sold to governments and to law enforcement to fight terrorism and crime, but Israel is actually involved in this company in that Israeli government officials have to give the OK to let it sell its products abroad. This company has faced a lot of controversy. Mexican human rights activists and others say Mexican government officials hacked into their phones using this company's spyware - same accusations from a human rights activist in the United Arab Emirates. Amnesty International also says the software was used against one of its employees, and Amnesty is accusing Israel of allowing the spyware to be sold to regimes that violate human rights.

MARTIN: Well, considering the company's connections to the Israeli government, is the suit likely to go anywhere?

ESTRIN: It seems like it's more of a symbolic lawsuit, Rachel, to draw public attention to this issue. I think it's going to be hard to prove these claims in court, and the Israeli Defense Ministry has constantly defended its vetting of NSO technology sales abroad. And I should add that Israel is not the only place in the world where companies are developing spyware technology, but it is - Israel is a big player in the field.

MARTIN: And presumably, Saudi officials aren't weighing in on whether or not they actually bought this technology, confirming any connection.

ESTRIN: They're not, and it's very interesting. Saudi and Israeli ties are kind of under the radar, but this may be an example of some of those ties.

Riaz Haq said…

#American software security firm #Symantec believe #Chinese did not steal the code used in #NSA's hacking tools but captured it from NSA's attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away. #China
https://nyti.ms/2H0Oekx

Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.

Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.

The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.

The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.

The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.

Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.

Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.
--------------------


The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.
Riaz Haq said…
Indian cyber-spy ‘Confucius’ targets #Pakistan, #Kashmir: #Indian hackers using #malware to target Pakistani military officials, Pak's top #nuclear regulator and #Indian election officials in #Indian Occupied Kashmir, says San Francisco-based Lookout Inc.
https://www.smh.com.au/world/asia/indian-cyber-spy-confucius-targets-pakistan-kashmir-security-report-20210211-p571q3.html

Oakland, California: A hacking group with ties to the Indian military adopted a pair of mobile surveillance tools to spy on geopolitical targets in Pakistan and Kashmir amid persistent regional tensions between the nuclear-armed neighbours, according to a report from a cyber security company.

The group is known for commandeering legitimate web services in South Asia and embedding surveillance tools or malware inside apps and services to conduct espionage. Since 2017, and as recently as December, the hackers have relied on spyware to target Pakistani military officials, the country’s top nuclear regulator and Indian election officials in the disputed state of Kashmir, according to the report released by San Francisco-based Lookout Inc on Thursday.

The campaign appears to be just the latest example of hackers targeting sensitive security targets with social engineering tactics - luring victims to download malicious files disguised as benign applications. What’s unique about attacks by the group, dubbed Confucius, is the extent to which its operators go to veil their efforts, experts say.

Using knock-off web applications disguised as Google security tools and popular regional chat and dating applications, Confucius managed to access 156 victims’ devices in a trove of data recently discovered by the research team. The files and related logs were found in unsecured servers used by the attack group, according to the report. Most of the users who recently accessed those servers were based in Northern India.

Once the attackers penetrate a device, they scrape it for data, including call logs, contacts, geolocation, images and voice notes. In some cases, the hackers took screen shots of the devices and recorded phone calls. In at least one instance, intruders got inside the device of a Pakistani Air Force service member and viewed a contact list filled with other Air Force officials, said Apurva Kumar, Lookout’s staff security intelligence engineer.

“While their technical tools and malwares might not be that advanced, the Confucius threat actor invests human time to gain trust from their targets,” said Daniel Lunghi, threat researcher at the cyber security firm, Trend Micro. “And in certain sensitive fields where people are more cautious, it might be what makes the difference.”

In two cases, researchers discovered that hackers stole the contents of WhatsApp chat conversations from 2017 and 2018 between officials at the Pakistan Nuclear Regulatory Authority, Pakistan Atomic Energy Commission and unknown third-parties. Then in April 2019, in the midst of India’s latest national election, the attackers burrowed into the device of an election official in the Pulwama region of Kashmir, where months earlier an Indian security convoy was attacked by a Pakistan-based Islamic terrorist in a deadly explosion.

Kumar said she couldn’t disclose the details of the stolen data.

Her research indicates the espionage campaign ramped up in 2018 after unknown hackers breached the commercial surveillance-ware provider, Retina-X Studios. Hornbill, one of the malware tools used by the attackers, shares code similarities with Retina-X’s Mobile Spy products. Another piece of malicious software called Sunbird, which is capable of remotely commandeering a user’s device, appears to be rooted in code for a stalkerware service called, BuzzOutLoud, based in India.
Riaz Haq said…
Experts are unanimous in saying that the most important target of #Indian #cyber-#espionage & #cyberattacks by far is #Pakistan. Limited employment prospects of Indian techies have created a swarm of underground threat actors in #India| The Daily Swig
https://portswigger.net/daily-swig/indian-cyber-espionage-activity-rising-amid-growing-rivalry-with-china-pakistan


ANALYSIS India is sometimes overlooked by some in the threat intelligence community, even though the South Asian nation has advanced cyber capabilities – not least a huge pool of talent.

The country boasts a large number of engineers, programmers, and information security specialists, but not all of this tech talent was put to good use, even before the Covid-19 pandemic cast a shadow over the global economy.

Their somewhat limited employment prospects are said to have created a swarm of underground Indian threat actors eager to show off their hacking talents and make money – a resource that the Indian government might be able to tap into in order to bolster its own burgeoning cyber-espionage resources.

India is in catch-up mode for now, but has the technical resources to make rapid progress.

Who is being targeted by Indian hacking groups?
Geopolitical factors have fueled an increase in cyber threat activity both originating from and targeting India.

Experts quizzed by The Daily Swig were unanimous in saying that the most important target of Indian cyber-espionage by far is Pakistan – a reflection of the decades-long struggle over the disputed region of Kashmir.

China, India’s neighbour and an ally of Pakistan, is also a top target of state-sponsored Indian cyber-espionage.

Paul Prudhomme, head of threat intelligence advisory at IntSights, told The Daily Swig: “Indian cyber-espionage differs from that of other top state-sponsored threats, such as those of Russia and China, in the less ambitious geographic scope of their attacks.”


Other common targets of Indian hacking activity include other nations of the South Asian subcontinent, such as Bangladesh, Sri Lanka, and Nepal. Indian espionage groups may sometimes expand their horizons further to occasional targets in Southeast Asia or the Middle East.

Indian cyber-espionage groups typically seek information on Pakistan’s government, military, and other organizations to inform and improve its own national security posture.

But this is far from the only game in town.

For example, one Indian threat group called ‘Dark Basin’ has allegedly targeted advocacy groups, senior politicians, government officials, CEOs, journalists, and human rights activists across six continents over the last seven years.

India is currently considered to have a less mature cyber warfare armoury and capability than the ‘Big Six’ – China, North Korea, Russia, Israel, the UK, and US – but this may change over time since its capability is growing.

Chris Sedgwick, director of security operations at Talion, the managed security service spinoff of what used to be BAE System’s intelligence division, commented:

The sophistication of the various Indian cyber threat actors do not appear to be in the same league as China or Russia, and rather than having the ability to call on a cache of 0-day exploits to utilise, they have been known to use less sophisticated – but still fairly effective – techniques such as decoy documents containing weaponised macros.

Riaz Haq said…
#China Appears to Warn #India : Push Too Hard and the Lights Could Go Out in the Entire #SouthAsian Nation of 1.3 billion. Most of the #malware was never activated in the #Mumbai grid attack that was meant as a warning to #Modi. - The New York Times

https://www.nytimes.com/2021/02/28/us/politics/china-india-hacking-electricity.html

As border skirmishing increased last year, malware began to flow into the Indian electric grid, a new study shows, and a blackout hit Mumbai. It now looks like a warning.

Early last summer, Chinese and Indian troops clashed in a surprise border battle in the remote Galwan Valley, bashing each other to death with rocks and clubs.

Four months later and more than 1,500 miles away in Mumbai, India, trains shut down and the stock market closed as the power went out in a city of 20 million people. Hospitals had to switch to emergency generators to keep ventilators running amid a coronavirus outbreak that was among India’s worst.

Now, a new study lends weight to the idea that those two events may well have been connected — as part of a broad Chinese cybercampaign against India’s power grid, timed to send a message that if India pressed its claims too hard, the lights could go out across the country.

The study shows that as the standoff continued in the Himalayas, taking at least two dozen lives, Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant.


The flow of malware was pieced together by Recorded Future, a Somerville, Mass., company that studies the use of the internet by state actors. It found that most of the malware was never activated. And because Recorded Future could not get inside India’s power systems, it could not examine the details of the code itself, which was placed in strategic power-distribution systems across the country. While it has notified Indian authorities, so far they are not reporting what they have found.

Stuart Solomon, Recorded Future’s chief operating officer, said that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyberintrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.”

The discovery raises the question about whether an outage that struck on Oct. 13 in Mumbai, one of the country’s busiest business hubs, was meant as a message from Beijing about what might happen if India pushed its border claims too vigorously.

News reports at the time quoted Indian officials as saying that the cause was a Chinese-origin cyberattack on a nearby electricity load-management center. Authorities began a formal investigation, which is due to report in the coming weeks. Since then, Indian officials have gone silent about the Chinese code, whether it set off the Mumbai blackout and the evidence provided to them by Recorded Future that many elements of the nation’s electric grid were the target of a sophisticated Chinese hacking effort.

It is possible the Indians are still searching for the code. But acknowledging its insertion, one former Indian diplomat noted, could complicate the diplomacy in recent days between China’s foreign minister, Wang Yi, and his Indian counterpart, Subrahmanyam Jaishankar, in an effort to ease the border tensions.

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
Riaz Haq said…
Suspected Pakistani spies use catfishing, stealthy hacking tools to target Indian defense sector

https://www.cyberscoop.com/pakistan-india-hacking-cyber-catfishing/


For years, suspected Pakistani hackers have sought to pry their way into Indian government computer networks as part of broader dueling cyber-espionage campaigns between the rival nations.

Over the last 18 months, a spying group known as Transparent Tribe has expanded its use of a hacking tool capable of stealing data and taking screenshots from computers, according to research published Thursday by Talos, Cisco’s threat intelligence unit. Hackers also are going after additional targets beyond Indian military personnel, including defense contractors and attendees of Indian government-sponsored conferences.

Talos did not mention Pakistan in its research, but multiple security researchers told CyberScoop the Transparent Tribe group is suspected of operating on behalf of the Pakistani government. Similarly, research from email security firm Proofpoint has previously linked a Pakistan-based company to the development of the group’s malicious code.

Talos’ findings reflect a relentless appetite for defense-related secrets among hacking groups with suspected links to Pakistan and India, two nuclear-armed neighbors prone to territorial disputes.

Transparent Tribe’s improved capabilities are also a case study in how governments not known for their hacking prowess can evolve. While U.S. officials regularly name China, Russia, Iran and North Korea as the most capable of cyber actors, governments the world over appear to be buying off-the-shelf hacking kits or developing their own tools.

A 2019 study backed by the Department of Homeland Security and the Office of the Director of National Intelligence found that countries such as Vietnam and the United Arab Emirates had made sharp advances in their hacking capabilities in recent years.

“A proliferation and commodification of cyber offensive capabilities is reshaping the cyber balance of power, enabling an expanded array of actors to use cyber for geopolitical impact or economic gain,” said the study, whose authors included government and private-sector executives.

Asheer Malhotra, a Talos threat researcher, said that Transparent Tribe “has become more and more aggressive in terms of targeting, expanding operations and evolving their tactics.”

For example, the group has recently used breached websites to deliver its malicious code to victims, rather than simply embedding the code in an email, according to Talos. That makes the intrusion attempts harder to detect. As of this week, the hackers were using a website that mimics an Indian government benefits portal to try to infect government employees, Malhotra said.

Transparent Tribe has also made a habit of appealing to their targets’ romantic desires. The hackers in 2019 and 2020 sent malware-laced photos of alluring women to targets, according to Talos. India’s defense minister warned about Pakistan’s alleged use of that broader tactic in 2019, and said that young military recruits were trained to spot the subterfuge.

Hackers with suspected ties to India have also repeatedly gone after Pakistani targets. In February, mobile security firm Lookout uncovered a years-long hacking campaign that aligned with Indian interests and sought to bug the phones of people in Pakistan and elsewhere. Among the suspected targets was a job candidate at the Pakistan Atomic Energy Commission.

“This is business as usual from an espionage perspective,” Malhotra said when asked if there was any fluctuation in digital spying that coincided with a spike in tensions between India and Pakistan. “There have always been military and political tensions between the two states since their inception.”
Riaz Haq said…
The ransomware pandemic
https://www.axios.com/colonial-pipeline-energy-oil-gas-ransomware-265fb398-4ff6-48a2-a49c-9ae43e745049.html




Why it matters: Crippling a major U.S. oil pipeline this weekend initially looked like an act of war — but it's now looking like an increasingly normal crime, bought off-the-shelf from a "ransomware as a service" provider known as DarkSide.



"We are on the cusp of a global pandemic," said Christopher Krebs, the first director of the Cybersecurity and Infrastructure Security Agency, told Congress last week. The virus causing the pandemic isn't biological, however. It's software.

Why it matters: Crippling a major U.S. oil pipeline this weekend initially looked like an act of war — but it's now looking like an increasingly normal crime, bought off-the-shelf from a "ransomware as a service" provider known as DarkSide.

Driving the news: Colonial runs the largest refined products pipeline in the country, transporting over 100 million gallons per day. It was shut down on Friday in response to a ransomware attack, and will be reopened in "an incremental process" over the course of this week, per a corporate statement.

That's faster than the market expected — energy prices fell after the statement was released, after rising on the initial shutdown news.
The big picture: No company is safe from ransomware, and often the lines between criminals and state actors can be fuzzy. Preventing even bigger future attacks will require a so-far elusive degree of coordination between the public and private sectors in dozens — if not hundreds of countries.

Threat level: Very high. "Cybersecurity will be the issue of this decade in terms of how much worse it is going to get," IBM CEO Arvind Krishna told reporters Monday.
Currently, per Forrester analyst Allie Mellen, companies' main strategy is to pay up if hit — and to try to be slightly less vulnerable to attack than their competitors. "What do security pros do right now to lower their risk in the face of future ransomware attacks? Outrun the guy next to you,” Mellen says.
Between the lines: If anything, Colonial Pipeline was lucky that it is so important to the functioning of the American economy. Its systemic status helped to mobilize the full resources of the U.S. government, and even elicited an apology, of sorts, from DarkSide.

“Our goal is to make money and not creating problems for society," said the group in a statement on the dark web. "From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences.”
What they're saying: "There is no silver bullet for solving this challenge," concludes a major report on combating ransomware from the Institute for Security + Technology. "No single entity alone has the requisite resources, skills, capabilities, or authorities to significantly constrain this global criminal enterprise."

The fight will require the active involvement of the National Security Council, says the report, as well as much more regulation of cryptocurrency, which is invariably used to pay the ransom.
It will also require a major upgrade of technology systems at the state and local level, very few of which have been migrated to cloud-based systems that can try to keep one step ahead of the bad guys.
The bottom line: The Colonial Pipeline attack was so big that it couldn't help but make headlines. But most attacks are quietly paid off with no fanfare and no publicity, making it extremely difficult to gauge the true scale of the problem.

Riaz Haq said…
Pakistan-linked hackers targeted Indian power company with ReverseRat

https://thehackernews.com/2021/06/pakistan-linked-hackers-targeted-indian.html

A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.

"Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan," Lumen's Black Lotus Labs said in a Tuesday analysis. "The potentially compromised victims aligned with the government and power utility verticals."

Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization. The covert operation is said to have begun at least in January 2021.

The intrusions are notable for a number of reasons, not least because in addition to its highly-targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and the use of compromised domains in the same country as the targeted entity to host their malicious files.

At the same time, the group has been careful to hide their activity by modifying the registry keys, granting them the ability to surreptitiously maintain persistence on the target device without attracting attention.

Explaining the multi-step infection chain, Lumen noted the campaign "resulted in the victim downloading two agents; one resided in-memory, while the second was side-loaded, granting threat actor persistence on the infected workstations."

The attack commences with a malicious link sent via phishing emails or messages that, when clicked, downloads a ZIP archive file containing a Microsoft shortcut file (.lnk) and a decoy PDF file from a compromised domain.

The shortcut file, besides displaying the benign document to the unsuspecting recipient, also takes care of stealthily fetching and running an HTA (HTML application) file from the same compromised website.

The lure documents largely describe events catering to India, disguising as a user manual for registering and booking an appointment for COVID-19 vaccine through the CoWIN online portal, while a few others masquerade as the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.
Riaz Haq said…
Pegasus was used to hack mobiles of Pak officials

https://www.sundayguardianlive.com/news/pegasus-used-hack-mobiles-pak-officials

New Delhi: Mobile phones of around 30 Pakistani government servants, who include serving army generals, officials attached with the ISI and senior bureaucrats, were hacked into by using Pegasus spying software during April and May 2019.

Pegasus takes control of the infected phone by entering the system through WhatsApp.


While the Pakistan government has so far kept the matter under wraps, possibly to avoid panic and public embarrassment, it, however, issued a special secret advisory to heads of departments, a copy of which was also sent to the secretary of Prime Minister Imran Khan, asking them to replace all phones purchased before 10 May 2019 immediately and prohibiting the transfer of official documents by using WhatsApp.

The hacking of the mobile numbers of around 30 officials—the exact number is known only to the group/individual/organisation that hacked into the phones—has sparked a frenzy among government officials because of speculation that key documents and vital information might have landed in unintended hands and offices across borders.

Information and classified documents that are generally found in the mobile phones of top government officials, are regarded as invaluable by both foreign government agencies and private operators as they give valuable insights into otherwise closely guarded policies and plans.

The Sunday Guardian reached out to the NSO Group, the Israel-based company that owns Pegasus, with a detailed questionnaire regarding the recent development. In a statement, the NSO Group said: “To protect the ongoing public safety missions of its agency customers and given significant legal and contractual constraints, NSO Group is not able to disclose who is or is not a client or discuss specific uses of its technology, as explained in its Transparency Statement of Principles. However, the company’s products are licensed only to government intelligence and law enforcement agencies for the sole purpose of preventing and investigating terror and serious crime. NSO’s technology is only licensed after a thorough vetting process that goes well beyond the legal requirements that we follow. All potential customers must meet strict export authority regulations before any sale, in addition to NSO’s internal vetting process that includes a focus on human rights. NSO’s governance framework aligns us with the UN Guiding Principles on Business and Human Rights and sets the highest standards in the cyber intelligence industry, embedding human rights due diligence into everything we do.”

This newspaper also shared its questions with the Pakistan high commission in New Delhi, and Pakistan’s Ministry of Information Technology & Telecom for response. However, no response was shared until the time the story went to press.

The NSO group gained some kind of notoriety after it emerged that Pegasus had infected at least 1,400 numbers across the world through WhatsApp. Facebook, the owner of WhatsApp, has already filed a suit against NSO in US courts for illegally breaking into WhatsApp.

Despite the controversy it has attracted in recent times, “Q Cyber Technologies”, the parent company of NSO, continues to remain active in the world of cyber espionage. It was one of the main sponsors of “ISS World Asia”—touted as the world’s largest gathering of law enforcement agencies, intelligence analysts, electronic surveillance and intelligence gathering—which was held in Kuala Lumpur, Malaysia in the first week of December.

In the said event, “Q Cyber Technologies” had defined itself as a company that equipped select intelligence agencies, militaries and law enforcement organisations around the world with the strategic, tactical and analytical technology capabilities required to ensure the success of their operations in fighting crime and terrorism.
Riaz Haq said…
India’s Gandhi and Pakistan’s Khan tapped as targets in Israeli NSO spyware scandal - Tech News - Haaretz.com


https://www.haaretz.com/israel-news/tech-news/.premium-india-s-gandhi-and-pakistan-s-khan-tapped-as-israeli-nso-spyware-targets-1.10012729

Prominent Indian politician Rahul Gandhi and Pakistani Prime Minister Imran Khan were selected as potential targets of the Israeli-made Pegasus spyware program by clients of the NSO Group cyberespionage firm, a global investigation can reveal Monday.

Additional potential targets included Pakistani officials, including a number once associated with Pakistani leader Khan. They also included Kashmiri separatists, leading Tibetan religious figures and even an Indian supreme court judge. Khan did not respond to a request for comment from the Washington Post.

Gandhi, who said he changes phones every few months to avoid being hacked, said in response: “Targeted surveillance of the type you describe, whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India, is illegal and deplorable.

According to an analysis of the Pegasus Project records, more than 180 journalists were selected in 21 countries by at least 12 NSO clients. The potential targets and clients hail from Bahrain, Morocco, Saudi Arabia, India, Mexico, Hungary, Azerbaijan, Togo and Rwanda.

----------

India is Israel’s biggest arms market, buying around $1 billion worth of weapons every year, according to Reuters. The two countries have grown closer since Modi became Indian prime minister in 2014, widening commercial cooperation beyond their longstanding defense ties. Modi became the first sitting Indian leader to visit Israel in July 2017, while former Prime Minister Benjamin Netanyahu held a state visit to India at the start of 2018

Popular posts from this blog

Turkish-Born Muslim Scientists Behind Pfizer's Successful COVID19 Vaccine

Karachi-born NED University Alum Leads Mercedes Entry into Electric Vehicles Market

Pakistani Women's Growing Particpation in Workforce