Countering surveillance

PIERRE FITTER


A few years ago, security officials in New Delhi were alerted to the existence of a mysterious hacking operation targeting key government officials. The attack was being run by unknown operatives based in China and seemed to have been set up to steal information from the Indian government. Over a period of several months, before it was detected and blocked off, ‘Operation Shadownet’ stole secret data from the Ministry of External Affairs (MEA), the Ministry of Defence (MoD) and even India’s intelligence agencies.

When the investigators studied the attack, they realized that while the government officials were Shadownet’s targets, the attack began outside the government. One cybersecurity officer who was involved in the investigation described, on the condition of anonymity, how the hackers gained access to the sanctum sanctorum of India’s secrets. ‘[Shadownet first] targeted members of our TRACK II diplomacy efforts – members of think tanks, the media, strategic affairs experts,’ he said. These individuals received an attachment via email, disguised to appear as if it came from someone they knew. The attachment – usually a Word or PDF file – was typically given a name such as ‘India’s Ballistic Missile Defence’ to make it seem legitimate.

In fact, the documents contained a virus. Once the attachment was opened, the virus went to work. First, it would scan the hard drives of the TRACK II participants for sensitive information. If it found any sensitive documents, it would upload these to the Shadownet server. ‘Once they got into the think tanks and media, they then targeted their contacts in the government,’ says the investigator. Government officials who had interacted with these TRACK II participants began receiving copies of the virus-laden emails themselves. Soon their computers, too, were turned over to the hackers. ‘That’s where the bad stuff happened. A lot of information got out from here,’ says the investigator.

The existence of Shadownet marked a turning point in cybersecurity for India. Shadownet’s creators knew that government networks were relatively well protected, so they got in by attacking the periphery: individuals outside government who invariably employed fewer measures to protect the sensitive information in their possession. For a long time, members of the wider, non-government security community had been given access to such information. Now they too had become targets, and they too would have to bear equal responsibility for protecting it.

The worst part about Shadownet is that New Delhi should have seen it coming. In 2009, researchers at the University of Toronto’s Citizen Lab and the SecDev Group documented GhostNet, Shadownet’s predecessor, which operated on very similar lines (the same group published its Shadownet findings in 2010 under the title ‘Shadows in the Cloud’). GhostNet was a much more extensive operation that targeted not just Indian government officials but also members of the Tibetan Government-in-Exile who lived and worked in India and around the world. In all, GhostNet’s tentacles were traced to at least 103 countries from which it was extracting information, making it one of the most widespread online spy rings then known. Some of its control servers were traced to Hainan Island, home to the Lingshui signals intelligence facility of China’s People’s Liberation Army.

 

India’s military has, for some time, been operating on a parallel network. In fact, machines with the most sensitive data are not even connected to the internet for fear of being breached. But even the best-laid plans are doomed to fail when you combine ignorance with carelessness. Hackers breached this so-called ‘air gap’ not by targeting the officers who worked within its protection but by targeting their spouses, who worked outside it. They knew officers would frequently carry work home on a pen drive, from their protected office PCs to their unprotected home PCs. So the hackers took control of the home PCs by sending the officers’ wives an infected email. When the officer plugged in his pen drive at home, the virus copied itself onto it and waited. The next day, when the officer plugged the pen drive into his office computer, the virus went to work, vacuuming up data and attempting to send it to the hackers. An air gap only blocks the network; it does nothing about removable media, and whatever a program on a disconnected machine collects can only leave the way it arrived, on the next pen drive. Controlling what gets plugged in is therefore as important as the gap itself. Pen drives were also the main tool used to spirit away secrets during the infamous Naval War Room leak. In that instance, critical secrets such as India’s plans for battlefield information systems were leaked, causing irreparable damage.
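A concrete check for the pen-drive vector just described, added here as an illustration and not part of the original article: a small Python script that triages a removable drive before it is plugged into a protected machine. The drive contents are constructed in a temporary directory for the demo, and the indicators it looks for (autorun.inf, shortcut files, executables, document names with a second executable extension, hidden files) are generic ones; the article does not say which of these the malware in the incident above used.

```python
"""Triage of a removable drive before it goes into a protected PC.
Added example (not from the article).  The sample drive is constructed
in a temporary directory; nothing here is a real capture."""
import os
import stat
import tempfile
from pathlib import Path

# File types that have no business on a drive used to carry documents.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".vbs", ".js", ".jar", ".dll", ".msi", ".hta"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def is_hidden(root: Path, path: Path) -> bool:
    """True if the file or any directory on its path is hidden.
    Dot-prefix covers POSIX; the Windows hidden attribute is checked when
    the platform exposes it."""
    if any(part.startswith(".") for part in path.relative_to(root).parts):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage(root) -> list:
    """Return (path, reason) pairs for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        reasons = []
        if path.name.lower() == "autorun.inf":
            reasons.append("autorun.inf: asks Windows to run a program on insertion")
        if ext == ".lnk":
            reasons.append("shortcut file: can point at a hidden payload")
        if ext in EXECUTABLE_EXT:
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXT:
                reasons.append("double extension: executable disguised as a document")
            else:
                reasons.append("executable on a data drive")
        if is_hidden(root, path):
            reasons.append("hidden file")
        if reasons:
            findings.append((rel, "; ".join(reasons)))
    return findings


def build_sample_drive(base) -> None:
    """Constructed contents for the demo: one clean document, one clean text
    file, and four things that should stop the drive going any further."""
    files = {
        "Minutes of meeting.docx": b"PK\x03\x04",
        "notes.txt": b"plain text",
        "autorun.inf": b"[autorun]\nopen=updater.exe\n",
        "India's Ballistic Missile Defence.pdf.exe": b"MZ",
        "Minutes of meeting.lnk": b"L\x00\x00\x00",
        ".cache/updater.exe": b"MZ",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build the sample drive in a temp dir and return {path: reason}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return dict(triage(tmp))


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{rel}: {reason}")
    print("Anything listed above: do not plug this drive into the office PC.")
```

Run it against the mount point of a real drive (`triage('/media/usb')`); anything it reports is a reason to hand the drive to IT security rather than to the office PC. It screens for the crude tricks only: a document that carries an exploit in its own file format passes this check, which is exactly what the lure attachments described above relied on, so the drive still needs scanning on an isolated machine.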

Today’s spying viruses are much more advanced. In May 2012, anti-virus experts revealed the presence of a new worm called Flame. At more than 20 megabytes, Flame was at least 40 times larger than the average virus, and for good reason. Vitaly Kamluk, the chief malware expert for the Russian computer security firm Kaspersky, told Russia Today that Flame could do several things at once. It could capture passwords as they were typed, record audio from the PC’s microphone, take screenshots to capture whatever was displayed on the monitor and even detect nearby Bluetooth devices. The virus would then upload all this information to its creators.

It has since been widely reported that Flame was most likely created by the US National Security Agency and Unit 8200, the signals intelligence unit of the Israel Defense Forces, to spy on computers involved in Iran’s nuclear programme. The information captured by Flame almost certainly contributed to the design of Stuxnet, the virus that destroyed the spinning centrifuges enriching uranium at Iran’s Natanz plant.

 

Most worryingly, it is not just India’s enemies that are hunting for her secrets. Thanks to documents leaked by former NSA contractor Edward Snowden, we now know that India was the fifth most heavily monitored country in the world by the United States. In March 2013 alone, an NSA programme called Boundless Informant catalogued more than 6.3 billion pieces of metadata collected from Indian networks. The rest of the top five were Iran, Pakistan, Jordan and Egypt. It is eye-opening to see the company India keeps in the eyes of the US.

Given such data, India’s External Affairs Minister Salman Khurshid’s reaction to Snowden’s revelations was almost stupefying. ‘This is not scrutiny and access to actual messages. It is only computer analysis of patterns of calls and emails that are being sent,’ he said. What Khurshid did not seem to appreciate is the grave threat that comes from even knowing who is communicating with whom. That contact graph is exactly what Shadownet’s creators exploited when they moved from think-tank members to the officials who corresponded with them, and what the hackers who targeted India’s military officers exploited when they went after the officers’ wives.

Any government official who has ever used Gmail or Hotmail for work can rest assured that their emails have been skimmed through by the NSA’s powerful data-mining computers. Of course the NSA is not the only threat. China and Pakistan are constantly looking for any information that will give them a tactical or strategic edge in their ‘engagements’ with India.

 

The most glaring example of this was an attack on the Indian government’s NIC email servers last July, in which 12,000 accounts were compromised. Investigators believe the information stolen included the deployment plans and communications of the Indo-Tibetan Border Police. This happened at a time when border relations between China and India were rocky at best. Beijing constantly tests India’s defences and its preparedness to respond to border incidents, a ploy demonstrated quite startlingly this April when PLA soldiers camped well inside Indian territory at Daulat Beg Oldie in Ladakh.

This is where it gets troubling. Albeit belatedly, the government has finally thought it wise to ban Gmail and other such email services for official use. This would reduce exposure to NSA collection at the providers themselves. Unfortunately, it says it will rely on the very same NIC email servers that have been compromised time and time again, even by unsophisticated hackers. There is still no word on how the government plans to improve the security of the NIC servers.

So what kind of threats do academics, researchers, analysts and journalists who work closely with the government face? For starters, both your computer and your smartphone will be targeted by hackers. If an enemy state believes you are connected to government officials and that you possess sensitive documents, it will almost surely attempt to steal this information from you. Once your devices have been infected, you become a node in their operation to reach government systems.

 

The biggest problem – psychologically – with being under constant threat of surveillance is that it becomes impossible to know when the enemy has managed to find a way in. This can lead to a loss of confidence in the systems designed to feed us information and help us take decisions. Imagine a scenario where an enemy can take down the government’s information network during events such as war, terror attacks or other national emergencies. The government would be flying blind. Worse, the enemy could operate stealthily and modify or manipulate documents on government servers. Any decision that is then taken based on such doctored documents, would be flawed ab initio. One MHA official who has more than a decade of experience in computer security, called this an attack on the ‘speed of trust’. The term is borrowed from management guru Stephen M.R. Covey, but it encapsulates exactly what the enemy hopes to destroy in order to gain a tactical advantage – trust in the system.
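One way to detect the doctored-document scenario described above, added as an example that is not from the article: a keyed integrity manifest over a document store. The key, the paths and the file contents below are constructed for the demonstration.

```python
"""Keyed integrity manifest for a document store.  Added example (not from
the article).  An attacker who can rewrite documents can also rewrite a plain
hash list, so every digest is an HMAC under a key that lives only on the
machine doing the checking, and the manifest as a whole is signed too."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_mac(key: bytes, path: Path) -> str:
    """HMAC-SHA256 of a file's contents, read in chunks."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(key: bytes, entries: dict) -> str:
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, root) -> dict:
    """Walk root and record a keyed digest for every file, then sign the list."""
    root = Path(root)
    entries = {p.relative_to(root).as_posix(): file_mac(key, p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    return {"entries": entries, "mac": _manifest_mac(key, entries)}


def verify(key: bytes, root, manifest: dict) -> dict:
    """Compare the store against a manifest.  Reports which files changed,
    vanished or appeared; if the manifest itself fails its MAC nothing in it
    can be trusted and the check stops there."""
    result = {"manifest_tampered": False, "modified": [], "missing": [], "added": []}
    if not hmac.compare_digest(_manifest_mac(key, manifest["entries"]), manifest["mac"]):
        result["manifest_tampered"] = True
        return result
    recorded = manifest["entries"]
    current = build_manifest(key, root)["entries"]
    result["modified"] = sorted(p for p in recorded if p in current and current[p] != recorded[p])
    result["missing"] = sorted(p for p in recorded if p not in current)
    result["added"] = sorted(p for p in current if p not in recorded)
    return result


def demo() -> dict:
    """Constructed scenario: baseline, then an intruder edits one decision
    document, deletes another, plants a third and tries to patch the manifest."""
    key = os.urandom(32)  # kept on the checking host, never on the document server
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ops").mkdir()
        (root / "ops" / "deployment.docx").write_bytes(b"Sector 4: two companies")
        (root / "ops" / "orders.pdf").write_bytes(b"Hold position")
        (root / "readme.txt").write_bytes(b"unclassified")
        manifest = build_manifest(key, root)
        clean = verify(key, root, manifest)

        # The intruder's edits to the store itself.
        (root / "ops" / "deployment.docx").write_bytes(b"Sector 4: one company")
        (root / "ops" / "orders.pdf").unlink()
        (root / "ops" / "new-orders.pdf").write_bytes(b"Withdraw")
        tampered = verify(key, root, manifest)

        # Without the key the intruder can only guess a digest; any edit to the
        # entries breaks the manifest-level MAC.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["ops/deployment.docx"] = file_mac(b"guess", root / "ops" / "deployment.docx")
        forged_result = verify(key, root, forged)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The reason for an HMAC rather than a plain SHA-256 list is that an intruder with write access to the server can rewrite a hash list as easily as the documents; without the key, which stays on the machine that runs the check, any edit to the manifest trips the manifest-level MAC. The check is only as good as how often it runs and whether the key really stays off the server.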

Another aspect of security that we rarely pay attention to is our smartphones. Android phones in particular are notorious for the amount of malware that infects them. Most of it arrives when users download applications, frequently from third-party app stores or sideloaded installers rather than Google Play, that are made to look like a popular original. In fact, many are fakes created by hackers. These apps steal private information to give hackers access to everything from email accounts to bank passwords.

One such program that recently made news was the popular chat app WeChat. A team of Indian cybersecurity researchers pointed out that it is made by a Chinese company (Tencent) that has long been suspected of having ties to the PLA. These researchers believe WeChat poses a serious national security threat because of its ability to record audio without the user being aware of it. The concern is not specific to WeChat: any app that has been granted the microphone permission at installation can do the same. Imagine what secrets could be leaked to the PLA if such an app was installed on the phone of a journalist meeting an intelligence or defence officer, or on the phone of a bureaucrat attending a high-level cabinet meeting.

 

Such persistent threats require that everyone – journalists, academics, policy wonks, military officers, bureaucrats, diplomats and even clerks – take precautions. Some of these safety measures are ‘common sense’ tips, but each will go a long way in keeping your information somewhat safer. Remember that if you are being specifically targeted by an advanced, well-funded hacker, there is very little you can do to protect yourself. So, if you possess really sensitive information, the best thing to do is not to commit it to electronic form at all, either on a computer or over the phone.

One, know what information needs protecting. Never move any document graded ‘top secret’, ‘secret’ or ‘confidential’ off protected, ‘air-gapped’ servers. Additionally, make sure you do not store any sensitive information on the same computer that you use for personal work. Keep these two machines separate and never transfer data between them by any means.

Two, make sure no one else has access to your work PC. Keep it under lock and key if you must, and always use a strong, long log-on password. The best ones are a string of four or five words that have no logical connection to each other; length is what defeats guessing, so add capital letters, special characters and numbers for extra complexity rather than as a substitute for length (example: ‘24PhotoMonkey42Delta SuitcaseBottle!#’). Three, update your anti-virus daily and run a full system scan at least once a week, bearing in mind that Flame ran for years before any vendor detected it, so anti-virus is a baseline and not a guarantee. Also, install security patches for your operating system as soon as they become available.

 

Four, do not open any attachment or document on your office computer without first confirming, by a channel other than email, that the person who ostensibly sent it really did; as Shadownet showed, a message can be made to look as if it came from someone you know. If you have any reason to suspect a document you have downloaded, disconnect your network cable or switch off your wifi and call IT security immediately. Five, encrypt all sensitive data in your possession. There are powerful and fairly easy-to-use programs such as TrueCrypt available for free (TrueCrypt’s developers abandoned it in May 2014; its successor VeraCrypt is the current choice). These will make your data very hard to read for anyone who gets hold of the device, provided the passphrase is strong and the machine itself has not already been compromised. Six, do not use Gmail or similar services for official work. The Snowden documents show the NSA collects from the major web-mail providers directly.

Seven, try to use ‘open source’ software for sensitive work. Prefer Ubuntu to Windows, and OpenOffice or LibreOffice to Microsoft Office. Open source means that the program’s code has been made available for everyone to inspect, which makes a deliberately hidden backdoor much harder to conceal, though only if someone actually reads the code, and it does not make the software free of ordinary bugs: open-source office suites and PDF readers have their own exploitable parsing flaws, so step four applies to them just as much. Finally, if you ever need to pass along sensitive information, do so in person and never on the phone or via any electronic means.
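A triage routine for the attachment step above, added as an example and not from the article: it checks that the bytes of an attachment match what the extension claims, flags executables and double extensions, and for PDFs looks for the names that let a document run code or reach out (the keyword approach of Didier Stevens’s pdfid, reimplemented here in a few lines). The sample attachments, including a lure named after the one in the Shadownet story, are constructed inline.

```python
"""Attachment triage before opening.  Added example (not from the article):
checks that the bytes match the extension and, for PDFs, looks for the
features that document exploits and droppers rely on, in the style of the
pdfid keyword count.  Sample attachments are constructed inline."""
import re
from pathlib import Path

MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt container
    (b"PK\x03\x04", "zip"),                         # .docx/.xlsx/.pptx are zip files
    (b"{\\rtf", "rtf"),
    (b"MZ", "exe"),                                 # Windows executable / DLL
]
EXPECTED = {".pdf": "pdf", ".doc": "ole", ".xls": "ole", ".ppt": "ole",
            ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".rtf": "rtf"}
# PDF names that give a document a way to run code or reach out.
RISKY = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia)\b")


def detect_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def pdf_risky_names(data: bytes) -> list:
    """Undo #xx name escapes (e.g. /J#61vaScript) so keyword hiding does not work,
    then return the risky names found, sorted."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return sorted({m.group(0).decode() for m in RISKY.finditer(plain)})


def triage_attachment(name: str, data: bytes) -> dict:
    """Return the claimed and actual type plus a list of reasons not to open it."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = detect_type(data)
    flags = []
    if kind == "exe":
        flags.append("executable content")
    if ext in EXPECTED and EXPECTED[ext] != kind:
        flags.append(f"extension {ext} does not match content ({kind})")
    if len(suffixes) > 1 and suffixes[-2] in EXPECTED:
        flags.append("double extension")
    if kind == "pdf":
        flags.extend(f"PDF contains {n}" for n in pdf_risky_names(data))
    return {"name": name, "claimed": ext, "actual": kind, "flags": flags}


SAMPLES = {  # constructed for the demo, not real attachments
    "Agenda.docx": b"PK\x03\x04" + b"\x00" * 16,
    "India's Ballistic Missile Defence.pdf": (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /J#61vaScript /JS (app.launchURL('http://example.invalid')) >> endobj\n"
        b"%%EOF"),
    "Briefing.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "Report.doc": b"MZ\x90\x00" + b"\x00" * 16,
}


def demo() -> dict:
    """Triage every sample and return {name: flags}."""
    return {name: triage_attachment(name, data)["flags"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {'OK to ask sender' if not flags else '; '.join(flags)}")
```

/OpenAction on its own is common in harmless PDFs (it merely sets the opening page), so the flags are reasons to make the phone call in step four, not proof of an exploit. Conversely, a clean result proves nothing: Shadownet’s attachments were real documents whose exploit lived in the file format itself, which only a patched reader or an isolated viewing machine defends against.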
