13-04-2010, Department of Information Technology (DIT), Ministry of comm. & IT
| No.1(31)/2010-PIO(RTI), 17-05-2010, from Dept.of IT
Kindly provide me answers to the following questions regarding the recent hacking of computers in India. (Please refer to news reports on 7 April 2010, "China cyber spies target India, Dalai Lama" - report at http://in.reuters.com/article/topNews/idINIndia-47473520100407)

Q1. Has an investigation been launched by the Government into this hacking? What is the process for interacting with the investigation team?

Q2. Of the total systems hacked, what percentage of them were running Microsoft Windows?

Q3. What entities outside of government, in the NGO or private sectors, were affected by this hacking, to the best knowledge of your investigators?

Q4. By when can security recommendations emanating from the investigation be expected?
Reference your request dated 13-04-2010 received on 16-04-2010 regarding recent hacking of computers in India on the above subject. The requisite information as received from the concerned division is enclosed for your reference and records.

In case you intend to go for an appeal in connection with the above, you may appeal to the Appellate Authority as under: Shri N. Ravi Shanker, Joint Secretary & Appellate Authority (RTI) (M/o Communications and IT), Electronics Niketan, 6 CGO Complex, New Delhi - 110003
No.3(15)/2006-CERT-In PtIII, DIT, 17-05-2010

Prof. Mehta has submitted an application to JD & PIO (RTI), DIT, MCIT in respect of the recent hacking of computers in India, referring to a news report of 7th April 2010 (report at http://in.reuters.com/article/topNews/idINIndia-47473520100407) and requesting the following information: ............ Q1, 2, 3, and 4 ...............

2. Draft reply is placed below:

The Reuters article refers to the report titled "Shadows in the Cloud". An interview published by India Today with one of the authors of the report is attached as Annexure I. Excerpts of the report indicating the concerned agency of the Government of India are attached as Annexure II. For further information the concerned agency may be approached.

If approved, we may furnish the information to CPIO (RTI), DIT.
Attachment: China cyber-spies target India, Dalai Lama - report
Wed Apr 7, 2010 7:55am IST

Photo caption: A Chinese Internet user browses for information on the popular search engine Google in Beijing January 25, 2006. A cyber-espionage group based in southwest China stole documents from the Indian Defence Ministry and emails from the Dalai Lama's office, a group of Canadian researchers said in a report released on Tuesday. Credit: Reuters/Stringer/Files
By Lucy Hornby and David Ljunggren, BEIJING/OTTAWA

(Reuters) - A cyber-espionage group based in southwest China stole documents from the Indian Defence Ministry and emails from the Dalai Lama's office, Canadian researchers said in a report on Tuesday.

The cyber-spies used popular online services, including Twitter, Google Groups and Yahoo Mail, to hack into computers, ultimately directing them to communicate with command and control servers in China.

The report, entitled "Shadows in the Cloud", said the spy network was likely run by individuals with connections to the Chinese criminal underworld. Information might have been passed to branches of the Chinese government, it added.

"We did not find any hard evidence that links these attacks to the Chinese government," said Nart Villeneuve, who, like the other authors of the report, is a researcher at the University of Toronto's Munk School of Global Affairs.

"We've actually had very healthy co-operation with the Chinese computer emergency response team, who are actively working to understand what we've uncovered and have indicated they will work to deal with this ... It's been a very encouraging development," Villeneuve told a Toronto news conference.

In Beijing, a Chinese Foreign Ministry spokeswoman said Chinese "policy is very clear. We resolutely oppose all Internet crime, including hacking."

A year ago, the same researchers described a systematic cyber-infiltration of the Tibetan government-in-exile, which they dubbed GhostNet.

"The social media clouds of cyberspace we rely upon today have a dark, hidden core. There is a vast subterranean ecosystem to cyberspace within which criminal and espionage networks thrive," said the Munk School's Ron Deibert.

Attacks using online social networks to gain trust and access have garnered more attention since Google announced in January that it, along with more than 20 other companies, had suffered hacking attacks out of China. Google ultimately withdrew its Chinese-language search service from the mainland.

The data gathered by the researchers showed that security breaches at one group can result in the theft of confidential information from another organization, a factor that makes it hard to distinguish the ultimate origins of the cyber-spying.

"Anti-virus systems as they stand at the moment are not terribly effective with these kinds of targeted attacks," said researcher Greg Walton, advising the use of digital signatures and software that strips out all attachments from emails.

Stolen documents recovered by the researchers contained sensitive data taken from India's National Security Council Secretariat. They included secret assessments of the security situation in northeastern states bordering Tibet, Bangladesh and Myanmar, as well as insurgencies by Maoists. Information supplied by visa-seekers to the Indian embassy in Afghanistan and the Indian and Pakistani embassies in the United States was also compromised, the report said.

"We have heard about the hacking report and the concerned department is looking into the case," said Sitanshu Kar, a spokesman for the Indian Defence Ministry.

Some command and control centers listed in the GhostNet report went offline but provided leads for the latest probe. Internet domains used in both attacks resolved to an IP address in Chongqing, a large city in southwest China, while addresses in the nearby city of Chengdu were used to control Yahoo Mail accounts used in the attacks, the report said. It traced part of the network to individuals in Chengdu who are graduates of the University of Electronic Science and Technology of China and alleged to have links with the Chinese hacking community.

The researchers said that taking emails from the Dalai Lama's office allowed the spies to track who might be contacting the Tibetan spiritual leader, who China accuses of seeking Tibetan independence.

(Additional reporting by Ben Blanchard and Bappa Majumdar in New Delhi; Editing by Benjamin Kang Lim, Sugita Katyal and Rob Wilson)
Annexure:

China's cyber espionage - tip of a very large iceberg: Investigator
Sandeep Unnithan, New Delhi, April 6, 2010

Associate Editor Sandeep Unnithan spoke to Greg Walton, one of the Information Warfare Monitor investigators who put together 'Shadows in the Cloud', a 10-month investigation detailing China's espionage directed against Indian govt computers.

Q) Would you call this the largest cyber-espionage operation? In sheer size, is it bigger than GhostNet (the cyber espionage network uncovered in 2009)?

A) This is India's 0-day [zero day]. The most recent wave of targeted malware attacks from Chinese servers which the Indian government determined began on December 15, 2009 - incidentally, almost simultaneous with the consensus timeline for the opening salvo that led to the Google breaches - but what our team has uncovered here is the tip of a very large iceberg, that largely goes unreported outside of the intelligence and security community. It's our view that it's high time that policy makers, academics, civil society and other stakeholders - including the general public - became more aware of these issues. The detection and takedown of criminal botnets by inter-disciplinary teams of cyber security researchers is increasingly commonplace; however, the exposure and takedown of what we characterize in our report as cyber crime morphing into cyber espionage networks is less widely reported on and analysed. It's hard to measure in terms of sheer size or scale. I think a more appropriate assessment would be based on factors such as the aggregation of actionable intelligence on the basis of the institutions compromised - and the documents exfiltrated.

Q) What kind of cooperation did you get from the Indian authorities?

A) I have had limited interaction with the Indian authorities at this stage, but I must say, we found the government officers that we notified of this very serious matter to be very professional, and they cooperated to the fullest extent possible in the circumstances. My sense is that there is a real concentration of very talented and dedicated specialists at that agency working around the clock to protect India's critical digital infrastructure from these sorts of attacks. Moreover, we were relieved to infer from our brief discussions that the government agency was running a parallel investigation that was looking at closely related command and control networks, also based in China. We very much hope that the findings from our investigation will be of use to that agency.

Q) Your study mentions the origin of these attacks being Chengdu, Sichuan province, also the HQ of the PLA's SIGINT bureau.

A) The Chengdu SIGINT station in Sichuan operates the PLA's Third Department's collection targeting India, Pakistan, and Southeast Asia.

Q) In your opinion, is there enough evidence to suggest that the Chinese government is behind these attacks?

A) No, there is not. This is an ongoing investigation and attribution in these kinds of scenarios is very challenging.

Q) What use would the data recovered from hacked computers - classified presentations, emails from foreign ministries and defence depts - be for ordinary hackers, i.e. is there a precedent for such information being sold to governments etc.? Or is it safe to assume that such information would be of use only to governments?

A) The majority of data stolen by Shadownet is - as you say - of particular interest to an entity like the Third Department of the PLA - but it could be of interest to many other actors - state and non-state - in China and around the world. There is a growing body of evidence to support the hypothesis that there is a criminal-intelligence nexus or ecosystem where stolen data of value to Chinese intelligence is traded on black markets.