28 May 2012


No investigation on Chinese hacking of sensitive Indian government computers


Until the invention of the airplane, the armed forces consisted of an army and a navy. When attacks started to come from the air, they had to rethink their defences. Now, with the arrival of cyberspace, India is being battered by attacks from a new direction, and it is shocking to learn how ill-prepared the Indian government seems to be, and indeed how callous it is, about the problem.

A clear indication of how dangerous a place cyberspace has become is malware of the class of Stuxnet, which sabotaged uranium enrichment centrifuges in Iran, and Flame, the espionage toolkit recently found on computers across the Middle East. Attacks on India have been well documented too.

In 2009 and again in 2010, researchers from the University of Toronto reported successful attacks on Indian computers by Chinese hackers; in the 2010 investigation they even recovered copies of a large number of stolen, secret Indian documents (refs 1, 2).

Using the Right to Information Act we have established that no investigation has been launched by any of the key ministries of the Indian Government into these cases of cyber espionage, and hence no effort has been made to close the security holes exploited by the hackers. It is likely that the Defence Minister even lied in response to a Parliament question. For an attack on India no less serious than Kargil, this lapse is shocking, to say the least.

The Honourable Minister of Defence Mr. A.K. Antony informed Parliament, in reply to unstarred question no. 1840 of the Rajya Sabha on 11 August 2010, that “It was ascertained that only certain internet facing computers were compromised by the hackers”. But even though the Ministry circulated copies of our RTI applications to 17 departments, it was unable to identify a single compromised computer. Equally disturbing is the lack of clarity at the highest levels of government as to who is responsible for investigating, and protecting against, cyber attack.

On 13 February 2012, we asked the Prime Minister's Office (PMO) “who in the Government of India is responsible for protection of the country from cyber attacks and for their investigations; and who is responsible to register FIRs from citizens about cyber crime against citizens and institutions of this country”. The query was forwarded to the Ministry of Communications and IT, with advice “to approach above public authority for further information regarding the matter”. The Department of Telecommunications (DoT) forwarded it to the Ministry of Home Affairs saying “information not available with DS unit, DoT”, which forwarded it back to the Ministry of Communications and IT, DIT (HQ). DIT informed us on 3 April 2012 that “Cert-In analyses the reported incidents and provides technical advisory to the reported parties for taking further steps for mitigation of such attacks in future” and “FIRs are to be registered only with the Police.”

India was incredibly lucky: the Tibetans were alert enough to discover the hacking, the Canadians went beyond the call of duty to keep tracking it, and the attackers were careless enough to let lapse the domain names to which the malware was reporting, which the Canadians then registered themselves and used to observe the infected machines. Next time around, and that may have happened many times already, India will not have nearly so much information about the attack. These kinds of crimes often leave no obvious trace on the victim machine: a file is copied, nothing is deleted or changed, and only network or host logs, if they are kept and examined, would show it.

Who knows, the attack may still be going on. Machines infected with the malware may still be exporting secret documents and installing further malicious code. We have demonstrable leaks in our cyber security, and the fact that these attacks were not even investigated is a scandal in itself.

Bapsi calls on the Government to notify an agency under Section 70A of the IT Act as responsible for protecting India from such cyber attacks. It has been four years since Sections 70A and 70B were introduced by the Information Technology (Amendment) Act 2008. It is time for the Government to take the matter seriously and notify an agency. This agency must immediately launch a detailed investigation into reports of hacking of sensitive Indian computers over the last few years, including asking for input from concerned and knowledgeable citizens. Recommendations emanating from the investigation should be made public, so that the private sector, NGOs, diverse government agencies etc. in possession of sensitive information can learn from these attacks and take preventive measures.

XXX

More info.: http://www.bapsi.org http://www.bapsi.org/Home/cyber-security-matters

Video in English:

·         China Hacks, India Ignores, part 1 http://www.youtube.com/watch?v=Mu9cNVVP2zE

·         China Hacks, India Ignores, Part 2: http://www.youtube.com/watch?v=QtQDnp0K51E

Video in Hindi:

·         Chini cyber humla beparwah bharat: http://www.youtube.com/watch?v=AZCavTicYU8

·         Citizen view on china hacking, Views of Mr. Jagdeep S. Chhokar in Hindi: http://www.youtube.com/watch?v=AOBeCdOP6vM&feature=relmfu

Contact: B-69, 2nd Floor, Lajpat Nagar-I, New Delhi-110024, +91 011 2981 7007, 98731 99898

Ref: (1) www.nartv.org/mirror/shadows-in-the-cloud.pdf (2) www.nartv.org/mirror/ghostnet.pdf (3) http://www.pcworld.com/article/256508/the_flame_virus_your_faqs_answered.html



More information on Chinese Cyber hacking


The report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" was released by the Canadian researchers in April 2010. It produced startling revelations that hackers operating from Chengdu in China had pilfered over 800 secret Government of India documents from computers in India and its embassies. The information includes (1) secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning Naxalites and Maoists; (2) visa applications, passport office circulars and diplomatic correspondence; (3) detailed personal information on some key people; and (4) a large amount of defence-related information.

In an investigation begun in 2008 and published in March 2009, researchers in Canada (the University of Toronto's Munk Centre for International Studies and the Ottawa-based security firm SecDev Group, working together as the Information Warfare Monitor) uncovered GhostNet. They found 1,295 infected computers in 103 countries, close to 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media and NGOs. The U.S.-based Shadowserver Foundation joined them for the 2010 follow-up investigation.

After the Tracking GhostNet report was published, several control servers in the network went offline and several of its domain names expired. The Canadian researchers registered those expired domains themselves (a technique known as sinkholing) and then found that compromised computers around the world were still reporting in, and uploading information, to them.
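The sinkhole technique described above, as an added example that is not part of the original page or of the Toronto researchers' own tooling: once an expired command-and-control domain has been re-registered, the only evidence is the web-server log of the machines that keep checking in. The script below parses constructed access-log lines (the beacon URL shape GET /update?id=<tag>, the tags and the addresses are all invented for illustration), separates implant check-ins from browser visits and scanner noise, flags implants whose check-in timing is machine-regular, and shows why counting source IP addresses undercounts victims when several infected machines sit behind one address.

```python
"""Triage beacons that arrive at a sinkholed command-and-control domain.

Added example, not code from the Bapsi page or the Toronto researchers.
The log lines are constructed, and the beacon URL shape (GET /update?id=<tag>)
is hypothetical; real malware families use their own check-in formats.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache/nginx "combined" access-log format, as a sinkhole web server would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical implant check-in: GET /update?id=<per-victim tag>.
BEACON_RE = re.compile(r"^/update\?id=(?P<tag>[A-Za-z0-9_-]+)$")

# Constructed sample: two implants behind one NAT address (203.0.113.10), one
# implant at 198.51.100.7, an analyst's browser visit and a scanner probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2012:08:00:01 +0000] "GET /update?id=WS-ALPHA HTTP/1.1" 200 17 "-" "Mozilla/4.0"
203.0.113.10 - - [10/May/2012:08:05:00 +0000] "GET /update?id=WS-BRAVO HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.7 - - [10/May/2012:08:10:00 +0000] "GET /update?id=WS-CHARLIE HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.7 - - [10/May/2012:08:12:00 +0000] "GET /update?id=WS-CHARLIE HTTP/1.1" 200 17 "-" "Mozilla/4.0"
192.0.2.5 - - [10/May/2012:08:20:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [10/May/2012:08:30:02 +0000] "GET /update?id=WS-ALPHA HTTP/1.1" 200 17 "-" "Mozilla/4.0"
203.0.113.10 - - [10/May/2012:08:35:00 +0000] "GET /update?id=WS-BRAVO HTTP/1.1" 200 17 "-" "Mozilla/4.0"
192.0.2.99 - - [10/May/2012:08:40:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "-"
203.0.113.10 - - [10/May/2012:09:00:01 +0000] "GET /update?id=WS-ALPHA HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.7 - - [10/May/2012:09:50:00 +0000] "GET /update?id=WS-CHARLIE HTTP/1.1" 200 17 "-" "Mozilla/4.0"
"""


def parse_beacon(line):
    """Return (tag, source_ip, timestamp) for an implant check-in, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    b = BEACON_RE.match(m.group("path"))
    if not b:
        return None  # browser visits, scanners and 404s are not victims
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return b.group("tag"), m.group("ip"), ts


def triage(log_text, max_jitter=0.1):
    """Summarise each implant tag seen in the sinkhole log.

    A tag is marked 'regular' when it has at least three check-ins whose
    spacing varies by no more than max_jitter of the mean interval, which is
    the signature of a timer-driven implant rather than a human visitor.
    """
    seen = defaultdict(lambda: {"sources": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_beacon(line)
        if rec is None:
            continue
        tag, ip, ts = rec
        seen[tag]["sources"].add(ip)
        seen[tag]["times"].append(ts)

    summary = {}
    for tag, data in seen.items():
        times = sorted(data["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * mean(gaps)
        summary[tag] = {
            "sources": data["sources"],
            "beacons": len(times),
            "first_seen": times[0],
            "last_seen": times[-1],
            "regular": regular,
        }
    return summary


def victims_per_source(summary):
    """Map each source IP to the implant tags seen behind it: one address may
    front several compromised machines, so counting IPs undercounts victims."""
    by_ip = defaultdict(set)
    for tag, info in summary.items():
        for ip in info["sources"]:
            by_ip[ip].add(tag)
    return dict(by_ip)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for tag, info in sorted(result.items()):
        print(f"{tag}: {info['beacons']} beacons from {sorted(info['sources'])}, "
              f"{info['first_seen']:%H:%M:%S}-{info['last_seen']:%H:%M:%S}, "
              f"regular={info['regular']}")
    for ip, tags in sorted(victims_per_source(result).items()):
        print(f"{ip}: {len(tags)} implant(s) {sorted(tags)}")
```

On the constructed sample, WS-ALPHA checks in every 30 minutes to within a second and is flagged as regular, WS-CHARLIE's gaps of 2 minutes and 98 minutes are not, and 203.0.113.10 turns out to front two distinct implants. The per-victim tag is what real sinkhole operators rely on for the same reason; where a family does not carry one, the victim count is only a lower bound.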


In 2010 they revealed systematic cyber espionage by Chinese hackers once more. The report “Shadows in the Cloud: Investigating Cyber Espionage 2.0”, released in April 2010, found compromised computers at 139 IP addresses in 31 countries, of which the largest number, 62, were in India.

Information taken by the hackers related to:

·         Secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists.

·         Confidential information from Indian embassies on India’s international relations with and assessments of activities in West Africa, Russia/ Commonwealth of Independent States and the Middle East

·         Visa applications, passport office circulars and diplomatic correspondence.

·         Detailed personal information of a member of the Directorate General of Military Intelligence.

·         Academics and journalists who regularly report on sensitive topics such as Jammu and Kashmir and the People's Republic of China

·         The Pechora and Iron Dome missile systems

·         Project Shakti - an artillery combat command and control system

·         Network centricity (SP’s Land Forces 2008) and network-centric warfare

·         The containment of the PRC, Chinese military exports, and Chinese foreign policy on Taiwan and Sino-Indian relations

·         Documents focusing on ethnicity, religion and politics in Central Asia, and links between armed groups and the PRC

List of affected institutions

·         National Security Council Secretariat

·         Diplomatic Missions - Embassy of India, Kabul, the Embassy of India, Moscow, the Consulate General of India, Dubai, and the High Commission of India in Abuja, Nigeria.

·         Military Engineer Services at Bengdubi, Kolkata, MES(AF) Bangalore, and Jalandhar.

·         Military Personnel – computers linked with the 21 Mountain Artillery Brigade in Assam, Air Force Station, Race Course, New Delhi and Darjipura Vadodara, Gujarat.

·         Military Educational Institutions - Army Institute of Technology in Pune, Maharashtra, Military College of Electronics and Mechanical Engineering in Secunderabad, Andhra Pradesh.

·         Institute for Defence Studies and Analyses

·         Defence-oriented publications- India Strategic defence magazine and FORCE magazine

·         Corporations- YKK India Private Limited, DLF Limited, TATA

·         Maritime - National Maritime Foundation, Gujarat Chemical Port Terminal Company Limited

·         United Nations - 1 computer at UNESCAP

Right to Information Queries (RTI)

RTIs to the Ministry of Communication and Information Technology

·         On 13 April 2010, we asked the Department of Information Technology (DIT) "if an investigation has been launched by the government into the Chinese hacking, the process of interacting with the investigating team, what percentage of the computers hacked were running Microsoft Windows, and when are the security recommendations emanating". We asked about MS Windows to suggest to the Ministry a way to improve its security: the malware used in these campaigns ran only on Windows, so machines running Linux would not have been infected by it, although no operating system is immune to a determined attacker. The RTI was forwarded to CERT-In and we were supplied a copy of an interview published by India Today and p. 41 of the “Shadows” report.

·         In December 2010, we asked the same questions again. This time the letter was forwarded within DIT, and we received a copy of the India Today article and a copy of the complete “Shadows” report.

·         The same questions were asked again on 28 March 2011 to trace any updates. This time the Ministry forwarded the request to the concerned agency and said “information is awaited.”

·         We sent an appeal on 26 May 2011 pointing at "the lack of seriousness with which the IT Ministry deals with a matter of National Security", as "the information stolen could find its way to Pakistani and other elements that frequently target India and Indians." The Ministry said "the incident is a multi-agency activity and DIT is trying best to get the required information."

·         In May 2011, we asked questions on progress against the answers given in response to Rajya Sabha starred question no. 486 of 29-04-2010, in which the Minister of Communications and Information Technology Shri A. Raja had said "An agency of the Government has been investigating such types of attacks... an investigation has already been launched into the matter...". We asked if the investigation had been completed. The request was forwarded to the concerned agency and “information is awaited".

·         On 08 May 2012, we asked the Department of Electronics and Information Technology "which agency has been notified under section 70(A) of the IT Act 2000/2008 as national nodal agency in respect of Critical Information Infrastructure Protection". We also asked for a list of every computer resource declared to be a protected system by notification in the Official Gazette. The Department, vide letter no. 14(68)/2011-ESD dated 17 May 2012, informed us that "Government has not yet notified any agency under Section 70(A) of the Information Technology (IT) Act 2000 as national nodal agency in respect of Critical Information Infrastructure Protection.” It further revealed that only the TETRA Secured Communication System Network, its infrastructure and software installed at some locations in Delhi have been notified as Protected Systems under Section 70 of the Information Technology Act 2000. It does not seem, therefore, that the government has even identified which computers it needs to secure.

RTI to the Ministry of Defence

·         We sent a similar RTI inquiring about the information furnished in response to unstarred question No. 1840 in the Rajya Sabha on Chinese hacking, in which the Minister of Defence Shri A.K. Antony, on 11-08-2010, had said: "The report of hacking Indian Defence Ministry documents put up by a group of researchers at the Munk School of Global Affairs, University of Toronto, Canada was analysed thoroughly. It was ascertained that only certain internet facing computers were compromised by the hackers which had no sensitive defence data".

·         The RTI was forwarded to the Director (Coord) & CPIO saying "it is understood that D(IT/Coord) has dealt with the above mentioned question", who forwarded it to 13 departments saying "The reply of the ibid Parliament Question was furnished by this Division after consolidating the replies received from various Wings/ Directorates." The application saw a few more forwards within the Ministry.

·         None of the responses supported the Honourable Defence Minister's reply in Parliament. Hence we asked on what basis the reply to the Parliamentary question had been formulated. This was forwarded to Director (IT/Coord) saying "the reply …. was furnished by the Division after consolidating the replies received from ….". D(IT/Coord) forwarded this to 17 departments within MoD. This time HQ IDS informed us of ".. attempted hacking on two internet facing standalone computers of IHQ IDS. These computers did not contain any classified info." Since in response to the earlier RTI, HQ IDS had said "None of the Internet facing computer of HQ IDS were compromised", we asked them to confirm whether the computers were running MS Windows. We were informed that "The machines were analysed and it was ascertained that the computers were not compromised and no documents were picked up by the hackers. The specifications of the computers cannot be disclosed."

RTI to the CBI cyber crime cell

·         We enquired if a formal FIR had been lodged in this matter, and about the process of interacting with the investigation team. We were informed that “no such matter is under investigation under the Cyber Crime Investigation Cell”.

RTI to the Ministry of Home Affairs

·         We asked if any agency had been authorized to investigate the cyber espionage and with which agency an FIR could be filed. The application was transferred to the Department of Information Technology saying "requested information does not fall totally within the jurisdiction of MHA". Later the Ministry informed us that the "CPIO is neither concerned with the subject matter nor has any information to furnish."

·         Following this an appeal was sent stating that the "matter is related to the internal as well as external security of the nation". MHA in response said that the matter ".... was also concerned with Dept. of Information Technology. In MHA the matter came under jurisdiction of CS Division and hence the application was forwarded to the CPIOs..."

RTI to the Cabinet Secretariat

·         We asked in October 2011 about the agency appointed to investigate cyber security incidents in India and the process for interacting with the team. The questions were forwarded to the Department of Telecom, and from there to the DIT.

RTI to the Ministry of External Affairs

·         We asked in June 2011 if any investigation had been conducted and about the procedure for interacting with the investigating team. The Ministry informed us that it "did not conduct a separate investigation to verify the content of the report Shadows in the Cloud. The related investigation was carried out by National Technical Research Organization."

RTI to the PMO

·         In February 2012, we asked the PMO who in the Government of India is responsible for protection of the country from cyber attacks and for their investigation, and how a citizen of India can interact with the investigation team. The query was forwarded to the Ministry of Communications and IT (DoT) and we were “advised to approach above public authority for further information regarding the matter”. This was forwarded to the Ministry of Home Affairs, which forwarded it back to the Ministry of Communications and IT, Department of Information Technology (HQ). They responded that “Cert-In analyses the reported incidents and provides technical advisory to the reported parties for taking further steps for mitigation of such attacks in future” and “FIRs are to be registered only with the Police.”