In February 2014, a bunch of twentysomething cyber security researchers, slouched at their work stations in a decrepit highrise in central Delhi, were tapping away in the dead of the winter night. Their computer screens were aglow, the digits were dancing and the smell of warm pizza was in the air. Suddenly, one of the young men let out a loud war whoop, says an eyewitness. The hacker had cracked open the WiFi router at B-28, South Block, the office of the chief of naval staff on Raisina Hill, a stone’s throw from Parliament and Rashtrapati Bhavan. And, worse, also found that somebody a continent or two away was also looking at what he was.
In the Dilton Doiley world of computer geeks, it was a breakthrough moment, no question.
For over three weeks, the researchers had slogged 15 hours a day to break into the internet protocol (IP) addresses of the bold-faced names of Lutyens’ Delhi, to show how vulnerable their WiFi routers were—and every computer connected to them. At the end of Operation Sarkar as they informally called it, the hackers had managed to “test-scan penetrate” over three lakh routers in the heart of the capital and expose India’s best-kept secret: that 95 per cent of them, in such critical departments as defence, finance, space and communications, were leaking and being exploited by rogue entities based in China, Ukraine, Malaysia and elsewhere.
The router of the Defence Research and Development Organisation (DRDO) in Timarpur: unsafe. The router of the commanding officer at Coast Guard in Purana Qila: unsafe. The router of the National Thermal Power Corporation in scope complex on Lodhi Road: unsafe. And so it went on, as the researchers did high-five after high-five as router after router of banks, income-tax authorities, election officers, police, the narcotics bureau, phone service providers, public works departments succumbed to the overtures of their keystrokes. Why, even the router of the air force station on Race Course Road, bang opposite the PM’s residence: unsafe.
The message was simple: nobody—and nothing—was safe in the new, wall-less cyber age.
The most vital institutions in the national capital were unknowingly sending information to rogue servers on foreign soil. And this was being done not by the old-fashioned way of hacking into individual computers through malware and spyware but by plugging into the WiFi routers to which other computers are plugged in, and then redirecting users to malicious websites or stealing data. So, that February night when the young man broke into the naval chief’s router bearing the internet protocol (IP) address 126.96.36.199, he was not only getting into the chief’s computer but those of others who were simultaneously connected to the internet through it.
“Cyber security breaches are becoming routine in India yet the appropriate sensitivity is lacking. Reports like these raise sensitivity.”
Pavan Duggal, Advisor to IIC
In other words, pretty much the cream of the Indian establishment was being hacked wholesale, not retail.
For the record, Union home ministry officials downplay the data leak. “Most of these computers have no secret content. Sensitive information is stored in standalone or air-gapped computers, and most ministries do not have more than one or two such machines. Intelligence agencies at the level of joint director and above are the other ones who have these standalone machines,” says one official. But he admits that even standalone computers are not safe, “which is why pen drives were banned a year ago at the home ministry”. Even that is no consolation. In July, experts at the University of Negev in Israel wirelessly extracted data through electromagnetic waves using a simple smartphone with an FM radio receiver.
B.J. Srinath, director-general of India’s cyber security watchdog, CERT-In, says that the leakage of data due to the vulnerability of the routers in Delhi is “speculation”: “If a router is compromised, it starts generating abnormally more traffic. That happens because the command and control is with someone else outside. They turn the computer into a slave computer and use it at will for data leakage if the computer has sensitive information. We are not seeing any Denial of Service attacks from non-sensitive computers. That is not happening at the moment.”
Maybe, but industry experts say the danger is clear and present. Says Pavan Duggal, cyber expert and advisor to the Indian Infosec Consortium, “Cyber security breaches are becoming routine in our country and the appropriate sensitivity is strongly missing. In fact, it is not even given the importance it merits. And this when both state and non-state actors are interested in data from India.”
So how exactly were rogue servers situated on foreign soil gaining access to routers based in India? The cyber security researchers found that the DNS (domain name system) addresses of the sensitive systems were being changed to redirect traffic to rogue servers located abroad. “Researchers discovered that several sensitive systems in Delhi...have already been compromised by external entities and their data is being routed through external servers across the globe,” concluded their report, Espionage on Sensitive Indian Machines, presented to then Union IT minister Kapil Sibal.
“Router vulnerability is an issue. We have asked people to store sensitive information not on connected but on standalone computers.”
B.J. Srinath, Director-general, CERT-In
The researchers found that the espionage spanned continents, from Denver to Manchester, from London to Providence. In each case, the enemy targeting Indian institutions was unknown, as was the final destination of the data stolen: it could have been a foreign power, a business house, or even a band of playful hackers. The servers that had breached the navy chief’s South Block computers, for instance, were tracked to the United States. Another router designated for the chief of naval staff at Sena Bhavan was compromised by servers traced to Lithuania. The location of a server is no indication of who the spy is since the entity carrying out the spying is invariably located in a third country.
Says Dr Ashok Jhunjhunwala of IIT Madras, “Routers being compromised is an extremely serious issue, and not sufficient attention has been paid to this aspect. I am certain that these devices are designed to trigger listening in and it is extremely difficult to figure out that there has been a breach. A solution is that, for sensitive installations, we should have devices built by Indian companies or companies that we trust.”
A year-and-a-half after the initial exercise, a smaller group of researchers conducted what in cyber parlance is called Penetration Testing on a smaller group of routers. This time, over 25,000 routers were informally checked, again mostly in Delhi. Over 3,000 were confirmed to be compromised. It wasn’t clear if the routers were targets of espionage, but what was clear once again was that the systems were vulnerable to attacks. Says cyber expert Prof Arun Mehta, “Despite repeated attacks on Indian websites, the matter is not being investigated by the Indian government. For India, hacking mostly means defacing a website; stealing of sensitive files and information has never been investigated.”
This is not the first time sensitive Indian computer security systems have been shown up to be made of cheese and butter. The most high-profile cyber attack on India took place on July 12, 2012. It breached the e-mail accounts of about 12,000 people, including officials from the Union ministries of external affairs, home, DRDO and, surprisingly, the Indo-Tibetan Border Police (ITBP). This time, of course, the investigation found that the technique used for hacking was different. The modus operandi was to send fake e-mails with attachments apparently relevant to the recipients’ work. When opened, the attachments allowed hackers to monitor and search for data covertly.
On its part, CERT-In, which comes under the Union ministry of communications and information technology and is tasked with cyber security threats like hacking and phishing, says it has known of the problem for years. “One of our intelligence agencies had in 2010 discovered some of our modems were compromised in what was considered a major security breach. A study was undertaken and it was discovered that over 1,00,000 modems were vulnerable. Some gaps were plugged and some could not be,” admit officials. Which of the gaps were not plugged is anyone’s guess, but by 2012, the situation had worsened. This time the National Security Council secretariat, which falls under the PMO, came into the picture. “Service providers were told to disable remote management of routers over VAN and change default passwords,” say NSCS officials. They were also told to either get a security upgrade or change these routers. So far, no compliance report has been filed with CERT-In by service providers.
“The report holds as routers have not been changed. If someone was to do a test scan again, 95% comps would still be compromised.”
Prashant Mali, Advocate, cyber expert
It isn’t that the powers-that-be are unaware of the gravity of the threat of data loss via leaky computers and routers. Ten months after the naval chief’s router was breached, then cabinet secretary Ajit Seth said “the government is fully conscious of the threat to our cyber space”. The head of the BJP’s IT cell Arvind Gupta confessed at a hackers’ conference after Narendra Modi had come to power that the PM’s and the BJP’s websites were one of the most targeted. But privately cyber security experts are a worried lot. They point to the fact that most systems that were hacked in 2010 did not have updated security software.
Sceptics of the router leak suspect a determined ‘desi’ drive to hammer down Chinese manufacturers, but there is a clear economic rationale. The state-owned Mahanagar Telephone Nigam Limited (MTNL), for example, in its attempt to get the cheapest ADSL routers, chose to overlook a crucial security feature while awarding tenders to the lowest bidders. The routers were mainly bought from China as they are the cheapest at Rs 500 and did not have the crucial TR-69 interface, CERT officials say. The feature enables service providers to remotely plug or repair loopholes which would otherwise make these routers vulnerable. “Routers were not TR-69 compliant due to budget constraints.” Says advocate and cyber expert Prashant Mali, “When the leak was first discovered, the home ministry had recommended that we should stop buying routers and modems from companies like Huawei and zte. But countries like China objected and the issue got lost in red tape.”
A router enabled with the latest security features costs about Rs 2,000. But government agencies baulk at the thought of getting all ADSL routers of vendors like MTNL changed. Compromising a system through a router is a serious security breach since it connects to any number of computers. Security officials admit it not only corrupts other systems but it can also be used for spying further. “This exercise proves we are sitting ducks on a massive scale and the gravity hasn’t been judged by the institutions concerned,” says Jiten Jain of Indian Infosec Consortium, a group of cyber experts.
Despite the growing threat, the fact that India views cyber espionage as a low-priority area is reflected in the minuscule amount it spends on cyber security. The budgetary allocation towards cyber security (including CERT-In) is Rs 42.2 crore ($7.76 million) for 2012-13, up 19 per cent from Rs 35.45 crore in 2010/11. In comparison, the US spends seven billion dollars through the National Security Agency, $758 million through the Department of Homeland Security and $103 million through US Computer Emergency Readiness Team or US-CERT.
One estimate by US-based information systems giant General Dynamics stated that India’s cyber security budget should be at least 10 times larger than what it is now. Officials admit that more work needs to be done in areas such as capacity building and R&D. Among other things, the objective is to minimise the dependence on foreign IT products and to produce indigenous security solutions. A Cisco report says India needs at least four lakh cyber security experts. It is woefully short of that figure.
Little wonder then that Steve Santorelli, former director of investigations at Microsoft and a former Scotland Yard executive, says India is just one step below Vietnam as the mecca of hijacked routers.
Hack Attack: How Nations And Institutions Have Paid The Price For Data Leaks In Recent Times
Target Sony Pictures
Sony was victim of the worst cyber attack in corporate history when hackers brought operations of Sony Pictures to a halt, affecting business worth billions of dollars. The hackers, FBI alleged, were from North Korea and were demanding the cancellation of the release of a comedy film made by Sony, The Interview, about a plot to assassinate North Korean leader Kim Jong-un. North Korea denied involvement.
Former CIA employee Edward Snowden leaked classified data from the American National Security Agency (NSA). The leak unveiled a global surveillance program being run by the US NSA on internet and phone communication. It created tensions with its allies and the US charged Snowden with espionage and the biggest theft of US secrets ever.
Target Saudi Aramco
In August 2012, Saudi Aramco, Saudi Arabia’s national oil producer, reported an attack that damaged 30,000 computers on its network. Any disruption in production and distribution by the world’s biggest oil producer is a nightmare scenario for the global economy. It was believed to be
sponsored by Iran.
Target Government of India
Despite a clear warning from NTRO, government officials in India failed to secure their computers, resulting in 12,000 e-mail accounts of the home, defence, external affairs ministries, DRDO and NIC being hacked. The data stolen included deployment and location of troops and communication between ITBP, DRDO and MHA. Similar attacks were reported on the Indian navy’s Eastern Command systems. The Eastern Naval Command oversees maritime activities in the South China Sea as well as the development of ballistic missile submarines.
Target Government of Estonia
The entire Baltic nation was brought to its knees in the cyber attack alleged to have originated from Russia. The denial of service attacks were allegedly in protest against the government’s removal of the Bronze Soldier monument, a relic of the Soviet war. The Estonian parliament,
ministries, banks, telecommunication, defence and media came to a standstill for three weeks.
Target US government
Julian Assange, an Australian computer programmer, exposed to the world the real picture of US brutality in Guantanamo prison in Iraq, the Afghan and Iraq wars and other military secrets. Called the biggest leak in US military history, Wikileaks painted a grim picture of the most powerful democracy in the world. Assange was slapped with charges ranging from espionage to sexual assault and has been given asylum in Ecuador’s London embassy.