News Brief

‘Sejal Kapoor’, Kudankulam Nuclear Plant And Pegasus: Here’s All About 3 Cybersecurity Attacks India Faced Recently

Swarajya StaffTuesday, November 5, 2019 9:58 am IST
Representative image (Source: @OMGFacts/Twitter)

Three recent incidents have reignited the debate on cybersecurity as well as privacy in India. The first is the security breach at India’s largest nuclear power plant, the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu.

After reports in the media had caused alarm, Nuclear Power Corporation of India Limited (NPCIL) confirmed that the power plant’s administrative network was breached in the attack.

NPCIL also clarified that the attack did not cause any critical damage, and was limited to its administrative network, which is separate from “the critical internal network”.

The second incident was Facebook filing a complaint in the US against the Israel-based NSO Group for allegedly spying on users of its private messaging platform WhatsApp.

Reportedly, NSO’s Pegasus software was used to break into the phones of selected users, where it would potentially have had access to every bit of information. The complaint revealed that there were 20 Indians among the 1,400 people globally spied upon using the surveillance technology.

Earlier this year, in June, it was discovered that a Pakistani spy operating as “Sejal Kapoor” on Facebook had hacked into the computer systems of more than 98 personnel of various defence forces, including the Indian Army and the Indian Air Force, between 2015 and 2018.

The nuclear power plant breach

In a statement, the NPCIL said that the malware attack on KKNPP was noticed on 4 September by CERT-In (the Indian Computer Emergency Response Team).

The investigation by the Department of Atomic Energy revealed that a malware-infected personal computer had been connected to the plant’s administrative network.

While NPCIL denied any critical damage, some reports suggested that there might have been a second, more serious target.

VirusTotal, a malware-scanning website owned by Google’s parent company, Alphabet, has indicated that a large amount of data from KKNPP’s administrative network might have been stolen. This data could be used later to target the nuclear power plant’s critical systems more effectively.

Short of the worst-case scenario, a reactor meltdown harming thousands of people, such a cyberattack can still be used for sabotage or theft of nuclear materials.

The NPCIL’s statement that “the critical internal network” was isolated from the administrative network, and from the internet, is not reason enough for the public to be complacent.

Such physical isolation of a local network from the Internet to prevent any outside breach is called an “air gap”, and air-gapping makes a system immune only to untargeted and unsophisticated attacks.

In a 2016 report, the Nuclear Threat Initiative said that targeted attacks go beyond network connections and generally leverage “witting or unwitting humans, or a long and difficult-to-defend supply chain, to deliver the attack.”

As highlighted by the Fissile Materials Working Group, in practice, “organisations must transfer data into and out of their operational networks for a variety of reasons.” This exposes the critical internal network in a nuclear power plant to a host of vulnerabilities.

Some researchers suggested that the attack was carried out with a variant of the DTRACK malware, developed by the North Korea-linked Lazarus group. However, the NPCIL has neither confirmed nor denied these reports.

North Korean nationals have a considerable presence in India, and around one-fifth of the attacks by state-sponsored North Korean cyber operations are launched from India. The attack could therefore have come from Indian territory itself.

Honeytrap for the digital world

The Military Intelligence wing, together with the Uttar Pradesh Anti Terrorist Squad, busted the “Sejal Kapoor” case, leading to the arrest of BrahMos senior engineer Nishant Agarwal.

Indeed, ‘sexpionage’ is an old trick for gathering intelligence. In his 3rd century BCE work on statecraft, Kautilya also talks about using charming women for spying. It wouldn't be a surprise if countries systematically recruited and trained men and women to lure persons occupying important positions.

Before the fall of the Berlin Wall, East Germany recruited men to seduce women in important positions in West Germany, and recently, an advertisement posted on behalf of the Pakistan military on a Pakistani college website invited ‘only female candidates’ to "attract and interact with targeted virtual communities and network users."

This old trick has acquired a digital twist in the age of social media. Now, a single person can simultaneously lure multiple targets while sitting in foreign territory, and the operations can be scaled up further by using bots.

One way to do it is via a fake social media profile, through which the spy gains the target’s trust, then access to the target’s devices, and infects them. The second is to find someone on adult sites and inject malware into their phones and computers.

The scary part is that such attempts are not limited to a one-off intelligence grab but can lead to long periods of blackmail and information-sharing. Even after a spying effort is uncovered, it is hard to estimate the number of people victimised and the information compromised, as malware can lie dormant for months or years before being detected.

Pegasus and state surveillance

The individuals targeted by NSO’s Pegasus software included government officials, journalists, activists and lawyers.

Among the Indian targets, The Hindu reported, are lawyer Nihalsing Rathod, academic Anand Teltumbde, Dalit activist Vivek Sundara, and human rights lawyer Jagdish Meshram. Reportedly, WhatsApp has warned several Indian users who are believed to be targets of the illegal snooping spyware.

Pegasus is highly advanced spyware that can gain access to a person’s cellphone after the user clicks a link sent to them, or even through a missed call. After installing itself stealthily, Pegasus begins contacting its control servers, from which its operators send commands to gather data from the infected device.

Pegasus can therefore steal passwords, contacts, text messages and calendar information, as well as voice and video calls made through WhatsApp, and can even track the device’s live location.

NSO says on its website, “NSO products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror.” Moreover, only those with deep pockets can afford the high-tech services of Pegasus. This points the finger at governments around the world as the likely sponsors of the spying.

What next?

Increasing digitisation and integration mean that a debilitating attack not only on security establishments or critical infrastructure like nuclear power plants, but also on banks, financial institutions like stock exchanges, public utility services and the like, can endanger national security.

Needless to say, India will have to increase its capability for both defensive and offensive cyberwarfare. This capability will have to focus on institutions and human resources, as well as technological capability.

In September 2018, Prime Minister Narendra Modi, during the Combined Commanders' Conference at Jodhpur Air Force Station, announced the creation of the Defence Cyber Agency. It is a tri-service command of the Indian Armed Forces. Headquartered in New Delhi, the agency is tasked with handling cyber security threats.

The Army has already described honey-trap cases as a weapon of hybrid warfare waged by the enemy across the borders. Regarding social media usage, a list of dos and don’ts has been prepared, and suspected Twitter and Facebook accounts are being identified.

Outside the military infrastructure, the Indian Computer Emergency Response Team (CERT-In), an office within the Ministry of Electronics and Information Technology, is the nodal agency for dealing with cyber security threats like hacking and phishing.

With formal institutions in place, the Indian establishment will have to focus on arming personnel with state-of-the-art technology as well as training. A good institutional culture will go a long way. The technology upgrade in this regard is expected to be costly and will require adequate funding.

For example, software can be embedded in all sensitive data and devices that tracks bad actors and destroys the documents with a programmed kill switch.

However, the most important aspect is human error.

IBM’s “2014 Cyber Security Intelligence Index” stated that 95 percent of all security incidents involve human error. Luring an ‘insider’ is an attractive option, as they can provide sensitive information and can easily be convinced not to disclose their private lives to others.

In the ‘Sejal Kapoor’ honey-trap case, the investigation revealed that the fake accounts would generally like and comment on the photos of army personnel. Comments like “Wow, Jai Hind!” or “Thank you for keeping us safe” would attract the attention of the target, and the conversation would move to personal chat, where the spy would earn the trust of the victim, establish a relationship and use it to extract information.

Therefore, best cyber practices must be instilled in candidates, and frequent workshops should be conducted to sensitise them to the latest cyber-threats. A time-bound review of all devices to check for malware would also be helpful. From time to time, all agencies should test the judgement of their personnel by confronting them with lures such as fake accounts.
