Operation Shady RAT: India-Pak hackers flex muscles

More than 117 Indian government websites compromised in the first six months of this year have been asked to hand over records to aid investigators in finding out how they were breached. While defacements can be humiliating, especially for government agencies, they are just a distraction from the serious, sophisticated attacks carried out by organised crime, spies or patriotic freelancers.

A cyber-security researcher announced uncovering an unprecedented global cyber-espionage campaign. India was among the governments hit by the campaign, dubbed Operation Shady RAT. The Indian government most likely wants to analyse minor attacks such as the defacements to help tighten security against much more serious incidents.

[caption id=“attachment_53815” align=“alignleft” width=“380” caption=“The Indian government most likely wants to analyse minor attacks such as the defacements to help tighten security against much more serious incidents. AFP”]  [/caption]

More from News & Analysis

What is the US HIRE Bill and why is India’s $250-billion IT sector worried? Is the internet dead? What's this theory that OpenAI's Sam Altman says might be true?

The defacements are part of a tit-for-tat battle for bragging rights between Indian and Pakistani hackers. In December last year, a group calling itself the Indian Cyber Army hacked 35 Pakistani government websites. Less than a week later, a group calling itself the Pakistani Cyber Army - no points for originality - returned fire, defacing the CBI website. The Pakistani hackers left a message on the front page of the site that included this:

“This attempt is in response to the pakistani websites hacked by ‘Indian Cyber Army’. We told you before too ..we are sleeping but not dead..remember PCA(pakistan cyber army)!..back off kids or we will smoke your d00rs off like we did before”

While hacktivism entered the public consciousness over the last year, as hacking group Anonymous has launched denial of service attacks against major websites including Visa, Mastercard and PayPal, hackitivists have taken part in several international conflicts before.

In 2001, Pakistani hackers launched attacks against US and Indian sites, and Chinese and US hackers engaged in a defacing contest after a US reconnaissance plane collided with a Chinese war plane. The Chinese war plane crashed, killing the pilot, and the reconnaissance plane was forced to land in China.

Government servers are not the only sites that have been defaced in the attacks on Indian websites. From January through May of this year, 3,628 with a .in domain have been defaced.

Defacements are the internet equivalent of spraying graffiti across the web, but to deface a website, a hacker would have had to broken into the web servers. If the servers were set up properly and isolated from other systems, the hackers would be able to do little more than change some web pages.

However, in at least one case, hackers claimed to have grabbed thousands of files. The Pakistan Cyber Army claims to have stolen 10,000 user records including names, email, phone numbers and location from BNSL. They also claimed to have stolen details of BNSL’s VPN, virtual private network, a way for people to access their work networks over the internet.

Rising cyber threats

Such attacks have increased dramatically. 2010 was a banner year for defacements of sites in India, tripling last year to 8,864 sites compromised with an .in domain. The Computer Emergency Response Team (CERT-In) blamed the rise in attacks to poor security by individuals and small businesses on self-hosted websites.

This cyber-vandalism make headlines but often mask the deeper threats to cyber-security.

Other issues face Indian websites. Of 151 security incidents in May, phishing was involved in 57 percent of the cases. Phishing is the use of email to trick users out of personal details or to trick them into downloading ‘malware’, malicious software, such as key loggers or software that allows the hacker to control the compromised machine.

While most phishing is little more than fake emails trying to trick you out of your bank details, a new more sophisticated use of this type of attack, spear phishing, is being used in industrial and state espionage. The emails look as if they are sent from colleagues or other people known to you. They aren’t sent en masse but are targeted.

Google managed to thwart such an attack against officials from the US and Asian governments, Chinese political activists, military personnel and journalists earlier this year.

Criminals and vandals can rent networks of compromised computers to launch attacks against websites or other computer networks. In 2009, security researchers uncovered the Golden Cash botnet market. Cybercriminals could rent 1,000 infected computers for $60 in the UK, $100 in Australia or $50 in the US.

CERT-In tracked 45 command and control servers used to control more than 2m bot-infected computers in India.

The hacktivist defacements mostly use automated attack tools and known vulnerabilities. They scan websites looking for these unlocked doors so they can break in and and leave their taunts. Other more experienced hackers mock such hackers, calling them script kiddies.

The hackers behind spear-phishing and corporate and governmental espionage leave little trace. Computer security expert Bruce Schneier has been writing about hackers in China and the threat perceived by the US for years. In 2008, he wrote:

“They’re stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.”

While these hackers might not be taking their orders from the Chinese government, they make their money selling stolen information to the government. Being at arm’s length from the authorities gives Chinese officials the ultimate weapon in espionage - plausible deniability.

Soon, an attack online might lead to a war in the real world. The US has said that certain cyber attacks might be construed as an act of war.

Earlier this year, a US military official told the Wall Street Journal, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

While hackers leave childish messages on websites as they thump their chests, real cyber criminals are making the internet a much more dangerous place than it used to be.