Why India Cannot Remain Complacent Against Cyber Attacks Like WannaCry

Cyberworld.jpgON MAY 15TH, Union Information and Technology Minister Ravi Shankar Prasad said that India has seen only “isolated incidents” of cyber attack by the WannaCry ransomware, the latest variant of computer viruses that typically lock up PCs and demand ransom in return for recovering files. A day later, employees of Indian Railways in Palakkad, Kerala, saw on their monitors the cryptic message: ‘Ooops, your files have been encrypted’. An officer who is familiar with the warning—he has seen it over the past several days in dailies — tells Open that he never thought the malware would affect his computer or those of 22 others in his regional division. “It was only after we snapped the internet connection that we started to breathe easy,” he notes. At that very moment, it dawned on this officer, who spoke on condition of anonymity, that his team had been rather lax and that the Government was in denial despite India being the third biggest victim of the devastating new virus, which has been infecting 3,600 computers per hour worldwide. Aruna Sundararajan, secretary at the ministry of electronics and IT, also played down the quantum of the attack.

“Prasad’s cavalier remark is unacceptable. What senior politicians like him should understand is that though he is not interested in the virus, the virus is interested in him,” says a former home ministry official assigned to a crucial project to fight cyber crime. At seminars, government officials never tire of making perfunctory statements about cyber defence being the fourth arm of the armed forces, but the latest viral strike on Windows users bring to the fore concerns about the lack of Indian preparedness to ensure cyber security. According to a statement by anti-virus software maker Quick Heal Technologies, as on May 15th, 48,000 ransomware attack attempts were detected in India, with West Bengal witnessing the most incidents. Among the worst hit states identified by the firm, neither Andhra Pradesh nor Kerala are mentioned, states that were named by Prasad. Instead, they include Bengal, Maharashtra, Gujarat, Delhi NCR and Odisha. The company also said that 60 per cent of those targeted were enterprises and the rest individuals. The top five cities listed by Quick Heal are Kolkata, Delhi, Bhubaneshwar, Pune and Mumbai. “Our observation is that the attack is not focused towards any particular industry, but it is widely spread across industries especially those organisations that are online and connected,” says Quick Heal Managing Director Sanjay Katkar of the virus.

Hackers who unleashed the global wave of attacks starting May 12th on various sectors, including national health systems in countries such as UK, telecom companies in Spain, banks, travel networks, police departments, public services, airports, logistics companies and other enterprises globally, especially in Russia, Ukraine, India and US, used a tool developed by US spies known as Eternal Blue. At the Palakkad division of Indian Railways, as well as in several hospitals of UK’s National Health Services, the ransom demanded was $300 in bitcoin, the digital wallet that ensures anonymity of users. As on early May 16th, the WannaCry hackers had grossed more than $71,000 through ransoms, indicating that the pace of payment is rising each passing day. Before the latest bout of cyber hacking took place, the existence of the NSA-developed program that could exploit the vulnerabilities in Windows’ operating systems was leaked last month by a hacking group called The Shadow Brokers, who have now threatened to release more such NSA tools.

Mumbai-based cyber crime investigator Ritesh Bhatia avers that American cyber whistleblower and former NSA contractor Edward Snowden has been proved right once again—that NSA has been making cyber weapons of mass destruction. “It’s unfortunate that the same cyber weapons were stolen and used against many countries for a ransom,” he says, adding that what is very disturbing is the fact that large organisations are still using the outdated Windows XP.

Various other cyber experts—including those in the Government— state that governments have to take the risk posed by cyber attacks, be it from terrorists or from hackers like in this case, more seriously. “The amount of loss is not what counts. What matters is how vulnerable our systems are because nobody will be lucky the next time,” says a Mumbai-based police officer who has closely followed cyber attacks in the country. Points out Bhatia, “Awareness, audits and action have no substitutes. Awareness sessions should be held on a monthly basis. Random and surprise audits are a must.” He adds that data is the new oil. “In the case of ransomware, only a backup can help you. Even if you pay up, the decryption code leaves behind backdoors for the hacker to attack again. We must have infrastructure where we are able to switch over to another working environment.”

For his part, Brad Smith, president and chief legal officer, Microsoft, has suggested that this latest series of attacks on Windows users is a “wake-up call” for governments. He wrote on his blog that this is ‘yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world’. Infact, he stated, Microsoft ‘had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally.’ Meanwhile, WikiLeaks released a post and identified ‘Assassin’ and ‘AfterMidnight’ as two CIA ‘remote control and subversion malware systems’ that target Windows. It said that both ‘were created to spy on targets, send collected data back to the CIA and perform tasks specified by the CIA’. Snowden tweeted to say that had NSA disclosed the vulnerability when they discovered it, ‘hospitals would have had years—not months—to prepare’.

Without doubt, digital insecurity is the new normal, considering that hackers have managed to intrude into the operating system sold by a company that has for long understood the nature of cyber threats. Writing in The New York Times, Nick Wingfield pointed out that the world’s largest software manufacturer by revenue had not provided regular software updates to Windows XP-based systems installed in 2001 that had not paid for updates. Neither Satya Nadella, Microsoft CEO, nor Brad Smith responded to questions from Open. Interestingly, a section of pundits—the likes of John Gapper—believe that Microsoft will use the opportunity to resist efforts to loosen security for official missions.

While government officials in West Bengal, which is widely considered the worst-hit state in India, didn’t respond to request for comments, a Maharashtra police officer conceded that several PCs in his department were hit by the virus. “This happened on Saturday itself. We have disconnected those PCs from the internet and we are still assessing the extent of damage,” he told Open, admitting that his team was using a non-upgraded version of the Windows operating system. He refused to divulge further details.

Government departments in India, especially the police, have sent advisories to their employees, listing the various dos and don’ts—such as not clicking on an unfamiliar link. They have also identified a list of domains and IP addresses that ought not to be clicked on. In private, some officers said they have asked their staff to employ the “two-factor authentication system” so that there is always an extra verification when one logs on to their email account—either via SMS or to another email account.

Meanwhile, the Reserve Bank of India had also directed banks to throw their ATMs open for use only after machines receive a Windows update. Most ATM machines run on Windows and a majority use the outdated Windows XP. Though Gulshan Rai, former director general of Indian Computer Emergency Response Team (CERT-In), who is currently the cyber security chief in the PMO, didn’t reply to questions about WannaCry ransomware strikes, two police officers in Andhra Pradesh who spoke to Open said that “some systems” in the state were affected by the malware. Meanwhile, though he acknowledged the receipt of an email from Open, Railway Minister Suresh Prabhu didn’t respond to queries whether PCs in other centres of the Indian Railways were hit or not.

Going by the data, India needs to worry more about cyber crimes. Last year, a survey by PricewaterhouseCoopers India and industry body Assocham stated that such crimes in India rose 350 per cent between 2011 and 2014, of which one-sixth reportedly took place on social media. According to the National Crime Records Bureau, the conviction rate for cyber crimes in the country is at an abysmal low of 0.7 per cent. Government officials close to the matter say that internecine rivalries between various agencies responsible for cyber security also hinder timely execution of plans. In fact, CERT-IN had issued a vulnerability note on its website as early as March with a severity rating of ‘high’, a day after Microsoft released its update. “However it took some hackers to wake us up from the slumber. We have to stay ahead of the race or lose out completely,” says a home ministry official. He adds, “There are a lot of security experts who say that this is a work of amateurs who made a raft of mistakes that reduced their efforts to rake in huge sums of money as profit. In that sense, had this been done by professionals, the damage could have been really bad.”

On May 15th, Neel Mehta, security researcher at Google, wrote what looked like a set of cryptic characters on his Twitter handle, ‘9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4’ with the hashtag WannaCryptAttribution.

Costin Raiu, a director at Kaspersky Lab, a Russian cyber security firm, responded to it with a comment, ‘rule lazaruswannacry { …’

Later, Kaspersky Lab researchers demystified what they meant—the cryptic message in fact refers to a similarity between two samples that have shared code. The two samples Mehta refers to in the post are:

A WannaCry cryptor sample from February 2017 which looks like a very early variant

A Lazarus APT group sample from February 2015

Lazarus Group is a group of super-hackers based in China working for North Korea. However, Kaspersky Lab hastens to add that it is probable that someone is trying to imitate Lazarus to lead investigators astray.

Yet, companies such as Symantec state that the similarities with massive cyber attacks on Sony Pictures, the central bank in Bangladesh and Polish banks are inescapable. North Korea is believed to hire teenagers with exceptional knowledge of math and logic and train them to launch cyber offensives on countries worldwide. Apocryphal stories claim that those youngsters are also encouraged to use their prowess on online gambling sites so that the millions they earn are routed to the country’s nuclear programme. Sony was targeted for cyber strike over its backing for the film The Interview, which satirises North Korean communist dictator Kim Jong-un. S Ramadorai, former National Skill Development Corporation (NSDC) chairman, had suggested earlier that the Government of India hire its pool of cyber security talent the way companies such as Facebook and Twitter do. These companies invite hackers to find vulnerabilities in their systems and are paid handsomely for doing so. When unemployed youngsters use such talent for nefarious purposes, we have the likes of ramsomware attacks and ‘honey pots’, which often put unsuspecting travellers in trouble—once you log on to certain public WiFi networks, hackers who can see the keystrokes, will get immediate access to your computer. Similarly, cyber spies also access internal networks of governments. A group of spies named Danti had created emails in the names of several high- ranking Indian government officials, according to a Kaspersky Lab’s report last year. The report added, ‘Kaspersky Lab’s Global Research and Analysis Team has spent months in observing a wave of cyber espionage attacks conducted by different groups across Asia-Pacific (APAC) and Far East regions, all of which share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability. This weakness in Microsoft Office software was patched at the end of 2015, but still appears to be of use to these threat actors. ’ CVE-2015-2545 is a ‘vulnerability’—or a feature that makes MS Office programme users easy prey for hackers—that came to light in August 2015 when the Platinum group launched attacks on targets in India. The group had also targeted Indian embassies in Denmark, Colombia and Hungary. Open had reported last year about various other challenges that the country faces on the cyber security front (See ‘Hack and Run’, September 2nd, 2016).

The officer at the Palakkad division of Indian Railways says he is anxious about future attacks. “Now that I have seen it unfurl right in front of my eyes, I am deeply worried.”

Worry makes great sense. Only, it must also spur action.

This article was first published in Open magazine

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s