Even with increasing questions today surrounding the authenticity of a purported Indian military document leaked by a group of self-professed Indian hackers who claim to be part of the Anonymous hacktivist movement in the wake of an investigation into whether India pilfered emails from the U.S.-China Economic and Security Review Commission, the events have spurred discussion about cyberespionage by nations other than China, which has been synonymous with the advanced persistent threat (APT).
As with any intelligence campaign, the subterfuge makes it difficult to pinpoint with certainty who did what, why -- and even whether the hackers are who they say they are. In the latest development, Infosec Island today reports that the hacktivists, who call themselves the Lords of Dharmaraja, showed the news site evidence that Indian government cyberspies gained access to U.S. government agency networks, including a sample of some 68 username/passwords from federal agencies. The hackers say they nabbed those by infiltrating servers at the India Ministry of External Affairs and the National Informatics Centre.
That same hacker group also has claimed responsibility for grabbing Symantec Norton antivirus source code, though Symantec said the code was old and not stolen directly from its servers. In addition, the group claims to have hacked other businesses and that its main motivation is to disrupt the Indian government and push for a more “pro-American” climate, according to the Infosec Island report.
As experts debate whether the memo leaked by the Lords of Dharmaraja is legitimate and truly implicates the Indian government in cyberespionage, cyberespionage experts say the bottom line is that China isn’t the only player in that game.
Art Coviello, executive chairman of RSA Security, says assuming targeted, cyberespionage-type attacks are solely out of one nation is naive. “It’s very dangerous to point a finger at a particular country. You can draw inferences from ... circumstantial evidence,” Coviello says. “To think it’s just China or Russia or the U.S. or India is naive.”
Experts like Coviello say it’s likely that nations conduct some level of spying. “The question becomes, is it traditional spying in the time-honored sense that they’ve been doing? Or is it more economic or is it potentially a military preparedness use of a cyberattack? All of these things need to be studied and evaluated,” he says.
Much of the so-called APT-type attacks have had ties to China, of course, including the Aurora campaign that hit Google, Adobe, Intel, and other major corporations. But that doesn’t mean other nations shouldn’t be on the lookout list, experts say.
“This is exactly what I've been warning about for several years: too much focus on China while missing everyone else, including Allies,” says Jeffrey Carr, CEO of Taia Global. Carr believes India could be waging traditional spying as well as grabbing intel for a competitive edge, as China does.
Carr says it's likely the military memo claiming mobile phone surveillance is a fake: "The Lords of Dharmaraja are mixing authentic stolen data with invented scenarios in order to get more publicity for themselves," he wrote in a new blog post.
Several elements of the Indian hacktivist claims don’t add up neatly, experts say. The U.S.-China Commission, for instance, appears to be an odd target for Indian intelligence unless the actors are after information on what the U.S. knows about China. Sources told Reuters today the Indian military memo could be a fake due to some inconsistencies. But so far, no one knows for sure.
Richard Stiennon, chief research analyst at IT-Harvest and a cyberespionage expert, says he’s not surprised that India would be interested in Chinese intelligence. “China and Pakistan are India’s biggest geopolitical interests,” he says. “We’ve seen more interest in cybersecurity in India” of late, he says, especially after the recent discovery of breached Indian military servers that were being used as part of a botnet.
If the Indian military memo is legit and not a forgery, Stiennon says, then it represents the first real piece of public evidence of cyberespionage. “This would be the first time we’ve gotten a look at proof of espionage between India and the U.S.,” he says. Even the highest profile APT-type attacks like Aurora weren’t fully disclosed with documentation that pointed to Chinese cyberespionage, he says.
And as is common with these types of attacks -- where the perpetrators hide behind layers of IP addresses and other walls -- there’s still no confirmation that the Indian hacker group is who it says it is. “When we see an attack from an IP address from China, it could be a stopping-over point for another hacker or country,” Stiennon says. “We don’t know about this group in India: Are they actually another nation-state? Is it Pakistan trying to strain the relationship between the U.S. and India?”