Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:41 PM
Connect Directly

China Not The U.S.'s Only Cyber-Adversary

Reports of cyberespionage out of India are a wake-up call for U.S. businesses, government agencies

China long has been the focus of U.S. authorities and security researchers as a major source of cyberespionage against the U.S., but potential new evidence of targeted attacks by India against the U.S. demonstrates just how widespread cyberspying might be.

Even with increasing questions today surrounding the authenticity of a purported Indian military document leaked by a group of self-professed Indian hackers who claim to be part of the Anonymous hacktivist movement in the wake of an investigation into whether India pilfered emails from the U.S.-China Economic and Security Review Commission, the events have spurred discussion about cyberespionage by nations other than China, which has been synonymous with the advanced persistent threat (APT).

As with any intelligence campaign, the subterfuge makes it difficult to pinpoint with certainty who did what, why -- and even whether the hackers are who they say they are. In the latest development, Infosec Island today reports that the hacktivists, who call themselves the Lords of Dharmaraja, showed the news site evidence that Indian government cyberspies gained access to U.S. government agency networks, including a sample of some 68 username/passwords from federal agencies. The hackers say they nabbed those by infiltrating servers at the India Ministry of External Affairs and the National Informatics Centre.

That same hacker group also has claimed responsibility for grabbing Symantec Norton antivirus source code, though Symantec said the code was old and not stolen directly from its servers. In addition, the group claims to have hacked other businesses and that its main motivation is to disrupt the Indian government and push for a more “pro-American” climate, according to the Infosec Island report.

As experts debate whether the memo leaked by the Lords of Dharmaraja is legitimate and truly implicates the Indian government in cyberespionage, cyberespionage experts say the bottom line is that China isn’t the only player in that game.

Art Coviello, executive chairman of RSA Security, says assuming targeted, cyberespionage-type attacks are solely out of one nation is naive. “It’s very dangerous to point a finger at a particular country. You can draw inferences from ... circumstantial evidence,” Coviello says. “To think it’s just China or Russia or the U.S. or India is naive.”

Experts like Coviello say it’s likely that nations conduct some level of spying. “The question becomes, is it traditional spying in the time-honored sense that they’ve been doing? Or is it more economic or is it potentially a military preparedness use of a cyberattack? All of these things need to be studied and evaluated,” he says.

Much of the so-called APT-type attacks have had ties to China, of course, including the Aurora campaign that hit Google, Adobe, Intel, and other major corporations. But that doesn’t mean other nations shouldn’t be on the lookout list, experts say.

“This is exactly what I've been warning about for several years: too much focus on China while missing everyone else, including Allies,” says Jeffrey Carr, CEO of Taia Global. Carr believes that if India icould be waging traditional spying as well as grabbing intell for a competitive edge like China does.

Carr says it's likely the military memo claiming mobile phone surveillance is a fake:"The Lords of Dharmaraja are mixing authentic stolen data with invented scenarios in order to get more publicity for themselves," he wrote in a new blog post.

[ It's not about prosecuting the nameless, faceless attackers behind relentless targeted attacks -- it's about minimizing the damage they incur. See To Catch An APT. ]

Several elements of the Indian hacktivist claims don’t add up neatly, expert say. The U.S. China Commission, for instance, appears to be an odd target for Indian intelligence unless the actors are after information on what the U.S. knows about China. Sources told Reuters today the Indian military memo could be a fake due to some inconsistencies. But so far, no one knows for sure.

Richard Stiennon, chief research analyst at IT-Harvest and a cyberespionage expert, says he’s not surprised that India would be interested in Chinese intelligence. “China and Pakistan are India’s biggest geopolitical interests,” he says. “We’ve seen more interest in cybersecurity in India” of late, he says, especially after the recent discovery of breached Indian military servers that were being used as part of a botnet.

If the Indian military memo is legit and not a forgery, Stiennon says, then it represents the first real piece of public evidence of cyberespionage. “This would be the first time we’ve gotten a look at proof of espionage between India and the U.S.,” he says. Even the highest profile APT-type attacks like Aurora weren’t fully disclosed with documentation that pointed to Chinese cyberespionage, he says.

And as is common with these types of attacks -- where the perpetrators hide behind layers of IP addresses and other walls -- there’s still no confirmation that the Indian hacker group is who it says it is. “When we see an attack from an IP address from China, it could be a stopping-over point for another hacker or country,” Stiennon says. “We don’t know about this group in India: Are they actually another nation-state? Is it Pakistan trying to strain the relationship between the U.S. and India?”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/11/2012 | 11:10:15 PM
re: China Not The U.S.'s Only Cyber-Adversary
I'm sure all of the major power engage in cyber espionage. It's just a new example of-spycraft.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).