DRDO’s Zero Day

As the country's most sensitive defence information comes under a targeted cyber attack, Mehak Chawla examines the threats facing our critical information infrastructure and how technology can help regain control
It happened to the Border Security Force, IRCTC and the Andhra Pradesh government in 2012. And the start of this year has seen it happen to the mother of all sensitive organizations, the Defence Research and Development Organization (DRDO). Yes, we are talking about attacks in the cyber world, the most recent of which, on DRDO, is being touted as the biggest ever on the critical systems that hold the country's most sensitive information.

The information extracted in this attack has been traced to a server in Guangdong, China. Reports on the latest cyber security breach claimed that the attack came to light when the country's technical intelligence agency, the National Technical Research Organization (NTRO), working with private cyber security experts, cracked the case.

Among the DRDO establishments reported to have come under attack was the Hyderabad-based Defence Research and Development Laboratory (DRDL), which works on India's missile systems. DRDO had also been tasked in 2010 with developing an operating system (OS) for the country, and it is speculated that information relating to that project may also have leaked. Thousands of top secret CCS files, along with other documents on DRDL's surface-to-air missile and radar programmes, were traced to the Chinese server.

However, this is not the first time India's highly sensitive defence establishments have come under cyber attack suspected to be the handiwork of Chinese hackers. In November 2012, an international cyber security watchdog claimed that computers at DRDO labs and in the office of the Prime Minister's Adviser on Public Information Infrastructure and Innovations had been hacked and were the targets of “suspicious and unwanted” activity.

Though DRDO has remained tight-lipped and has not acknowledged a breach, Defence Minister A K Antony has sought a probe and ordered a status report on the cyber security situation in the agency.

Cyber Warfare
What has perturbed experts most about this attack is its nature: it is unparalleled in the volume of information stolen, and the magnitude of the breach has stunned many.

According to Pavan Duggal, cyber law expert and Supreme Court Advocate, this kind of hacking has taken place for the very first time in India and should certainly serve as a wake-up call. “This kind of attack has been unprecedented in the history of cyber crime and we can't term it a mere attack. It is a manifestation of cyber warfare. Never have the attackers been so brazen in their intent, and the nature of the attack certainly indicates that it was conducted with an intent to impact the integrity of our country,” he emphasizes.

The striking thing about this attack is that it originated from a country that has long been notorious on this front, and yet we were unable to foresee and prepare for an attack at such a level.

Sharda Tickoo, PMM, Trend Micro India, agrees with Duggal. “There is no doubt that this attack was premeditated and politically motivated. This can be classified as nothing short of cyber warfare.”

The timing of the attack has also come under the scanner. According to Asheesh Raina, Principal Research Analyst, Gartner India, one dimension of this attack is that China is believed to have come up with a new architecture for the internet and could be testing its findings. “This could also be a benchmark study for their system's strength. The analogy is hard to miss because other countries like the U.S. and North Korea also faced similar attacks in the same time frame.”

APT by Nature
The very nature of the attack on DRDO, according to Tickoo, suggests an Advanced Persistent Threat (APT). An APT is a full-blown campaign focused on finding a vulnerability in the target's systems and then exploiting it strategically. In DRDO's case, the e-mail accounts of certain senior officials were targeted. The vulnerabilities exploited are usually of two types: application-related or OS-related.

An APT attack usually unfolds over six stages. The first is intelligence gathering, where the attackers identify the target's weaknesses and ways to exploit them. The second is the point of entry, which determines where the initial compromise begins and how zero-day malware enters the network. “In about 90% of APT attacks, email is the point of entry,” reveals Tickoo.

The third step is establishing command-and-control (C&C) communication so that the attackers can direct the malware once it is inside the network. The fourth is lateral movement, in which the attackers spread from the initially compromised machine to other hosts, keeping the malware in contact with its controllers and harvesting credentials and information as they go.

Then comes asset discovery, which focuses on finding the relevant files within the infected network. The last step is data exfiltration: transmitting that data to another destination, in this case a server in Guangdong, China.
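Stages three and six of the chain above leave the clearest network footprint: malware calling its controller at a fixed interval, and a host pushing an unusually large volume of data to one external destination. The following script, an added example and not code from the article or from any vendor named in it, runs both checks over a handful of constructed proxy log lines (timestamp, source IP, destination host, method, bytes sent). Beaconing is flagged when the gaps between connections from one host to one destination are near-constant; exfiltration is flagged when the outbound volume of POST/PUT requests to one destination crosses a threshold. The hosts, IPs, thresholds and log format are all assumptions for the example.

```python
"""Flag C&C beaconing and bulk exfiltration in proxy logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines, not real traffic:
# "<epoch seconds> <src_ip> <dst_host> <method> <bytes_out>"
SAMPLE_LOG = """\
1357000000 10.1.1.5 updates.example.com GET 300
1357000060 10.1.1.5 cdn-status.example.net POST 512
1357000120 10.1.1.5 cdn-status.example.net POST 530
1357000180 10.1.1.5 cdn-status.example.net POST 498
1357000240 10.1.1.5 cdn-status.example.net POST 505
1357000300 10.1.1.5 cdn-status.example.net POST 520
1357000011 10.1.1.5 mail.example.org GET 1200
1357000900 10.1.1.5 mail.example.org GET 800
1357004000 10.1.1.5 mail.example.org GET 950
1357005000 10.1.1.7 files.example-drop.net PUT 40000000
1357005300 10.1.1.7 files.example-drop.net PUT 38000000
1357005600 10.1.1.7 files.example-drop.net PUT 41000000
1357002000 10.1.1.9 intranet.example.com GET 200
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, nbytes = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "method": method, "bytes_out": int(nbytes)})
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are near-constant.

    Jitter is the coefficient of variation of the gaps (stdev / mean);
    a human browsing a site produces irregular gaps, a timer does not.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()                      # log lines need not be in order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = {"interval_s": avg, "jitter": jitter,
                             "hits": len(stamps)}
    return beacons


def find_exfil(events, threshold_bytes=50_000_000):
    """Return (src, dst) pairs whose total POST/PUT volume exceeds a threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["src"], e["dst"])] += e["bytes_out"]
    return {pair: total for pair, total in totals.items()
            if total >= threshold_bytes}


def analyse(text=SAMPLE_LOG):
    """Run both detectors over one log and return their findings together."""
    events = parse_log(text)
    return {"beacons": find_beacons(events), "exfil": find_exfil(events)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        for (src, dst), detail in hits.items():
            print(f"{kind}: {src} -> {dst}: {detail}")
```

In the sample, 10.1.1.5 contacts cdn-status.example.net exactly every 60 seconds (zero jitter), while its connections to mail.example.org are too few and too irregular to qualify; 10.1.1.7 pushes about 119 MB to files.example-drop.net in three PUTs. Real deployments tune `min_hits`, `max_jitter` and the byte threshold to the environment and whitelist known software-update and backup destinations, which would otherwise dominate both lists.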

The defining characteristic of an APT is that it is strategic in nature and carried out with the specific intent of compromising sensitive information. Stuxnet and Flame are already widely recognized examples of carefully crafted attacks focused on specific goals in targeted organizations.

While cyber attacks previously relied on a mass-scale, opportunistic strategy, APT actors are well organized and take a low-and-slow approach to work their way into specific target organizations. The other characteristic of an APT is that the attackers need only trick a single employee into opening a piece of malware that exploits a zero-day vulnerability (or, frequently, a known vulnerability the target has not yet patched), enabling them to take control of that employee's PC, gain access to the corporate network, and execute a cycle of difficult-to-detect manoeuvres to attain their ultimate goals.

Surendra Singh, Regional Director – India & SAARC, Websense, says that this attack can also be labelled a spear-phishing e-mail attack. “Based on our own research into targeted attacks on high profile targets of this type, one of the most common attack methods used is a spear-phishing email attack. In spear-phishing attacks, we usually see two primary paths to compromise: viral binaries that target application vulnerabilities in document viewers such as Word, Excel or PDF exploits, or emailed lures that include a link to a website that hosts malicious content which looks to exploit vulnerabilities in Java, the browser or other plug-ins.”
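Both paths Singh describes can be screened for at the mail gateway before a user ever sees the message. The script below is an added example, not code from the article, Websense or any other vendor named here: it parses a constructed lure (a lookalike sender on a reserved example domain, an executable with a disguising double extension, a macro-enabled Office document, and a link whose visible text points at an internal site while its real target is a bare IP address) and reports each indicator. The risky-extension lists, the sample message and the regexes are assumptions for the example; a production filter would add sandbox detonation, which this script does not attempt.

```python
"""Triage a spear-phishing e-mail for attachment and link lures (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions that should never arrive unsolicited, and document types that
# attackers hide behind a second extension (report.pdf.exe).
RISKY_EXTS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta",
              ".docm", ".xlsm", ".pptm"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf"}

# Constructed sample message (not a real lure). The attachment bodies are
# a few base64 bytes resembling a PE header and a ZIP header, nothing more.
SAMPLE_EML = b"""\
From: "DRDL Admin" <admin@drdl-mail.example.net>
To: scientist@example.org
Subject: Revised programme schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Please review the attached schedule or open it at
<a href="http://203.0.113.45/schedule.php">https://intranet.example.org/schedule</a>.</p>
--b1
Content-Type: application/octet-stream; name="schedule.pdf.exe"
Content-Disposition: attachment; filename="schedule.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="agenda.docm"
Content-Disposition: attachment; filename="agenda.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def triage_attachments(msg):
    """Path one: binaries and macro documents delivered as attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTS:
            findings.append((name, f"executable or macro-enabled attachment ({ext})"))
        if len(pieces) > 2 and "." + pieces[-2] in DOC_EXTS:
            findings.append((name, "double extension disguises a document"))
    return findings


def triage_links(msg):
    """Path two: links whose target differs from what the reader is shown."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    for href, text in HREF_RE.findall(body.get_content()):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""
        if IPV4_RE.fullmatch(target):
            findings.append((href, "link target is a bare IP address"))
        if shown and shown != target:
            findings.append((href, f"visible text claims {shown} but target is {target}"))
    return findings


def triage(raw):
    """Parse a raw RFC 822 message and return findings for both lure paths."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"attachments": triage_attachments(msg), "links": triage_links(msg)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EML).items():
        for what, why in hits:
            print(f"{kind}: {what}: {why}")
```

The link check deliberately compares the hostname the reader sees with the hostname the browser will actually contact; a plain "does the domain look suspicious" test misses the common case where the lure displays a perfectly legitimate internal URL. Detonating the attachments in a sandbox and checking the sender domain against the real organization's are the obvious next layers.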

Counter mechanism
In the face of growing APTs, the need for holistic solutions that can track all six stages and initiate action is being echoed loud and clear. As Tickoo says, “For custom attacks, we need custom defense.”

The problem with most security mechanisms is that vulnerabilities are often exposed only after systems have been hacked. A solution that can perform custom detection and analysis of attacks at the network level, and also integrate advanced detection into existing endpoint and gateway defences, is being touted as the answer to APTs. One example is Trend Micro's Deep Discovery, which focuses on early detection and rapid response. HP, Symantec and RSA also offer products aimed at countering APTs.

One of the first things DRDO should do, according to Singh, is bring in outside experts to conduct a forensic investigation: identify the methods used in the compromise, and find and remove any malware remaining in its systems. The order matters: wiping infected hosts before their memory and disk images have been captured destroys the evidence needed to work out how the attackers got in and what they took.

Apart from the security solutions, Raina insists that a security framework around these technologies is of paramount importance. “Today it is impossible to gauge where the next attack is going to come from, so we need to be prepared. Though point protection for malware has already been implemented in most cases, we need to go beyond. When it comes to security, though the solutions we have with us might be sufficient, there is not sufficient governance around them.”

Most government organizations in India are aware of security threats and have therefore implemented measures such as Data Loss Prevention (DLP), application-level security, endpoint protection platforms and identity management. Enterprise Digital Rights Management (EDRM) is also gaining popularity. What we need now is not only multiple layers of security but also a strong policy framework around this technology.

The other counter mechanism, argues Duggal, has to come from more clearly defined controls around cyber governance.

Policy perspective
There is hardly any debate that we need to reinvent our cyber laws, dramatically. The last amendment to the cyber laws was in 2008, and we certainly lack a coherent policy on cyber warfare. “We don't have an institutionalized mechanism to protect India's interests in cyber space,” stresses Duggal.

Duggal suggests that we need to go beyond modifying our cyber policies. “We need to further designate our critical information infrastructure and declare it a protected system, the breach of which entails 10 years' imprisonment under Section 70 of the IT Act.”

Duggal also feels that we need to create a culture of cyber security that includes not only government organizations but also the private sector.

However, above all the technology and policies, what we need is awareness of cyber security in an era of sophisticated threats and friendly neighbours.
