14 May,2023 07:25 AM IST | Mumbai | Gautam S Mengle
Imaging/Uday Mohite
In December 2021, the Press Information Bureau of the Government of India issued a routine press release, announcing the appointment of Vice Admiral Biswajit Dasgupta as the Flag Officer Commanding-in-Chief of the Eastern Naval Command, Indian Navy. A whole year later, Indian cybersecurity researchers found that the same press release was being emailed to Indian government employees.
When an investigation was launched, it threw up worrying results. The investigators found that the press release, which looked like a PDF document, was embedded with a malware. A malware is an all-encompassing term to describe any software that is maliciously designed to cause disruption to a server, computer, or gain unauthorised access to a system or information. The target? Indian government employees. When unsuspecting staffers clicked to open the file, and later dismissed it as an old announcement resent erroneously, the malware installed itself into their devices, whether computer or phone.
The answer to who was behind this conspiracy sat in the technical details of the malware. Two glaring clues, say the researchers, were as obvious as robbers spray-painting their names on the walls of a bank after a heist.
ALSO READ
Six security personnel killed during protests by Imran Khan's party; shoot at sight orders for army in Pakistan
Imran supporters march to Islamabad
Pak protests: US calls on Pakistani authorities to respect human rights, fundamental freedoms
Policeman killed, 70 injured, many taken 'hostage' as PTI party's supporters clash with police in Pakistan
Belarus President Lukashenko arrives in Pakistan to strengthen ties
Every malware usually triggers a series of commands on the targeted electronic device. In this case, one of the commands was named, âRabia Please Mujhe Chhod Do', while another was âGurday Kapooray'.
Rabia Please Mujhe Chhod Do (Rabia, please let me go) is a reference to a 2016 viral video of a Pakistani man sweet-talking his lady love on the phone. He says this line while begging her to release her hold on him, since he is unable to concentrate on work. The man went on to be nicknamed Majboor Uncle (Helpless Uncle). He became so popular that Pakistani youth gathered in public squares to record themselves yell, "Rabia, please mujhe chhod do!" as a way to show their solidarity with him.
Gurday Kapooray, meanwhile, is a popular Pakistani street food made of goat testicles. Both clues made it clear that the malware was Pakistan's gift.
Pradeep Kurulkar, 59, a senior Defence Research and Development Organisation (DRDO) scientist was arrested in Mumbai on May 3 on charges of espionage and wrongful communication with a female Pakistan Intelligence Operative (PIO), in an alleged honey trap case. The needle of suspicion pointed to him after a senior officer of the Vigilance and Security Department of DRDO filed a complaint. An age-old tactic by intelligence and counter-intelligence agencies around the world, honey-trapping uses women tasked with getting close to high-value targets and milking them for secrets, either through false declarations of love, intimacy, or blackmail.
This has now spread to social media too. Hundreds of profiles identified as those of women with stunning portfolio pictures, are created with the intention of targetting government officials like Kurulkar. After the complaint, the Maharashtra ATS began tracking Kurulkar and learnt that he was in touch with the woman since 2022 through WhatsApp audio and video messages. In his case, all it took was for the woman to say, "This beautiful Indian girl from London is a great admirer of the work you're doing for India". Kurulkar, who his colleagues and friends call a family man, is married to a doctor and is a resident of Pune. He comes from a family of mathematicians, and personally holds a BE in Electrical Engineering. Known for his nationalist credentials, Kurulkar has been a long-time worker of the Rashtriya Swayamsevak Sangh (RSS).
The scientist, who has hit headlines since, is one example of the many high-value Indians on Pakistan's radar. While social media is a more obvious form of cyber-espionage and hence, more discussed, Pakistan's underhand cyber-war against India operates largely in the space of malwares.
Of particular concern is a hacker group dubbed APT36, also known as Transparent Tribe or Mythic Leopard, where âAPT' stands for Advanced Persistent Threat.
In the global cybersecurity community, this is a tag given to hacker groups that display sophisticated methods and significant backing in terms of resources. In the case of APT36, multiple cyber-experts, through independent research, have confirmed that it is backed by Pakistan and almost exclusively focuses on Indian government staffers, particularly defence employees.
The group, active since 2013, pulled off its first major feat in 2017 with CapraRAT, a malware capable of accessing and controlling the camera and microphone of hacked devices, which was circulated via email. The âRAT' in the name stands for Remote Access Trojan, meaning that the malware slips into the target device undetected, like the mythical Trojan Horse, and grants remote access to hackers.
Over the next five years, it was repeatedly sent out to Indian government employees using various lures, including government documents, pictures of attractive women and then COVID-19 related information during the pandemic. APT36 has only became better with time.
The December 2022 campaign is an example. Once researchers got over the blatant tongue-in-cheek references to Pakistani memes and street food, they discovered that the malware was capable of taking screenshots of the target's screen in real time and relaying it to its âC2' - the Command and Control server, which controls the malware. Next, the malware finds specific files as commanded by the C2 and extracts them.
In this case, the first thing that the malware did was search for Kavach, a software used by Indian government employees as an added security feature. Kavach enables them to use the multi-factor authentication, commonly known as the One Time Password (OTP), system, as an extra step of security while logging into their accounts.
Once the malware detected Kavach, it launched a process to bypass Kavach's security features before making further inroads into the device.
And if this weren't proof enough of the hackers' capabilities, the malware was being hosted in the Gallery section of the Indian Income Tax department's website.
"It is clear that this is a targeted attack towards the Indian government. We know that the malware is looking for a particular file - Kavach - which means that the attacker had insider knowledge about the intended target. Based on correlated data from the samples of the RAT used by the threat actors, we realise that this campaign has been ongoing undetected against Indian targets for the last one year. Based on indicators discovered by our team recently, we can conclude that the threat actors are still active and have no plans to stop operations," says Harshil Doshi, country director, India, Securonix, the cyber-intelligence agency that first flagged the campaign.
On the social media front, Meta, the parent company of Facebook, has been fighting a losing battle against Pakistan's consistent efforts to lure Indians. In the first quarter of 2023, Meta disabled 120 Facebook accounts from Pakistan, which were found targetting high-value Indians.
"This group used fictitious personas - posing as recruiters for both, legitimate and fake defense companies and governments, military personnel, journalists and women looking to make a romantic connection - in an attempt to build trust with the people they targeted," Meta has stated in its Quarterly Adversarial Threat Report.
The tech giant went on to share that this same group was also found distributing malware via ads for apps and recruitment offers on Facebook. Meta had taken similar action against hundreds of APT36-linked accounts in the second quarter of 2022.
"Honey-trapping is rampant but clearly not the only activity that Pakistan relies on. At any given time, a wide variety of attempts are being employed to embed malware into Indian computers and phones to steal data as well as control the camera and microphone, effectively turning it into the eyes and ears for the enemy. It is very hard to pull off, but certainly not outside the realm of possibility, depending on how careless the target is," a senior cyber law-enforcement official tells mid-day on condition of anonymity.
Meanwhile, cybersecurity investigators are worried that APT36 is only refining itself with each hacking campaign. In early 2022, it had created CrimsonRAT, a malware capable of recording keystrokes and stealing data, which was emailed to students and staff of educational institutions in India, embedded in an MS Word document made to look like a survey questionnaire by IIT-Hyderabad. In keeping with ATP36's tongue-in-cheek style, the malware's command and control server was named âsunnyleone'.
In the same year, APT36 also created a spoof of Kavach, the very software designed to secure official Indian government emails, and circulated it via email. The targets were fooled into believing that they were downloading a system update to their existing Kavach version.
APT36's earlier feats include a data-stealing malware disguised to look like an app for the Canteen and Stores Department of the Ministry of Defence, sent via phishing emails to Indian defence employees.
In an advisory issued last year, Cisco Talos, another cyber-intelligence firm that has been tracking APT36, cautioned: "This is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets. Organisations should remain vigilant against such threats, as they are likely to proliferate in the future.
In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention."