Indian Strategic Departments Are Targeted By Cyber Espionage

Cyber attacks and cyber espionage are not new to India. In the past, computers located at crucial departments and ministries of India have been successfully targeted and compromised.

Even the computers at the prime minister’s office (PMO) have been compromised for months without anyone noticing. Similarly, computers at the ministry of external affairs (MEA), the home ministry, defence establishments, etc. have been targeted and compromised in the past. Even the website of the central bureau of investigation (CBI) was defaced and compromised.

Now it has been reported that some of the top officials in the PMO, including principal secretary to the PM TKA Nair and national security advisor Shiv Shankar Menon, received warning calls from India’s technical intelligence agency, the National Technical Research Organisation (NTRO).

NTRO required all computer systems to be shut down and unplugged until its officials arrived at the PMO. Similarly, other key ministries were asked to shut down their computer systems.

This was one of the most strategically targeted cyber attacks on India’s key ministries: officials from the ministries of home affairs, defence and external affairs and from the armed forces began to receive similar calls asking them to shut down their computer systems.

On July 12, 2011, NTRO officials noticed bulk emails from a single address, with an attached Word document titled “cms,ntro:dailyelec.mediareport (2011)”, being sent to the inboxes of key officials across India’s vast security architecture.

Other officials who received the email were joint secretaries and directors in the PMO, the special secretary (internal security) UK Bansal in the ministry of home affairs, seven key joint secretaries in the ministry of external affairs dealing with the US and Pakistan, and a host of other officials in the BSF and CISF.
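As an added, defender-side example (not from the original article), the pattern NTRO noticed on July 12 can be flagged at a mail gateway: one sender delivering the same attachment to many distinct strategic mailboxes within a short window. The log format, the addresses and the “.doc” extension below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway log (hypothetical format, not real traffic):
# <ISO timestamp> from=<sender> to=<recipient> attach="<filename>"
SAMPLE_LOG = """\
2011-07-12T09:01:10 from=media.desk@mail.example.invalid to=js.int@pmo.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T09:01:12 from=media.desk@mail.example.invalid to=ssec.is@mha.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T09:01:15 from=media.desk@mail.example.invalid to=js.us@mea.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T09:01:20 from=media.desk@mail.example.invalid to=js.pak@mea.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T09:01:33 from=media.desk@mail.example.invalid to=dir.ops@bsf.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T09:02:01 from=media.desk@mail.example.invalid to=dir.ops@cisf.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
2011-07-12T10:15:00 from=hr@mha.example.invalid to=js.int@pmo.example.invalid attach="leave_circular.pdf"
2011-07-12T10:16:00 from=hr@mha.example.invalid to=ssec.is@mha.example.invalid attach="leave_circular.pdf"
2011-07-13T09:00:00 from=media.desk@mail.example.invalid to=js.int@pmo.example.invalid attach="cms,ntro:dailyelec.mediareport (2011).doc"
"""

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) attach="([^"]*)"$')

def parse_log(text):
    """Return (timestamp, sender, recipient, attachment) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt, attach = m.groups()
        events.append((datetime.fromisoformat(ts), sender, rcpt, attach))
    return events

def find_bulk_attachment_senders(events, min_recipients=5, window=timedelta(hours=1)):
    """Flag (sender, attachment) pairs delivered to >= min_recipients distinct
    mailboxes inside a sliding time window: the shape of a mass spear-phish."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, attach in events:
        by_key[(sender, attach)].append((ts, rcpt))
    alerts = []
    for (sender, attach), hits in by_key.items():
        hits.sort()  # chronological, so each start opens a forward window
        for i, (start, _) in enumerate(hits):
            seen = {r for t, r in hits[i:] if t - start <= window}
            if len(seen) >= min_recipients:
                alerts.append((sender, attach, len(seen)))
                break
    return alerts

if __name__ == "__main__":
    for sender, attach, n in find_bulk_attachment_senders(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {sender} sent '{attach}' to {n} distinct recipients within 1h")
```

The routine circular from the HR mailbox stays below the threshold, while the media-report attachment fans out to six mailboxes in under a minute and is flagged.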

For several hours, the computer systems remained infected and compromised as NTRO officials struggled to make them malware-free. Luckily for them, a lot of groundwork had already been done to prepare for such an eventuality. In April and May this year, the agency had observed a mass attack on India’s key security-related ministries, and had contacted several key officials whose systems had been compromised for months.

Two of them were joint secretaries in the PMO and in the national council secretariat, which collates all the intelligence generated by agencies such as RAW, IB and NTRO. The third target to be detected was a rear admiral posted in the “Perspective Plans” directorate of the Integrated Defence Headquarters, a joint armed forces setup.

NTRO officials were horrified that these official systems had been targeted and infected with malware. These were well-planned attacks meant to launch selected commands on the system, which would be saved on a virtual drive created secretly by the malware.

As the officials began to analyse the compromised systems, they approached the service provider MTNL for access to its key communication nodes. There, NTRO’s sensors picked up a further 500 email addresses that had already been compromised by similarly coded malware. The report concluded that this was “a deliberate attempt to gain access to email addresses of key officials” through which major systems could be breached and compromised.

By July 20, Dr Nirmaljeet Singh Kalsi, a joint secretary in the ministry of home affairs, had sent out a detailed note spelling out the nature of the attack so as to prevent a future breach. It noted that “reports of cyber espionage attack” on various government installations had been received, and advised key ministries to lay down a strict security protocol. The attack had been initiated from trusted email addresses that had actually been compromised as early as 2007.

Racing against time, NTRO officials analysed and reverse-engineered the malware in a bid to determine the origin and nature of the attack. By July 8, a detailed three-page report had been issued to all the key ministries, warning them to remain alert to a much more targeted attack. This effort minimised the damage of the July 12 attack, and the breach was sealed in a matter of hours.