30 December 2019

Information Warfare: South Asian Cyber War


December 27, 2019: Internet security firms have noted an increase in Cyber War campaigns waged by Indian and Pakistani APT (Advanced Persistent Threat) operations. APTs are well organized and very active hacker groups that are often created and sustained by governments or major criminal gangs. In this case six Indian APTs (Lucky Elephant, Donot Team, Patchwork Group, Sidewinder Group and two unnamed) and three Pakistani APTs (Transparent Tribe and two unnamed) have been carrying out large scale and persistent Internet based attacks. All APTs are given a number, as in APT23, and often a name as well. Many APTs stick with criminal activities over a long period, concentrating on stealing money, or information they can sell. The current online conflict between India and Pakistan is unique and deemed a Cyber War for several reasons. First, it has involved numerous attacks on military and government networks to steal information or plant malware that can later be activated to crash the network temporarily. Many other attacks are against media to sway public opinion over issues like Pakistani efforts (since the late 1940s) to annex Indian Kashmir, or to accuse the other side of promoting terror and disorder.

Since the 1980s Pakistan has been waging an unacknowledged Islamic terrorist campaign in Kashmir and accusing India of planning to invade and conquer Pakistan. This effort is the work of the Pakistani military and its ISI intelligence agency. A similar effort has been waged against Afghanistan. The most visible aspect of the Afghan effort is the Taliban, which was created in the mid-1990s by ISI to end the Afghan civil war with the Taliban in control of Afghanistan. Rule by a religious dictatorship backed by Pakistan was not popular with most Afghans. That led to the overthrow of Taliban rule in 2001 and persistent Pakistan-backed violence in Afghanistan ever since.


There were some ugly side effects. Pakistan could not control all the Islamic terror groups it hosted and many of these began seeking to establish a religious dictatorship in Pakistan. That led to the Pakistani army declaring war on these rogue Islamic terrorists in 2014 and for several years there was less violence in Kashmir. After three years of effort the anti-government Islamic terror groups in Pakistan were suppressed, but not completely eliminated, and Pakistan once more turned its attention to Kashmir. Pakistan blamed India for all the Islamic terrorism in Pakistan and claimed this justified sponsoring Islamic terrorism in Indian Kashmir.

At this point the rest of the world had caught on and Pakistan was being openly accused of all this mischief and condemned as a sponsor of international terrorism. India was also losing patience with this Pakistani aggression and threatening conventional war if Pakistan did not stop. Since both countries have nuclear weapons, things could get out of hand. Inside Pakistan the situation was already out of control. For example, about half the time since Pakistan was created in 1947, its democracy was usurped by military rule “to restore order.” Eventually public pressure restored democracy and these elected governments tended to agree with India that the problem here was the Pakistani military, which was becoming more and more powerful by acquiring control of large segments of the economy and sponsoring Islamic parties which openly supported religious war against India to “defend Islam.” Pakistan has fought several conventional wars with India since 1948 and lost them all. This was the main reason for resorting to Islamic terrorism. At this point the Pakistani military controls many Pakistani politicians via corruption or coercion, and now exercises a great deal of control over the elected government. Most Pakistanis oppose this and the military and ISI are now using Cyber War to suppress or discredit critics in Pakistan and do the same in India. Pakistani media manipulation efforts inside India seek to win over Indian Moslems, who, at 14 percent of the population, are more numerous than the entire population of Pakistan. Few Indian Moslems are won over by the Pakistani Information War campaign but the ISI keeps trying.

This shift in Pakistani tactics is a reflection of a trend in computer hacking, which has gone pro since the late 1990s. One side effect was the creation of many tools and techniques that hackers use to carry out these Cyber War attacks. What this all means is that nations see Cyber War weapons as major components of their military power because the Cyber War weapons available keep getting more effective. This evolution came into focus after the Internet and the World Wide Web became widely used and truly international after 2005. Within a decade researchers began to encounter major APTs like TajMahal and the White Company. These major malware producers and users came to be called APTs and that said it all. The White Company was discovered in 2017 by computer security companies as this new APT quietly tried to hack its way into Pakistani Air Force networks. White Company was deliberate, effective and discreet. It was called the “white” company because the group placed a premium on concealing its operations as well as its origins. This sort of thing was first noted in 2010 when Stuxnet was discovered and attributed to an Israeli-American state-level effort that produced a very elaborate, professional and stealthy bit of malware that did major damage to the Iranian nuclear program. In 2018 Iran was hit with a similar attack, but this Stuxnet-like malware was even more elaborate; its source is still unknown and the Iranians would rather not talk about it.

By 2017 it was clear that North Korean APTs were becoming a major threat. The North Koreans do it mainly for the money because North Korea is broke and run by a ruthless but economically inept dictator. The North Korean Cyber War threat has been one of the many revelations in the last decade. Long believed to be nonexistent, North Korean cyberwarriors did exist. North Korea has had personnel working on Internet issues since the early 1990s, and their Mirim College program quietly trained a growing number of Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare and this unit is increasingly active. North Korea is now considered a major player and it not only maintains some major APTs but often hires foreign ones, usually Chinese.

China is a major user of APTs for economic, industrial and military espionage. This was a direct threat to India and an inspiration for Pakistan. Both these South Asian nations were slow to get into large scale and APT grade hacking but now they are both at it, mainly against each other. Both nations have a lot of local talent (software engineers and proficient amateurs) and for a long time the attacks were unorganized and mostly directed at low level activities like defacing websites and engaging in opinion manipulation on a larger and larger scale. Meanwhile India was subject to more professional attacks by Chinese and North Korean APTs that led to the Indians mobilizing their own APTs, mainly to deal with Pakistan and, to a lesser extent, China. India sees China as the major threat and Pakistan as more a nuisance, but one with nuclear weapons.

India and Pakistan also noted that what most of these APT level efforts had in common was the exploitation of human error. A case in point is the continued success of attacks via the Internet against specific civilian, military, and government individuals using psychology, rather than just technology. This sort of thing is often carried out in the form of official looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spear phishing" (or simply "phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear phisher's computer. For the last few years an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached, asking for prompt attention. This is what the White Company used on a large, and detailed, scale against the Pakistani Air Force. Since India and Pakistan share a similar culture and languages it is easier for both nations to create compelling spear phishing attacks using convincing cover letters.
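The lure described above rests on a few recurring signals: a sender the recipient recognizes, an address that is not really that person's, an attachment (often a PDF), and a request for prompt attention. The following added example, which is not code from the article or from any of the research firms it mentions, shows how a mail gateway or triage script can score an inbound message on those signals using only the Python standard library. The organisation domains, the directory of known senders, the weights, the threshold and both sample messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail for spear-phishing indicators.

Added example; not code from the article. Scores a raw RFC 5322 message on
the signals the lure relies on: a recognisable sender name on an address
that is not that person's, a Reply-To pointing elsewhere, an unexpected
attachment, and an urgency cue in the subject.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: the organisation's own mail domains and a directory of
# senders the recipient would recognise (display name -> real address).
INTERNAL_DOMAINS = {"hq.example.mil", "example.mil"}
KNOWN_SENDERS = {"wing commander khan": "khan@hq.example.mil"}

# PDF is the attachment type named in the article; the others are
# assumed additions typical of attachment-borne malware.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docm", ".xlsm", ".exe", ".scr", ".js", ".zip")
URGENCY = re.compile(r"\b(urgent|immediate|prompt attention|action required|asap)\b", re.I)

# Assumed weights and threshold; tune against local mail volume.
WEIGHTS = {"external": 1, "spoofed_display_name": 3, "reply_to_mismatch": 2,
           "risky_attachment": 2, "urgent_subject": 1}
THRESHOLD = 5


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def attachment_names(msg) -> list:
    """Filenames of all attached parts (empty for a plain-text message)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Score one raw message; returns the indicators hit, a score and a verdict."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    hits = []

    if from_domain not in INTERNAL_DOMAINS:
        hits.append("external")
    # A known name on an address that is not the one in the directory.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and expected != from_addr.lower():
        hits.append("spoofed_display_name")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        hits.append("reply_to_mismatch")
    if any(n.lower().endswith(RISKY_EXTENSIONS) for n in attachment_names(msg)):
        hits.append("risky_attachment")
    if URGENCY.search(msg.get("Subject", "")):
        hits.append("urgent_subject")

    score = sum(WEIGHTS[h] for h in hits)
    return {"indicators": hits, "score": score, "suspicious": score >= THRESHOLD}


def build_sample(from_hdr, subject, body, attachment=None, reply_to=None) -> str:
    """Construct a raw message for testing (not a captured real email)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "duty.officer@hq.example.mil"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed placeholder\n",
                         maintype="application", subtype="pdf", filename=attachment)
    return m.as_string()


# Constructed lure: recognisable name, look-alike domain, PDF, urgency cue.
LURE = build_sample('"Wing Commander Khan" <khan@hq-example-mail.net>',
                    "Urgent: revised duty roster, prompt attention required",
                    "Please review the attached roster before 0800.",
                    attachment="roster.pdf",
                    reply_to="ops-desk@relay-example.org")

# Constructed benign internal message from the same person.
BENIGN = build_sample('"Wing Commander Khan" <khan@hq.example.mil>',
                      "Lunch on Thursday", "Mess hall at 1230?")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The display-name check is the one that maps most directly to "from someone they recognize": the name is familiar, the address behind it is not, and no amount of convincing cover letter changes that header. In practice the directory would come from the organisation's address book and the verdict would feed a quarantine or a warning banner rather than a print statement.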

China has been a major user of spear phishing and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear phishing payloads. This has led to China becoming the home of nearly half the APTs known to exist. The methods and source of many spear phishing attacks have been traced back to China. In 2010, Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this stuff was created by Chinese speaking programmers and all movement of command and stolen data led back to servers in China.

China's Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human-readable text that programmers create and then turn into smaller binary code for computers to use), and techniques for using it, in hacking software used against Tibetan independence groups and commercial software sold by some firms in China and known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this. The White Company is a good example of that.
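The attribution described above works by finding the same fragments in samples recovered from different campaigns. The following added example, which is not code from the article or from any of the firms it cites, shows the basic mechanics: extract printable strings and fixed-length byte n-grams from each sample, measure how much two samples share (Jaccard overlap), report the strings they have in common, and group samples whose overlap crosses a threshold. All three "samples", their strings and the filler bytes between them are constructed for illustration; the threshold and n-gram length are assumptions.

```python
"""Grouping samples by shared code artefacts.

Added example; not code from the article. Two constructed samples share a
routine and a format string, a third is unrelated. The block measures
string and byte-n-gram overlap and clusters by that overlap.
"""
import re
from itertools import combinations

MIN_STR = 6   # minimum printable run counted as a string
NGRAM = 8     # byte n-gram length (assumed)


def _filler(stride: int, n: int) -> bytes:
    """Deterministic non-printable-looking filler standing in for unrelated code."""
    return bytes((i * stride) % 256 for i in range(n))


# Constructed artefacts: a short routine prologue plus a mutex name, and a
# C2 request format string. Neither is taken from any real sample.
SHARED_ROUTINE = bytes.fromhex("558bec83ec10c745fc00000000") + b"Global\\SvcHelperMtx\x00"
SHARED_URL = b"/update/check.php?id=%s\x00"

SAMPLES = {
    "sample_a": SHARED_ROUTINE + _filler(37, 64) + SHARED_URL + b"BuildTag-Alpha\x00",
    "sample_b": _filler(53, 80) + SHARED_ROUTINE + SHARED_URL + b"BuildTag-Beta\x00" + _filler(91, 40),
    "sample_c": _filler(71, 120) + b"UnrelatedToolBanner\x00" + _filler(29, 60),
}


def strings(blob: bytes, min_len: int = MIN_STR) -> set:
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def ngrams(blob: bytes, n: int = NGRAM) -> set:
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def similarity(x: bytes, y: bytes) -> dict:
    """Overlap of two samples on strings and on raw byte n-grams."""
    sx, sy = strings(x), strings(y)
    s = jaccard(sx, sy)
    g = jaccard(ngrams(x), ngrams(y))
    return {"strings": s, "ngrams": g, "combined": 0.5 * s + 0.5 * g,
            "shared_strings": sorted(sx & sy)}


def cluster(samples: dict, threshold: float = 0.25) -> list:
    """Union-find over pairs whose combined overlap reaches the threshold."""
    names = sorted(samples)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for x, y in combinations(names, 2):
        if similarity(samples[x], samples[y])["combined"] >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for x, y in combinations(sorted(SAMPLES), 2):
        r = similarity(SAMPLES[x], SAMPLES[y])
        print(f"{x} vs {y}: strings={r['strings']:.2f} ngrams={r['ngrams']:.2f} "
              f"shared={r['shared_strings']}")
    print("clusters:", cluster(SAMPLES))
```

The strings metric is what an analyst reads first (a mutex name or request path reused across campaigns is hard to explain away), while the n-gram metric catches shared compiled routines that carry no readable text. Both are deliberately crude; a real pipeline would also normalise addresses and strip compiler boilerplate so that common runtime code does not make every sample look related.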

It's also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect (when they are breaking in) and much more difficult to track down. Thus the East Europeans go after more difficult (and lucrative) targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam Chinese. This is forbidden by the government and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly.

For Chinese hackers that behave (don't do cybercrimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen recently when a group of hackers were caught trying to get into a high-security network in the White House, the one dealing with emergency communications with the military and nuclear forces. Such amateurs are often caught and prosecuted. But the pros tend to leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.

India, which has always been a democracy since independence in 1948, cannot be as ruthless as dictatorships like China, Iran and North Korea. The Pakistani military tried to exercise the same ruthless power as a dictatorship but has been unable to obtain that kind of control over Pakistan. With APTs it is attempting to gain such power, but to do so it has to overcome the opposition of most Pakistanis, and of India. Cyber War may be the decisive weapon, or the gambit that breaks the military stranglehold on Pakistani government and popular opinion.
