An Indian government agency was one of the 72 targets of Operation Shady RAT (Remote Access Tool) whose activities security firm McAfee logged for five years. The Indian agency intrusion began in September 2010 and lasted for two full months, according to McAfee’s 14-page report which was made public today to coincide with the annual Black Hat conference being held in Las Vegas.
“For those who believe these compromises occur only in the United States, Canada and Europe, allow me to change that perception with the following statistics on 14 geographic locations of the targets,” states Dmitri Alperovitch, vice-president (threat research) at McAfee, which tracked intrusions into over 70 global companies, governments and non-profit organisations “with the goal of raising the level of public awareness” of “...a five-year targeted operation by one specific actor — Operation Shady RAT, as I have named it at McAfee”.
In 2006, the year that the logs begin, McAfee saw only eight intrusions. In 2007, the pace of activity jumped by a whopping 260 per cent to a total of 29 victim organisations. That year, McAfee began to see new compromises of four US defence contractors, Vietnam’s government-owned technology company, a US federal government agency, several US state and county governments, and one computer network security company. The compromises of the Olympic Committees of two nations in Asia and one Western country began that year as well. In 2008, the count went up further to 36 victims, including the United Nations and the World Anti-Doping Agency, and to 38 in 2009.
BUG STOPS HERE
* In September 2010, Symantec observed 100,000 infected hosts and over 40,000 unique external IP addresses in India
* India was the third most-infected country for Stuxnet, with 10 per cent of infections
* The second largest share of malicious code comes from India
* According to the Symantec Critical Infrastructure Protection Survey 2010, over half of India’s critical infrastructure providers were victims of cyber attacks
* Over 35,697 active bot computers in India; an average of 435 bots per day in 2010
Source: Symantec
The number of intrusions fell to 17 in 2010 and nine in 2011, likely due to the widespread availability of countermeasures for the specific intrusion indicators used by this specific actor, notes the report. These measures caused the perpetrator to adapt and increasingly employ a new set of implant families and command & control infrastructure, causing the activity to disappear from the logs McAfee analysed.
The shortest time that an organisation remained compromised was less than a month; nine share that honour — the International Olympic Committee, Vietnam’s government-owned technology company, the trade organisation of a nation in Asia, one Canadian government agency, one US defence contractor, one US general government contractor, one US state and one county government, and a US accounting firm. The longest compromise was recorded at the Olympic Committee of a nation in Asia — it lasted, on and off, for 28 months.
TOP 5 EXPLOITS: Representing different periods of cybercrime eras
* MyDoom’s mass infection: Estimated damage $38 billion - 2004
* ‘I LOVE YOU’ worm’s false affection: Estimated damage $15 billion - 2000
* Conficker’s stealthy destruction: Estimated damage $9.1 billion - 2007
* Stuxnet worm — targeted and dangerous: Damage unknown - 2010
* Zeus Botnet — versatile information stealer: Damage unknown - since 2007
Source: McAfee
India is high on the cybercriminal’s radar, ranking second for malicious code globally in 2010, according to Symantec’s latest Internet Security Threat Report. The Symantec Critical Infrastructure Protection Survey 2010, too, had revealed that over half of India’s critical infrastructure providers were victims of cyber attacks.
Back home, hackers claiming to be from the Anonymous group (a claim that ‘Anonymous’ supporters later denied) defaced the National Informatics Centre website this June and posted the group’s logo and a message addressed to the Indian Prime Minister, protesting against the recent police crackdown on supporters of yoga guru Ramdev. The Indian Army website, too, was defaced but quickly restored after outrage by Indians on Facebook and Twitter against the attacks. In April, hackers reportedly compromised two servers set up by Congress general-secretary Rahul Gandhi and redirected users to an engineering college website. The Delhi Police is investigating the case. Way back in 1998, a group called Milworm hacked into the Bhabha Atomic Research Centre website and posted an anti-nuclear message.
According to Shantanu Ghosh, vice-president and MD, Symantec (India), “In the past, politically motivated attacks primarily fell in the realm of cyber espionage or denial-of-service type attacks against web services. With the Pandora’s box now opened due to Stuxnet, we expect to see these threats move beyond spy games and annoyances as malware is weaponised to cause real-world damage and more indications of the pursuit to control the digital arms race come to light.” Stuxnet-like malware could lead to system shutdowns, explosions or the inability to control important Industrial Control System parameters such as pressure and temperature, according to Ghosh.
Individual consumers are not spared either. In 2010, McAfee detected an average of 60,000 new pieces of malware each day. The countries most targeted were China (17.09 per cent of all attacks), Russia (11.36 per cent), India (9.30 per cent), the US (5.96 per cent) and Vietnam (5.44 per cent). Moreover, as social networking sites such as Facebook and Twitter started to take off, cybercrooks realised they could get their hands on a wealth of personal information if they played the game right.
Recently, researchers from the Indraprastha Institute of Information Technology, New Delhi, and the University of Illinois in the US created Stegobot, a new-generation botnet that could exploit Facebook images to steal information from unsuspecting users.
It’s cheap too. Cybercrime is typically perpetrated by botnets, which can be used for a variety of purposes — distributed denial-of-service (DDoS) attacks, mail relays for spam, click fraud, and malware implementation. It is also possible for cybercriminals to subcontract these services, and they are cheap. McAfee data (January-March 2011) indicate that prices of malware are falling. For instance, prices for DDoS services, which were generally $20 for one hour and between $100 and $200 for 24 hours, currently range between $10 for an hour and $50 for 24 hours. The price for 1,000 installs of a single malware application in Asia, for instance, is around $8. However, prices for spam services are increasing. In 2007, the same business offered 32 million emails for $1,000 but today charges $1,500 for the same. Socks/Proxy services cost around $1,500 for a month. Similarly, crime tools like Phoenix, Bleeding Life and Eleonore cost anywhere between $650 and $2,000.
The fact that top e-security companies in India make most of their revenue from training rather than from selling security solutions is proof that we are not thinking about security, concludes Vijay Mukhi, a leading cyber-security expert.