‘What we are actually missing in India is a platform wherein the government engages with cybersecurity experts, gets them employed and then utilises their capability to deter such attacks.’
At 18, Vineet Kumar, once the world’s youngest Microsoft Certified Systems Administrator, had founded the Global Ethical Hackers’ Association and National Anti-Hacking Group in 2003 that helped fight cybercrimes in India.
Today, Vineet is the founder and president of the Cyber Peace Foundation, a nonpartisan civil society organisation striving for cyber peace.
Prasanna D Zore/Rediff.com spoke with Vineet against the backdrop of reports attributing State actors from China for being responsible for cyberattacks on India’s critical infrastructure since the Indian Army’s border standoff with the Chinese army in Ladakh.
Could you help us understand what exactly are the Chinese hackers doing with India’s power systems and about which a couple of reports are out?
We have seen a series of attacks that are coming in on the critical infrastructures. When I say critical infrastructures, it is not just the power infrastructure. It is also manufacturing, oil and gas, refineries, healthcare and other critical infrastructure.
At Cyber Peace Foundation we have been setting up sensors — which is part of a project called e-Kawach — across multiple strategic locations and each of these sensors are emulating a particular critical infrastructure, like I mentioned healthcare, refineries.
We have been watching activities captured by these sensors in the cyberspace and what we have found is that the attacks on critical infrastructure are indeed increasing.
Analysis of data from these sensors tells us that a lot of them are from IP addresses originating from foreign countries.
However, as is the case with information and cyberattacks, the most complicated thing is attribution of attacks to certain actors. This is because there is possibility of a malicious actor using proxies, bots etc, which may not be attributable to a State or non-s=State actor.
At the same time, what can be concluded with the data and our analysis is that most of the IP addresses and some of the CnCs (command and control centres) are also from foreign countries.
Cyber Peace Foundation is in close collaboration with leading research institutes which are working in the space of critical infrastructure security and have observed sudden spike in infiltration attempts in these critical infrastructures.
The Cyber Peace Foundation has also come out with series of reports revealing different kinds of scams that are being operated, in addition to just the attacks on critical infrastructure.
For example, there have been cases where a series of messages can be seen floating around offering thirty thousand rupees per month by working from home.
When we investigated (these messages) what we found out that there are Chinese domains and IP addresses involved.
How do these State-backed hackers infiltrate into India’s power system, or any such critical infrastructure?
Unlike banking and finance, power sector has always relied on security by obscurity approach. Their over-reliance on long-busted air-gap myth and state of denial to such vulnerabilities are the major causes (of such hacks).
It’s just a vulnerability (that hackers look out for). There could be vulnerabilities in the computer which then gets connected to SCADA (Supervisory Control and Data Access) systems.
Most of our critical infrastructures are basically designed keeping safety in mind, but not security thereby exposing them to highly malicious attacks by highly-motivated State actors.
These systems are developed decades ago with legacy protocols, legacy devices working on clear text communication. The most interesting part is the only protection these systems had was air-gaps.
Air-gapped means that they are not connected to the Internet. There are IT systems which are separate and there are ICS-SCADA (<em) systems which are separate.
For example in heavy machinery, you must have seen Siemens PLCs which operate cranes. There’s a small computing device, which is used to control heavy machinery. With the growing digitisation it is not difficult to breach the air gaps and such systems are now highly vulnerable to cyberattacks.
Further, highly motivated, financially supported nation-State actors can always find some or other ways of social engineering, honey-trapping to launch insider attack breaching such air-gaps.
That’s the main issue that needs to be highlighted.
Is State-backed actors from China were actually responsible for these cyberattacks why would they leave the IP address footprints that can easily be traced back to China?
This is exactly why attribution in cyber-attacks is so complex and something, even internationally, far from any sort of agreement.
There can be cases where another country or actor from another country exploits resources in China to leave a trail leading back to China.
In any type of arrangement or more investigations, it is extremely difficult to fix attribution.
There is a need for International Cyber Cooperation between countries to bust the criminal gangs running the fraud campaigns affecting individuals and organisations to make Cyberspace resilient and peaceful.
As per your knowledge, did the Government of India send requests to the Chinese government to block these IP addresses?
I am not aware if they have done. Some of the domains and IP addresses, which we highlighted in our research reports, have been found to be of Chinese origin.
We have also published research reports on our Web site which can be downloaded and acted upon by respective governments.
Free Women’s Day Gift Scam: Cybercriminals used Cloudflare technologies to mask the real IP addresses of the front end domain names used in this ‘Free Women’s Day Gift’ campaign. But during the investigation, we have identified some domain names that were requested in the background and have been traced as belonging to China.
Fake Ram Nath Kovind Foundation case: One of the domains was created in the name of the President Ram Nath Kovind Foundation and this like was redirecting to a Chinese eCommerce Web site; a week ago this domain was still operational and harvesting information from users.
My team informed me recently that the site was still up, but running on a different IP address, which is now German, but is redirecting to a Chinese e-commerce Web site.
Is India equipped with cyber infrastructure to stonewall such attacks from State-backed actors?
We keep sharing our research reports to make various governments aware about these attacks with solid statistics.
Last November we had informed various governments that vaccine facilities and critical healthcare could be under attack. I am sure they must have acted on it, but we need to be proactive now rather than reactive.
We have to develop a proactive approach and incidents like these (the cyberattacks on power infrastructure) actually create a scenario where it makes sense to look at and understand what is critical and important to us.
Probably all these smart grids and other related infrastructure should carry out regular cyber mock trials to test whether the systems are vulnerable, identify these vulnerabilities and act before State actors or cyber criminals get (hack) into the system.
While mock drills are done regularly by defence forces where they practice the use of different weapons, play defensive warfare games to find out your own vulnerabilities; the same is required today in the cyberspace also.
There are nodal agencies like the National Critical Information Infrastructure Protection Center (NCIIPC) and CERT-In (Computer Emergency Response Team-India) active in this space and I’m sure they would be thinking about it. Let’s switch gears from being reactive to being proactive.
India is a nuclear power. I’m sure we have a very solid command and control system. But is there a way these State actors could hack into this command and control system? How safe is India’s defence infrastructure?
The kind of new technologies that are coming in, I feel any of these facilities that are there, are not foolproof or cyberattack proof and no facility can be 100 per cent attack proof. However they should implement the best practices to secure themselves from majority of the attacks.
Countries have been working on new kind of technology innovations which could be utilised in a targeted attack. One of them is zero days and can be called as a Cyber weapon.
This will make you think about the capabilities that are being created by humans and they could very well be used by state as well as non-state actors.
To begin with, let’s keep it simple: anything that is connected (to the Internet/intranet) is hackable. Anything that gets connected to the Internet or any network is hackable and people (hackers) once they hack into the network, they generally have the capability to turn it into a weapon and also to bring it down.
One is somebody hacks into the infrastructure directly using the internet and other is by hacking into the systems (mobiles/laptops//computers) of end-users working in these infrastructural facilities.
Sometimes it is the other way around.
It’s not a connection that gets established from outside to inside. It’s a connection that gets established from inside to outside.
There are people (working at these places) who are unaware, who don’t know basics of cyber hygiene.
For example, somebody (an employee working at such critical infrastructural facility) might get a link on an instant messaging app/social media and this person could be connected to the internal network on which runs some critical infrastructure.
If s/he clicks on that particular link then a connection gets established from the inside to outside with the attackers getting access to the critical infrastructure. So that’s how things get done.
How equipped is Indian to give China a tit-for-tat using the same means that the Chinese employ? Can Indian hackers also hack into China’s critical infrastructure networks?
Since we are a peace-keeping organisation, we are anti-cyberwarfare.
At CPF, we do suggest countries to build the capability so that they can keep themselves safe from any of these cyberattacks. It’s more about building defensive controls.
If you ask me about the capabilities (that India has), yes, we have talent all across in India; there are people who are experts in different fields.
Their number is growing now because I see that many of these (defence) institutions and academic institutions are now moving on to cybersecurity; they are short term and long term BTech courses, MBA courses are being introduced.
I have come across (cybersecurity) experts who don’t even have a formal degree. But they’re very hardcore techies.
What we are actually missing here in India is a platform, wherein the government engages with these (cybersecurity) experts, gets them employed and then utilises their capability to deter such attacks. You would mean a central platform. We are doing something to this effect called the Cyber Peace Corps.
You must have seen reports that say China has a complete academy of hackers; even government gives jobs to the hackers. Like National Critical Information Infrastructure Protection Centre offers a platform to experts wherein they can report directly to the NCIIPC if they find any bug in any of these networks and the contribution of these experts is also acknowledged.
NCIIPC engages with experts, ethical hackers, but a bigger platform is needed wherein the government can directly engage with ethical hackers, cybersecurity experts and engage with them in building robust systems to deter such cyberattacks.
Many countries are working on a model to rehabilitate cybercriminals; in fact, they must be given a chance to move from a negative side to a positive side. We are going to experiment that very soon. We need to build such an ecosystem here in India.
But something bigger than this is the need of the hour. Something bigger needs to be created. I see a need to create some of the roles, at multiple places, within the state police, state governments and Union government like a tech cadre in itself.
Rather than having hackers as consultants, you should probably hire experts directly. You can create a technical cadre just like the civil services.
One idea that I have been suggesting is the Territorial Army in India probably raising a Cyber Battalion.
I studied at the Cranfield University, UK, and at the Defence Academy there, they have engaged reservists: People who are working with tech companies give their weekends to the UK government, all this skilling and training happens and they work for the UK government during the weekends.
We have the platform. but a little bit of tweaking needs to be done where the experts can be engaged directly.