Inside story of cyber attacks on India’s banks, airlines, railways… and the fightback

War minus bullets | Imaging: Binesh Sreedharan

On March 2, 2014, Ukraine woke up to a major communication blackout. Mobile phones in the former Soviet republic stopped working, the internet and power grid were down. There was panic all around. As authorities tried to figure out what was happening, Russian forces invaded the country and took over the Crimean Peninsula and the key naval base of Sevastopol. The Russian cyberattack before the actual invasion was quite debilitating, and it offered a glimpse of future military tactics. Armies are now more likely to march in only after crippling the enemy’s communication, banking, power supply and transport systems through cyberattacks.


In fact, this was nearly tried out back in 2003 by the US before it invaded Iraq. It had plans to cripple the Iraqi banking system so that Saddam Hussein would have no money to fight back. But the Pentagon decided against it at the last moment, after the CIA warned that such an attack would also cripple the European banking system which was linked to Iraq’s.

Such attacks are not, however, limited to wars and conflicts. They have become quite common, and India is one of the major victims. More than 11.5 lakh incidents of cyberattacks were tracked and reported to India’s Computer Emergency Response Team (CERT-In) in 2021. According to official estimates, ransomware attacks have increased by 120 per cent in India. Power companies, oil and gas majors, telecom vendors, restaurant chains and even diagnostic labs have been victims of cyberattacks.

On October 12, 2020, Mumbai, the country’s financial capital, was hit by a massive power outage. Train services were cancelled, water supply was affected and hospitals had to rely on generators. Commercial establishments in Mumbai, Thane and Navi Mumbai struggled to keep their operations running until the crisis was resolved two hours later.

Maharashtra Power Minister Nitin Raut alleged sabotage, while cybersecurity experts suspected the hand of China’s People’s Liberation Army (PLA), which was engaged in a major standoff with the Indian Army in Ladakh. The needle of suspicion pointed towards 14 Trojan horses, a kind of malware which might have been introduced into the Maharashtra State Electricity Transmission Company servers.

Defence mechanism: Bombay Stock Exchange has a 24x7 cybersecurity operation centre | Amey Mansabdar

The suspicion was not out of place. Maharashtra Cyber, the nodal agency for cybersecurity in the state, had already been warned of attacks on power conglomerates and dispatch centres. It is an open secret that the PLA’s cyber warfare branch and the million malware families hosted by Chinese cyber espionage groups specialise in such attacks. India’s cybersecurity czar Lieutenant General (retd) Rajesh Pant would not take any chances. He called for reports from the state and Central power ministries. “Was there actuation in the grid? What were the indicators of compromise?” Several suspects—most of them Chinese—showed up.

Cyber forensic teams fanned out to investigate and two reports landed on Pant’s table, of which one said the outage was due to an external attack. Experts, however, concluded that although malware was detected, it did not cause the outage. “There are two types of operating systems connecting the power grid,” said an expert. “The malware was detected in the system that was not capable of putting lights out.”

Finally, the national power grid controlled by the Power System Operation Corporation Limited said the failure happened because of human error. Union Power Minister R.K. Singh, too, clarified that there was no link between the outage and the cyberattack.

An airport in a metro city faced a cyberattack a few months ago where nearly a third of its infrastructure was targeted | Bhanu Prakash Chandra

“If you take a drop of water and analyse it, you will find a million impurities in it. Similarly, a million malwares are detected every day. What is important is to protect our systems against it,” said Brijesh Singh, additional director general of police, who was instrumental in setting up Maharashtra Cyber. All the same, India’s cyber-warriors are constantly on alert, guarding against malware infecting the country’s various infrastructure operating systems such as the railways, power supplies, banking, communication, information dissemination, hospital networks and airlines.

India, on its part, is worried most about its strategic adversary China, given the bad blood between the two countries. The mandate for coordinating India’s activities across multiple sectors to ensure a secure cyberspace has been given to Pant, who is the national cybersecurity coordinator (NCSC) under the National Security Council Secretariat.

Pant advises Prime Minister Narendra Modi on cybersecurity (he is the first Indian general to serve in this position) and assists National Security Adviser Ajit Doval and his team in drawing up strategies to secure cyberspace. Pant and his team gather information on the intent and capabilities of not just principal players like China, but also their foot soldiers like Pakistan.

Hitting where it hurts: On October 12, 2020, Mumbai was hit by a massive power outage. Maharashtra Cyber had already been warned of attacks on power conglomerates and dispatch centres | Getty Images

Insikt Group—the threat research division of the global cyberintelligence firm Recorded Future, which assists the US Cyber Command and 25 CERTs around the world—said intrusions targeting three Indian aerospace and defence contractors, major telecommunication providers in Afghanistan, India, Kazakhstan and Pakistan and multiple government agencies across the region had been detected. At least six state and regional power dispatch centres and two ports were targets, Indian agencies were warned.

Pant and his team, while collating the information from such friendly agencies and from Indian cyberintelligence units, are trying to arm the country and its myriad entities to defend themselves against cyberattacks. Pant, who spent 41 years in the Army Corps of Signals, is a veteran in cyber warfare. Prior to moving to his new position, he was in Mhow, heading the Army’s cyber training establishment. Under his tutelage, India has made rapid strides in hacking, cryptography, reverse engineering and forensics. In 2020, India jumped 37 positions to reach the tenth position on the United Nations Global Cyber Security Index.

While the Mumbai outage was a wakeup call for the Indian cybersecurity establishment, it also showed that some critical sectors were not affected by the power grid failure or the cyber breach. For India’s cyber preparedness, these turned out to be good examples.

One such entity is the Bombay Stock Exchange, the world’s fastest stock exchange that operates at a median trade speed of six microseconds, processing more than three crore transactions a day. Notified as national critical infrastructure by the Central government, the BSE is now coming up with a power exchange, the third in the country after the Indian Energy Exchange and Power Exchange of India Ltd. Shivkumar Pandey, BSE’s group chief information security officer, said the stock exchange had a fully operational 24x7 next generation cybersecurity operation centre (SOC) that protects it from both internal and external threats.

Pandey said the BSE was a perennial target of sophisticated attacks, which it fights with the SOC operating from multiple sites in hybrid mode, utilising more than 40 niche security technologies. “The SOC is also enabled with AI (artificial intelligence) and ML (machine learning) technology to proactively detect and respond to highly sophisticated cyberthreats which traditional technologies may fail to detect and alert on time,” he said. The BSE is working in close coordination with CERT-In to exchange intelligence information and contribute to the overall national information security infrastructure.

CERT-In has stepped up efforts to tackle the growing menace of cyberattacks. Dr Sanjay Bahl, director-general of CERT-In, sensitised board members of multiple organisations in the power and banking sectors on cybersecurity and the latest threat perceptions. The first lesson he imparted was to report the incident itself. The biggest drawback in India’s cyber preparedness is that most organisations—both private and public—are reluctant to report incidents of cyberattack for fear of bad publicity and losing customers.

A few months ago, an airport in a metro city faced a cyberattack where nearly a third of its infrastructure was targeted. Luckily, it got fixed quickly, but Central agencies were kept out of the loop initially. “Had it lasted for more than half an hour, it could have created a bigger problem,” said a government official. The incident made both Central and state agencies sit up and agree that they needed to work in tandem, remove overlaps, fix responsibility and integrate various arms for a coordinated response.

In February 2021, when SITA, the Geneva-based air transport data giant which serves more than 90 per cent of the world’s airlines, informed Air India that hackers stole the personal data of 4.5 million passengers, it presented yet another challenge for India’s cybersecurity establishment. The attack happened outside Indian jurisdiction, yet millions of Indians were affected. “The breach involved personal data spanning almost a decade from August 26, 2011 to February 3, 2021,” Air India said in a statement. While the Indian cyber-warriors tried their best to limit the damage caused by the breach, they soon realised that investigation into attacks which happened outside the Indian cyberspace was not easy because of jurisdictional issues.

Apart from airlines, railways and power, another major area of concern is the telecom sector. “It is the easiest target, as also the one that yields the most value to the attacker,” said a cyber expert. “Telecom carriers give attackers several gateways into multiple businesses.”

Telecom service providers are now required to connect only those new devices which are designated as “trusted products from trusted sources”. An intelligence report warned that a single telecom operator intrusion could give attackers access to a lot more information than they would get by going after individuals.

The government is, therefore, wary about rolling out 5G services. “An entirely new ecosystem has to be created and the country needs to be prepared for it,” said an expert. “5G has 200 times more access points for hackers than the existing networks. In fact, some IoT (Internet of Things) devices can be hacked in 15 minutes.”

India’s cyber-warriors are aware of this threat. The national committee on security and telecom, headed by deputy national security adviser Rajinder Khanna, has issued a directive aimed at creating a secure telecom network system. It has made Pant the designated authority to vet telecommunication sources and products that can enter the country’s telecom network.

Assisting Pant in this task is an army of cyber sleuths from different agencies, handpicked to be part of the ‘trusted telecom cell’. They run background checks of telecom vendors who take part in tenders and screen the ultimate beneficiaries. They examine virtually every chip and semiconductor to see their place of origin and what had gone into their making and design. Their findings are transmitted to nodal officers in Central ministries.

Pant, however, has not taken the alarmist position of blacklisting suspicious foreign entities, as the US has been doing. While the US comes out with negative lists of Chinese tech companies like Huawei and ZTE which are barred from working with US firms, Pant is quietly drawing up a “positive” list from which Indian entities can choose their partners. This has also enabled India to sail through the world of global commerce without ruffling diplomatic feathers.

Yet, India has a long way to go to catch up with leading global players in cybersecurity. The malware attack on Cosmos Bank in 2014, in which customers lost ₹94 crore, was a glaring example of how Indian markets could be easy targets for financial crime syndicates. Brijesh Singh, who handled the case, said he found fraudulent transactions made in 29 countries in two and a half hours. The manner in which the crime was committed showed sophistication and large-scale coordination by international hackers. “What was equally shocking was how online actors used unsuspecting people as money mules to launder money for various criminal operations,” he said.

The Cosmos Bank case has shown that Indian agencies need to step up further in monitoring and preventing money crimes. Sameer Ratolikar, chief information security officer of HDFC Bank, said Indian banks were facing more social engineering attacks like phishing, especially during the pandemic because of the growing number of online transactions.

“Fraudsters target gullible customers and lure them with various financial offers, making them disclose their personal information like one-time passwords. This requires a layered defence, including customer awareness,” said Ratolikar. “Other important measures include sending OTPs on a different channel, device binding (the process of linking a token to a trusted device), adaptive authentication (a method for selecting the right authentication factors depending on a user’s risk profile and tendencies) and transaction monitoring solutions.”
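To make the layered defence Ratolikar describes concrete, here is an added illustration (not HDFC Bank’s or any bank’s code): a toy adaptive-authentication decision that demands stronger factors, including an OTP on a separate channel, as a request departs from the customer’s profile or arrives from an unbound device, plus a transaction-monitoring rule that flags the Cosmos-style pattern of one account transacting across many countries in a short window. All account names, device tokens, thresholds and sample transactions are constructed assumptions.

```python
# Added illustration (not the bank's code): toy adaptive authentication plus a
# transaction-monitoring rule; names, thresholds and sample data are constructed.
from collections import namedtuple
from datetime import datetime, timedelta

# account, amount, origin country code, device token presented, timestamp
Txn = namedtuple("Txn", "account amount country device_id ts")

# Device binding: account -> device tokens the customer enrolled (constructed).
TRUSTED_DEVICES = {"acct-1": {"dev-A"}, "acct-2": {"dev-B"}}
# Risk profile: account -> (home country, typical transaction size) (constructed).
PROFILE = {"acct-1": ("IN", 5000.0), "acct-2": ("IN", 2000.0)}


def risk_score(t):
    """Adaptive authentication: score how far a request departs from the
    customer's usual behaviour; higher scores demand stronger factors."""
    score = 0
    if t.device_id not in TRUSTED_DEVICES.get(t.account, set()):
        score += 40                      # request from an unbound device
    home, typical = PROFILE[t.account]
    if t.country != home:
        score += 30                      # unusual geography
    if t.amount > 3 * typical:
        score += 30                      # unusually large amount
    return score


def required_factors(t):
    """Map the score to factors; the OTP goes out on a channel separate
    from the one the request arrived on."""
    s = risk_score(t)
    if s < 30:
        return ["password"]
    if s < 70:
        return ["password", "otp_separate_channel"]
    return ["password", "otp_separate_channel", "manual_review"]


def burst_alert(txns, window=timedelta(hours=3), min_countries=5):
    """Transaction monitoring: flag accounts whose transactions touch at
    least min_countries distinct countries inside one sliding window."""
    by_acct = {}
    for t in sorted(txns, key=lambda x: x.ts):
        by_acct.setdefault(t.account, []).append(t)
    flagged = set()
    for acct, items in by_acct.items():
        for i, first in enumerate(items):
            seen = {x.country for x in items[i:] if x.ts - first.ts <= window}
            if len(seen) >= min_countries:
                flagged.add(acct)
                break
    return flagged


# Constructed sample: acct-2's bound device used in six countries within 2.5 h.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_TXNS = [Txn("acct-1", 1200.0, "IN", "dev-A", T0)] + [
    Txn("acct-2", 1500.0, c, "dev-B", T0 + timedelta(minutes=30 * i))
    for i, c in enumerate(["IN", "US", "GB", "AE", "SG", "JP"])]
```

Note that the bound device alone does not clear acct-2 in the sample: each transaction looks ordinary on its own, and only the monitoring rule, which sees the account across time, raises the alert.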

The financial sector is also grappling with the problem of ransomware. “Third party vendors are important vectors through which ransomware can be infiltrated,” said Ratolikar. “Therefore, having an adequate security framework around them is important.” The best way of defence from ransomware is to create employee awareness, develop a proper incident-response plan and undertake regular tabletop exercises. Ratolikar is working closely with CERT-In, which offers real-time intelligence that helps shut down phishing sites located abroad.

While many of these attempts at hacking banks and airlines might appear the handiwork of non-state enemies and mafias, cybersecurity experts are not willing to dismiss them as private crimes.

Even the US, which boasts top-notch cyber defence capabilities, is not immune to attacks. American intelligence agencies believe that Russian saboteurs had hacked into their voting systems multiple times. The Texas-based cybersecurity firm SolarWinds, which has several high-profile clients like the department of homeland security, the treasury department and at least 100 private companies, too, was a victim. The US imposed sanctions on Russia in April, blaming it for the SolarWinds hack and for the interference in the 2020 elections.

Recorded Future has indicated that geopolitical rivalries and border skirmishes are responsible for most of India’s recent woes in cyberspace. It pointed towards China-sponsored groups APT41 and Barium as having targeted Indian companies multiple times. The US-China Economic and Security Review Commission, an independent agency of the US government, endorsed this view in its annual report released in November, taking note of the PLA’s cyberattacks on Indian targets.

The US has documented the attacks and China has issued a denial, but India has got no proof. The good news is that the FBI is chasing some of these groups and probing their links with China’s ministry of state security.

“We are pursuing these criminals no matter where they are and to whom they may be connected,” James A. Dawson, FBI’s acting assistant director, told a federal grand jury during a hearing in one of those rare moments when global cyberthreats had real names and faces to them. The jury indicted five Chinese hackers—Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang—for intrusions affecting 100 companies in the US, Australia, Brazil, India, Japan and Hong Kong.

The Chinese foreign ministry called the charges “speculation and fabrication”. The denials have become shriller, especially after the 2015 US-China Cyber Agreement to curb cyber-enabled theft of intellectual property. “Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property outside China,” said Jeffrey A. Rosen, former acting attorney general of the US.

Emerging trends in cybersecurity indicate that nearly all future global conflicts will have a cyber component. Whether it is for spying on governments, targeting defence forces, hitting power and communication grids, crippling transport networks, subverting financial systems or sabotaging flights, the next war will begin in cyberspace. It may even be waged largely there, yet it will wreak havoc in everyday lives of common people, unless a robust defence is put up.