Should India start worrying about “supply chain” viruses and hackers? Should a couple of hacking exploits that affected the US government and, perhaps, the government of Vietnam set off alarm bells in India? Yes, because in an increasingly digital and connected world, this could be the new face of cyber warfare. In the last week of 2020, news came in that Vietnam had been found to be the target of a sophisticated supply chain cyber attack.
A group of hackers had managed to compromise many Vietnamese private companies and government departments by compromising the Vietnam Government Certification Agency (VGCA). This department is responsible for issuing digital certificates that would be used for electronically signing documents. While the malware—a Trojan called PhantomNet—that was inserted wasn’t very complex, it served as a wireframe for other more potent viruses.
Before that, in the second week of December, the technology world was rocked by the news of a “supply chain” cyber attack that had managed to infiltrate the networks and systems of multiple US government departments, tech majors like Microsoft and Cisco, and hundreds of big and small companies around the world working in sensitive areas. The implications of the hack and the amount of information the hackers managed to get are still being worked out.
Though the US government officials or the technology companies did not name anyone, the finger of suspicion pointed towards a Russian group of hackers called CozyBear, acting with state support. It was a highly sophisticated indirect attack. These are termed “supply chain” cyber attacks because instead of attacking a target, the hackers rely on infecting one of its suppliers instead to gain access. CozyBear exploited a vulnerability and attached a malicious code in the software update that the well-known Texas-based IT management company SolarWinds was preparing to roll out for clients.
The company counts Microsoft, Deloitte, Nvidia, Cisco and many other global leaders as its clients. The attack was initiated as early as March, when the hackers managed to insert their code into the SolarWinds software update. When the SolarWinds update was implemented by its clients, the code got access to parts of their networks as well. The hackers were exceedingly patient and did nothing for several months. After that, they slowly started stealing some data, taking care to avoid detection. It was almost by accident that the exploit came to light in December when an employee in the US cyber security firm FireEye realised that someone had logged into the company VPN using his credentials. This led to a search for the intruder, which in turn made the company realise that the hackers had got access when it implemented the SolarWinds’ Orion update.
In 2020, apart from the SolarWinds and VGCA attacks, three other supply chain hacking cases had been detected. In two cases, China was involved. One Chinese bank apparently forced foreign companies operating in the country to install a backdoor tax software toolkit. In the second case, Chinese hackers had managed to compromise the update mechanism of a chat app used by Mongolian government agencies. The fifth case of the year was a North Korean attack that delivered malware to South Korean users. Supply chain attacks are not new and have been around for several years.
Earlier, most hackers preferred to attack their target companies directly. However, as big companies beefed up their cyber security measures, such attacks could be quickly detected and counter measures taken. Unlike direct attacks, supply chain hackers are relatively difficult to guard against. The US government cyber defense system for example could not detect the CozyBear attack because it came in via a trusted source, SolarWinds, which it had no reason to suspect of any malicious intent.The bigger danger though that is cropping up is of motive. In the past, many big hacking exploits were looking to make money. This typically meant inserting ransomware or the stealing of credit card and bank details or other data. Occasionally, hackers attacked companies because they felt these were evil and needed to be punished.
But increasingly, government to government or government-sponsored attacks on rivals are gaining currency. Instead of asking for money, hackers are instead slowly gathering critical information, compromising data and inserting more malicious and complex codes that can be used one day to paralyse entire government departments or private companies and their clients, thus spreading chaos. This is the new digital warfare that seeks to bring a country to its knees by attacking its key functions and biggest companies instead of attacking it through conventional means.
As in the case of fishing stories, in hacking too, it is not the ones that are caught that are important. It is the ones that got away undetected that have the potential to do most harm. Among the countries particularly known for using hacking attacks at the government level are Russia, China and North Korea, as well as a few East European countries. For India therefore, the threat from China or Pakistan may not come from the areas it is keeping an eye on—but in the form of a cyber attack that is hard to detect and therefore counter. This is the new threat that India needs to be worried about.
Prosenjit Datta (prosaicview@gmail.com)
Senior business journalist