'DNA' investigation: PMO faces largest strategically targeted cyber attack
Malware was directed at senior officials of defence, home, and external affairs ministries.
On July 12, some of the top officials in the Prime Minister’s Office (PMO), including principal secretary to the PM TKA Nair and national security advisor Shiv Shankar Menon, received a flurry of calls from the National Technical Research Organisation (NTRO), India’s technical intelligence agency.
The calls were brief and to the point. All systems were to be shut down and all computers were to be unplugged until NTRO officials arrived at the PMO. As an NTRO team set off from their headquarters in the outskirts of Delhi, other key ministries were also asked to shut down.
This was perhaps the most strategically targeted cyber attack yet on India’s key ministries: officials from the ministries of home affairs, defence and external affairs and from the armed forces began to receive similar calls asking them to shut down their systems.
It started in the early hours of July 12 when NTRO officials monitoring India’s critical systems infrastructure began to notice a mass of emails from one address with an attached Word document titled “cms,ntro:dailyelec.mediareport (2011)” being sent to inboxes of key officials of India’s vast security architecture.
Other officials who received the email were joint secretaries and directors in the PMO, the special secretary (internal security) UK Bansal in the ministry of home affairs, seven key joint secretaries in the ministry of external affairs dealing with the US and Pakistan, and a host of other officials in BSF and CISF.
For several hours, the systems remained compromised as NTRO officials raced to sanitise them and restore order. Luckily for them, a lot of good work had already been done to prepare for such an eventuality. In April and May this year, the agency observed a mass attack on India’s key security-related ministries. The NTRO contacted several key officials whose systems had been compromised for months.
Two of them were joint secretaries in the PMO and the national council secretariat that collates all the intelligence generated by agencies like RAW, IB and NTRO. The third target to be detected was the rear admiral who was posted in the “Perspective Plans” directorate of the Integrated Defence Headquarters, a joint armed forces setup.
NTRO officials were horrified that these official systems had been targeted and infected with malware. These were well-planned attacks, designed to run selected commands on the compromised system and save the results to a virtual drive that the malware had secretly created.
As the officials began to examine the compromised systems, they approached the service provider MTNL for access to its key communication nodes. Here, NTRO’s sensors picked up an additional 500 email addresses that had already been compromised by similarly coded malware. NTRO’s report concluded that this was “a deliberate attempt to gain access to email addresses of key officials” through which major systems could be breached and compromised.
By July 20, Dr Nirmaljeet Singh Kalsi, a joint secretary in the ministry of home affairs, had sent out a detailed note spelling out the nature of the attack so as to prevent a future breach. It noted that “reports of cyber espionage attack” on various government installations had been received, and advised key ministries to lay down strict security protocols. The attacks were being launched from trusted email addresses that had in fact been compromised as early as 2007.
Racing against time, NTRO officials analysed and reverse-engineered the malware in a bid to determine the origin and nature of the attack. By July 8, a detailed three-page report had been issued to all the key ministries, warning them to remain alert to a much more targeted attack. This effort minimised the damage of the July 12 attack, and the breach was sealed in a matter of hours.